[ale] Help with server setup

[ecashin at noserose.net (Ed Cashin)]

On Tue, Sep 15, 2009 at 4:47 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
> There's all kinds of hardening that can be done. Disable root login,
> remove mount command, make the entire / directory read only. You have
> to balance security locks vs. usability.

I see, yes.  I suppose I figure that exploits come along every so
often that give folks root via strange stuff like,

  * buffer overflow in httpd allows arbitrary command to run
    as "web" user

  * as web user, elevate to root using a local root exploit

  * as root, remount / as read-write

  * profit!

(I could not resist an underpants gnomes reference.  ;)

There's a balance in security, but I like the way the FreeBSD
immutability provided an easy way to take much of the danger
from privilege escalation without more inconvenience than I
felt comfortable with, since I knew I didn't have time to fix
the system right away if something had happened.

-- 
  Ed Cashin <ecashin at noserose.net>
  http://noserose.net/e/