Posted by Niels on 02/11/05 20:27

Hi,

Richard Lynch wrote:
> I suspect that people who looked into doing this fall into two categories:
>
> Those who heeded the experts who told them "Don't do that" and didn't do
> it.
>
> Thoee who ignored the experts, went ahead and did it, and cobbled together
> enough band-aid security measures to be "Okay" with it, but not something
> they want to publish what they did, because then it would be too easy to
> attack them.
>
> Actually, there's probably a third category: Those who don't even really
> own their own machines any more because they got root-ed. :-v
>

I know you're trying to cheer me up, but this isn't helping! ;-)

I have this theory that if what you're trying to protect is important
enough, somebody will get through the security barriers eventually. That
goes double for the internet. A good point that I've failed to bring up is
the question "How secure do you need it to be?". I think that's an
important consideration.

Your three groups sound quite accurate, but my big problem is that when a
program _has_ to do these things, I'm left in group #2, because I can't
find any tried-and-tested methods. This is not usually the case with PHP,
the community always seems to provide good solutions. I'm left in group #2
until I've become an expert in this myself, several unpaid years into the
future...

Webmin is a common tool, and if their security measures don't hold up, then
we're in big trouble. I believe they're using PAM somehow, I'll look into
that. Until then, it's a sudo scheme.


Thanks again,
Niels

[Back to original message]