Bugtraq mailing list archives

Re: UnixWare


From: jkb () mrc-lmb cam ac uk (Bonfield James)
Date: Thu, 28 Apr 94 9:03:47 EDT


Perry writes:

Casper Dik says:
A number of SunOS ones: divide by zero, imul, idiv emulation (two
...

Compare this to the almost weekly reports of security bugs at user
level, and I believe my point is proven. Kernel security bugs show up
maybe once every year or two -- none that I know of has appeared in
4.1.X SunOS, and it's been running for several years now.

There ARE still bugs in the SunOS 4.1.X kernel. I'm also certain that there
are plenty more unknown bugs in the kernel. However...

Just looking at SunOS, there have been three sendmail bugs, some rdist
bugs, some bugs with SUID LD_LIBRARY_PATH handling, etc, etc. One
shows up every few months.

Point taken. The number of user level bugs far outweighs the kernel bugs.
Many of these recent bugs have also been shown to be simple bad design - bugs
in programs (or parts of programs) that never needed their special privileges
anyway.

I agree that one must keep track of the bugs out there, BUT if one is
running a public access system that one expects to be regularly
attacked, it's probably better to make the system inherently safe by
removing the places that security bugs could crop up.

Good examples of this are having very good backup strategies (that take into
account the possibility of something being modified and hence backed up);
decent logging, preferably to a hard copy or another system; and removal of
all unneeded services.

        James
--
James Bonfield (jkb () mrc-lmb cam ac uk)   Tel: 0223 402499   Fax: 0223 412282
Medical Research Council - Laboratory of Molecular Biology,
Hills Road, Cambridge, CB2 2QH, England.