Bug 182574 - Security Handbook: 3 misleading informations found
Status: RESOLVED FIXED
Alias: None
Product: [OLD] Docs on www.gentoo.org
Classification: Unclassified
Component: Other documents
Hardware: All Linux
Importance: High normal
Assignee: nm (RETIRED)
Reported: 2007-06-19 12:16 UTC by Marco Squarcina
Modified: 2007-07-08 21:31 UTC
Description Marco Squarcina 2007-06-19 12:16:51 UTC
1) 5.b. /etc/limits:
"Here we set the default settings and a specific setting for the user kn. Limits are part of the sys-apps/shadow package. It is not necessary to set any limits in this file if you have disabled pam in make.conf or not configured PAM properly."

/etc/limits is used when you don't have /etc/security/limits.conf provided by PAM, so why shouldn't one use it with PAM disabled?

2) 10.a. Apache
Listen 127.0.0.1

This will cause apache to be accessible *ONLY* from localhost... I don't think this is an intended behaviour...

3) 10.k. ssh
The same with sshd:
ListenAddress 127.0.0.1

The host will be unreachable from a remote client with this option.

Thanks,
Marco
Comment 1 Steve L 2007-06-21 03:16:19 UTC
With regards to 2 and 3, it is standard to only allow localhost connections as default. It does say:
#Make it listen on your ip
..but what default is supposed to be provided? It's not like we know their external IP is it? ;)

This way, if a user just copies everything they can still test the service and use it as a local development box. If they don't know that 127.0.0.1 is localhost, or what their own IP is, I don't personally think it's wise to open the service up for remote use. The default settings should be secure.
Comment 2 nm (RETIRED) gentoo-dev 2007-06-21 03:30:35 UTC
/etc/limits: Why not? Because as far as I know, nothing else will use it if PAM is disabled.

Apache and ssh: those are just the defaults; you are obviously supposed to modify them for your own system...and we can't guess what those values should be.

Not a bug, but you have made me review some stale security handbook files that I will shortly update. :)
Comment 3 SpanKY gentoo-dev 2007-06-21 04:54:29 UTC
mmm, I'm not sure about the apache/ssh things ... how many people out there have more than one IP? I feel like, for the default person setting up their system, neither line is of any real value

as for 5.b, the logic seems to be inverted ... this statement:
It is not necessary to set any limits in this file if you have disabled pam in make.conf or not configured PAM properly.

should probably read:
It is not necessary to set any limits in this file if you have enabled pam in make.conf.
Comment 4 Steve L 2007-06-21 16:22:09 UTC
(In reply to comment #3)
> mmm i'm not sure about the apache/ssh things ... how many people out there have
> more than one IP ?  i feel like the default person setting up their system,
> neither line is of any real value
> 
Hmm, maybe for sshd in that people usually set it up for someone to login and help, but in the case of apache the default setup is fine. On a workstation, I feel it should default to localhost until the user changes it. Adding a note to mention that users should set their own IP does make sense, however.
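The disagreement above comes down to what a copied `Listen` / `ListenAddress` line actually binds. As an added example (not from the handbook or from anyone in this bug), the POSIX shell snippet below reads an Apache or sshd config on stdin and reports whether the resulting daemon would be loopback-only, bound to specific addresses, or listening on every interface; the sample configs inside it are constructed.

```sh
#!/bin/sh
# Added example, not from the handbook or this bug report: classify where
# Apache (Listen) or sshd (ListenAddress) will bind, based only on the
# directives in a config read from stdin, so the effect of copying the
# handbook's 127.0.0.1 defaults is visible before the daemon is restarted.

# listen_scope ADDRESS_FIELD -> loopback | all | specific
listen_scope() {
    case "$1" in
        127.*|'[::1]'*|::1|localhost|localhost:*)   echo loopback ;;
        0.0.0.0|0.0.0.0:*|'[::]'*|::|'*'|'*:'*)     echo all ;;
        *.*|'['*|*:*:*)   echo specific ;;  # dotted quad, [v6]:port or bare IPv6
        *)                echo all ;;       # bare port, e.g. Apache "Listen 80"
    esac
}

# classify_listen < CONFIG
#   -> loopback-only | all-interfaces | specific-address | no-listen-directive
# Comments are stripped first; one wildcard directive makes the daemon
# reachable everywhere, one specific address makes it reachable there, and
# only an all-loopback set counts as local-only.
classify_listen() {
    scopes=$(sed 's/#.*//' \
        | awk 'tolower($1)=="listen" || tolower($1)=="listenaddress" { print $2 }' \
        | while read -r addr; do listen_scope "$addr"; done \
        | sort -u | tr '\n' ' ')
    case "$scopes" in
        "")          echo no-listen-directive ;;  # compiled-in default applies
        *all*)       echo all-interfaces ;;
        *specific*)  echo specific-address ;;
        *)           echo loopback-only ;;
    esac
}

# Constructed samples (not taken from any real system).
handbook_sshd='ListenAddress 127.0.0.1   # handbook default: unreachable remotely'
handbook_apache='Listen 127.0.0.1:80
#Make it listen on your ip'
edited_apache='Listen 127.0.0.1:80
Listen 192.0.2.10:80'
wide_open_sshd='ListenAddress 0.0.0.0
ListenAddress ::'

printf '%s\n' "$handbook_sshd"   | classify_listen   # loopback-only
printf '%s\n' "$handbook_apache" | classify_listen   # loopback-only
printf '%s\n' "$edited_apache"   | classify_listen   # specific-address
printf '%s\n' "$wide_open_sshd"  | classify_listen   # all-interfaces
```

Run it as `classify_listen < /etc/ssh/sshd_config` (or the httpd config) to confirm a freshly edited file before restarting the service.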
Comment 5 nm (RETIRED) gentoo-dev 2007-07-08 21:31:49 UTC
Fixed with vapier's suggestions.