On Wed, 2005-11-30 at 10:36 +0800, John Summerfied wrote:
> I had some difficulty accessing material outside of /var/www as user
> Apache, on WBEL.
Maybe exploiting the hypothetical kernel bug doesn't require access to
anything particular in the filesystem...
> Because the risk of breaking things, especially with Fedora, is
> greater.
This hasn't been my experience.
> I have seen two successful attacks against Linux systems in the time
> since I deployed my first Linux server, running RHL 4.0.
I've seen many more. Linux boxes get rooted, en masse and all the time.
Running software with known vulnerabilities is a major factor in this.
> Both were on account of weak passwords.
This is what's left after you patch known vulnerable software. That and
0-day exploits.
> OTOH I cannot count the number of broken systems I've seen when
> upgrades failed, when upgrades succeeded but their content was broken,
> when hardware failed.
Of all the servers I manage (and all of them use automatic updates) I
have never had any issues due to software updates. I concede, though,
that I don't use stock kernels on servers, but customised and hardened
ones. Hence, there have been no automatic kernel updates.
On workstations I use manual update (as I mentioned earlier) since I
wouldn't risk losing 3D screen savers due to a missing nvidia kernel
module, but I check daily.
> So there you are, no penetrations at all on account of software
> vulnerabilities in umpteen years.
This is very atypical. Are your systems networked?
Cheers
Steffen.