What are the real vulnerabilities of Ubuntu?

[ubuntu_demon]

What are the real vulnerabilities of Ubuntu?

This is a nice article :

What are the real vulnerabilities of Linux?
http://www.newsforge.com/article.pl?.../12/01/2329229

I would like to know more about SELinux and Ubuntu
http://www.ubuntulinux.org/wiki/HoaryGoals
SELinux - Needs proof of concept derivative

I would like firestarter in ubuntu main and installed by default in hoary

I would like to know if the security settings of the default install of hoary are going to be equal to those generated by hardening scripts like Bastille (rendering them largely useless)

[daniels]

There would be no point to having Firestarter around, because we don't have any open ports by default. So you could have it running if you wanted to feel better, but there's nothing for anyone to connect to anyway. Efforts like Firestarter and Bastille have been based around the idea of securing already-running services, instead of just not running them and having them publicly visible anyway.

[ubuntu_demon]

Quote:

Originally Posted by daniels There would be no point to having Firestarter around, because we don't have any open ports by default. So you could have it running if you wanted to feel better, but there's nothing for anyone to connect to anyway. Efforts like Firestarter and Bastille have been based around the idea of securing already-running services, instead of just not running them and having them publicly visible anyway.

okay cool

What is your opinion about SElinux and Ubuntu? And how's the progress if any ?

[jdong]

Quote:

Originally Posted by daniels There would be no point to having Firestarter around, because we don't have any open ports by default. So you could have it running if you wanted to feel better, but there's nothing for anyone to connect to anyway. Efforts like Firestarter and Bastille have been based around the idea of securing already-running services, instead of just not running them and having them publicly visible anyway.

Can you guys set debconf to NOT put newly installed daemons in the default runlevel? I think that should be a conscious, self-made decision. (or prompt the user, like you can make sarge do)

[daniels]

It's not a debconf thing -- we'd need to change either update-rc.d, or change debhelper and then rebuild every package (rebuilding every package will not happen; if it gets rebuilt due to a new version, cool).

[jdong]

Well, can we do one of the two for Hoary? I know that my old Debian Sarge installation prompted me before enabling a Daemon.

[daniels]

I'll check it out.

[Hikaru79]

Quote:

Originally Posted by demon666_nl I would like firestarter in ubuntu main and installed by default in hoary

Just think about all the people we'd have in here and the Wiki and the IRC channel pleading about 'why is my bittorrent so slow' or 'why can't I connect to such-and-such an XDCC bot?' I agree with daniels; let those who are interested in the firewall get it themselves. For everyone else, it's probably more trouble than it's worth to solve all of the problems it will cause.

[ubuntu_demon]

Quote:

Originally Posted by Hikaru79 Just think about all the people we'd have in here and the Wiki and the IRC channel pleading about 'why is my bittorrent so slow' or 'why can't I connect to such-and-such an XDCC bot?' I agree with daniels; let those who are interested in the firewall get it themselves. For everyone else, it's probably more trouble than it's worth to solve all of the problems it will cause.

True. I tend to forget my own plees about making stuff easy for the average-desktop-user. I tend to forget people don't even understand the easy interface of firestarter. Lot's of people don't understand anything about firewalls. It's a good thing we don't really need them in Ubuntu.

[jdong]

Daniel, I disagree about firestarter. The way you guys configured debconf, all newly installed daemons will listen on all interfaces, so as soon as you start apt-getting apache and stuff, you'll start getting open ports!


I like using Firestarter to prevent me from doing something really stupid, like leaving samba open on the wrong interface! LOL