[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SAGE] number of eggs in a basket

To: Jan Schaumann <jschauma@netmeister.org>
Subject: Re: [SAGE] number of eggs in a basket
From: "Richard Johnson" <rdump@river.com>
Date: Fri, 7 Jan 2005 21:09:34 -0700
Cc: sage-members@sage.org
In-Reply-To: <20050106223237.GK18275@netmeister.org>
References: <20050106223237.GK18275@netmeister.org>
Sender: owner-sage-members@usenix.org

At 17:32 -0500 on 2005-01-06, Jan Schaumann wrote:
> I have a system that basically is a single point of failure:  if it's
> down, nothing goes.  The services on that machine are WWW, NIS, NFS and
> mail.  Mail is delivered to ~/.mail so mail can be read via NFS and need
> not be fetched.

I watched folks at my day job make just that mistake.  One stolen password
later, and they were rebuilding every single workstation in the department
as well.  Setuid binary "mistakes" like the one used to compromise the
workstations are easy to make when you let users log in to an NFS server...

That kind of oops converts a compromise of just one basket into a
multi-basket deal, and likely makes your organization into a basket case.

If you must use NFS, don't let users onto the server, and make sure that
the clients all mount safely.

For similar reasons, you probably don't want user accounts on a web server
either.  Put 'em on a publishing server instead, and push the files over.

The goal for anyone who has been through what my coworkers had to do
swiftly becomes one of minimizing the number of baskets they have to
rebuild on an emergency basis. ;-)

Richard

References:
- [SAGE] number of eggs in a basket
  - From: Jan Schaumann <jschauma@netmeister.org>

Prev by Date: Re: [SAGE] number of eggs in a basket
Next by Date: Re: [SAGE] number of eggs in a basket
Prev by thread: Re: [SAGE] number of eggs in a basket
Next by thread: Re: [SAGE] number of eggs in a basket
Index(es):
- Date
- Thread