Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Geert Hendrickx <ghen@telenet.be>
List: netbsd-users
Date: 01/12/2007 23:41:02
[irrelevant lists removed]

On Fri, Jan 12, 2007 at 01:24:24PM -0500, Steven M. Bellovin wrote:
> > But still, I find it difficult to believe how quickly people assume the
> > box is rooted just because a user account was compromised. Is it really
> > that easy to get root on NetBSD? Or is it just simply unknown how many
> > compromises there are?
> 
> It's unknown and unknowable.
> 
> To take a random example, here's the current vulnerabilities list from
> idefense.com:
> 
> [...]
> 
> Note that this list is just for this month -- new vulnerabilities just
> announced within the last two weeks.  At least five of them could affect
> NetBSD users.  The X vulnerabilities affect XFree86 and Xorg; I wouldn't
> be surprised if vnc were vulnerable, too.  The X vulnerabilities, I
> should note, are described as local exploits.  (Aside: that site likes
> you to have JavaScript enabled, but often the workaround for browser holes
> is "disable JavaScript"....)
> 
> Want more?  There were 27 security advisories for NetBSD last year alone.
> On January 1, 2006, pkg-vulnerabilities was 1657 lines long; today, it's
> 2385 lines long.

So, you guys have no local users on your systems ... ?

Isn't that exactly why many daemons (mail, web, dns, ...) run as non-root;
if they get cracked, the entire system is not compromised?  The concept of
unprivileged users is the cornerstone of the UNIX security model.

	Geert