Hi,

On Mar 7, 2005, at 18:12, Kyriakos G. Ginis wrote:

> On Mon, Mar 07, 2005 at 04:31:32PM +0000, owen maroney wrote:
>>
>> service seemed secure. A gsiftp server, allowing users to upload files
>> to the CE, can be particularly dangerous in this regard (just get the
>> file permissions wrong in exactly the right place...)
>
> Keep in mind that globus-job-run could also be used in a malicious way
> on your CE (and perhaps is more dangerous than gsiftp), so I doubt if by
> disabling globus-gridftp on the CE you are actually increasing its
> security.

On the contrary, you most certainly ARE increasing its security. Most attacks work by a combination of circumstances. For example, buffer overflow attacks are typically dangerous because of the combination of a) buffer overflow allowing attacker to insert arbitrary code to be executed and b) the overflow is in a program that is running with root privileges.

The question is HOW MUCH are you increasing security by disabling a given service. The answer might be "not very much at all" ... and it probably is, but without any other information I am guessing you would have to assume it scales like the number of possible combinations of services.

This is bad, because the number of possible combinations tends to scale like a factorial ... naively (i.e. having no other information whatsoever except that I am running some services) I might expect that running five services would be six times more secure than running six.

JT