Hi,

On Mar 7, 2005, at 18:12, Kyriakos G. Ginis wrote:

> On Mon, Mar 07, 2005 at 04:31:32PM +0000, owen maroney wrote:
>>
>> service seemed secure.  A gsiftp server, allowing users to upload files
>> to the CE, can be particularly dangerous in this regard (just get the
>> file permissions wrong in exactly the right place...)
>
> Keep in mind that globus-job-run could also be used in a malicious way
> on your CE (and perhaps is more dangerous than gsiftp), so I doubt if by
> disabling globus-gridftp on the CE you are actually increasing its
> security.
>

On the contrary, you most certainly ARE increasing its security.  Most
attacks work by a combination of circumstances.  For example, buffer
overflow attacks are typically dangerous because of the combination of a)
a buffer overflow allowing an attacker to insert arbitrary code to be
executed and b) the overflow being in a program that is running with root
privileges.

The question is HOW MUCH are you increasing security by disabling a
given service.  The answer might be "not very much at all" ... and it
probably is, but without any other information I am guessing you would
have to assume it scales like the number of possible combinations of
services.

This is bad, because the number of possible combinations tends to scale
like a factorial ... naively (i.e. having no other information whatsoever
except that I am running some services) I might expect that running
five services would be six times more secure than running six.

                                        JT