> From pb @ fr Thu Feb 20 12:44:01 1997
> Date: Thu, 20 Feb 1997 19:18:45 +0100
> From: Pierre . fr (Pierre Beyssac)
> To: long-morrow @
> Cc: cowboy @ nl, jeromie @ com, firewalls @
> Subject: Re: Web server security
> X-Mailer: Mutt 0.59.1e
> Mime-Version: 1.0
> Content-Length: 1405
> According to long-morrow @
> > because the server process or the Mac itself might crash during the
> > night and stay down until morning. Unix and NT machines -- though
> > more likely to be broken into -- are more reliable at keeping server
> > processes up and running (they can even babysit them and restart them
> It might be understood that you're saying that Unix and NT are
> _inherently_ less secure than MacOS (the same claim is made for Unix
> vs NT).
> But it should be made clear that this is _only_ a consequence of the
> fact that many more services are available "out of the box" on Unix
> than on NT, and on NT than on MacOS. A cracker can't login on a machine
> if it allows no remote login. Even less if the OS doesn't allow that
> because you didn't purchase the option, of course.
> But if you want to secure a Unix machine as much as possible, you
> can perfectly disable _all_ external services except the HTTP server,
> making it as secure as MacOS. And much more reliable. You can even
> remove rlogind, telnetd and the like if you're really paranoid.
> Then you need to choose a secure HTTP server, which is a different
> thing. Having a secure OS will not magically secure your HTTP server!
> Bugs recently discovered on NT servers (for example the ../.. stuff)
> have generally been fixed two or three years ago on Unix HTTP servers.
> They're just 2 or 3 years more mature...
> Pierre .
My logic was this. In a UNIX/NT environment there is a command-line
interface, whereas a MAC has none. In a UNIX/NT environment it may be
possible to pass commands to a CLI, whereas it wouldn't be feasible in
a MAC...
In a UNIX/NT box, you have to worry about whether people can get to the CLI,
as well as worrying whether they can throw system calls in to be processed.
In a MAC, you only have to worry about whether they can embed system calls...