Game-security bug lessons:
--------------------------

DSA-334, 354, 356, 368, 369...
- vulnerability in an application setGID games = compromise of users running any game on the system

#291613
- setGID games should not write in users' dirs without dropping privs
  Are global hiscores worth it?

#255434
- Some security bugs are not fixed by (almost) MIA maintainers even if they are oneliners.
- Non-free stuff is not security supported (but our users might not be that much aware of it)

#287604 lessons:
- obsolete, bug-ridden software gets into our stable release

#287651 lessons:
- ancient (and unaudited) software contains lots of security bugs
- maintainers (wishfully) think that bugs in old versions are not present in newer ones

#323386 lessons:
- Maintainers sometimes fix security bugs in unstable (through upstream) but neglect to fix them in stable or keep the bug open for testing!

#291635 lessons:
- Unaudited software should not be used in CGI gateways

#291389 lessons:
- Some programming languages don't provide easy-to-use security functions

#289562 lessons:
- Make sure the files belong to the proper users when checking their existence

#334616 lessons:
- Most software does not need root privileges to run
- Network attacks restricted to localhost = local attacks
- A network server should use authentication

DSA 656
- Disabling a server is no security measure; users will start it up. Design it properly for this event.
- Maintainers don't heed upstream's comments (INSTALL file, 'don't run as root!')
- It's difficult to do a redesign in a DSA (#287899) (overwrite any file -> write anywhere as root)
- Don't invent new protocols without authentication

DSA-893 lessons:
---------------
- Upstream doesn't always know how to fix security bugs
- Security bugs in some packages might affect other packages with a common codebase
- It's better to restrict access to sensitive web interfaces by default (security bug in default install -> security bug enabled by admin)
- Fixes for SQL injection bugs and XSS bugs in PHP apps are similar: check your input!
- A security fix is not always 100% thorough ("time to fix" pressure)

Temporary audit:
---------------
- Software does not use $TMPDIR but hardcodes /tmp
- In many situations (persistence), temp files should be in the user's directories instead of under /tmp
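Added example, not from these notes nor from any Debian package: three of the lessons above in C (the setGID-games privilege drop from #291613, the "check who owns the file, not just that it exists" point from #289562, and the $TMPDIR point from the temporary audit). Function names are hypothetical; behaviour assumes a Linux/POSIX system.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* A setgid-games binary may write the global hiscore file with its group
 * privilege, but must drop that group before touching anything under $HOME.
 * Setting both ids also replaces the saved set-gid on Linux, so the drop is
 * permanent; the result is verified rather than assumed. */
int drop_group_privs(void)
{
    gid_t real = getgid();
    if (setregid(real, real) != 0)
        return -1;
    return getegid() == real ? 0 : -1;
}

/* Open an existing per-user file only if it really is the user's: O_NOFOLLOW
 * refuses a symlink planted at the path, and the fstat() on the open fd (not a
 * separate stat() on the name) checks it is a regular file owned by the caller. */
int open_owned_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Create a private temp file under $TMPDIR (falling back to /tmp) instead of a
 * hardcoded, predictable /tmp name. mkstemp() creates it 0600 with O_EXCL, so a
 * pre-planted file or symlink at the chosen name cannot win. Returns the fd and
 * fills `path` with the actual name, or -1 if the buffer is too small. */
int make_private_tempfile(char *path, size_t len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(path, len, "%s/game-XXXXXX", dir) >= (int)len)
        return -1;
    return mkstemp(path);
}
```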