To: gopher@complete.org
Subject: [gopher] Re: Security issues in Gopher?
From: John Goerzen
Date: 22 Jan 2002 08:56:36 -0500
Message-ID: <87pu42ebfv.fsf@complete.org>

Robert Hahn writes:

> of Gopher, I'm wondering: with the recent work that has gone into it,
> have the programmers for the project made an effort to tackle security
> on a proactive basis instead of a reactive one? I would hardly be
> unique by saying I don't want my system hacked. :)

Yes. Several people have gone at the code removing the most onerous of
the buffer overflows -- hundreds of fixes in all. This does not mean
that the code is absolutely secure, but it is far better than it was.
There's always more auditing that could be done.

> pretty sound to me (ie: user 'nobody' can't really do a whole lot of
> damage) so I'm wondering what it would take for me to run gopherd as
> nobody - and better still, why people are running it as root.

You can not only run gopherd as nobody (see -u) but you can also run
it chroot, which is more than you get with Apache even.

-- John
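
The combination described in the message above (chroot plus an unprivileged account), sketched in C as an added example to show the order of operations that makes the drop stick. This is not gopherd's source; `enter_jail`, the uid/gid 65534 and the path `/srv/gopher` are assumptions chosen for illustration.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum jail_err { JAIL_OK = 0, JAIL_BADARG, JAIL_CHDIR, JAIL_CHROOT,
                JAIL_GROUPS, JAIL_GID, JAIL_UID, JAIL_NOT_DROPPED };

/* Confine the process to `jail`, then permanently become uid/gid.
 * Call while still root, after binding any privileged port. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    /* Refuse a "drop" that keeps root, and relative jail paths. */
    if (jail == NULL || jail[0] != '/' || uid == 0 || gid == 0)
        return JAIL_BADARG;

    /* chdir first so no working directory is left outside the new root. */
    if (chdir(jail) != 0)        return JAIL_CHDIR;
    if (chroot(".") != 0)        return JAIL_CHROOT;   /* needs root */
    if (chdir("/") != 0)         return JAIL_CHDIR;

    /* Clear supplementary groups, then gid before uid: once the uid
     * is gone the process can no longer change its groups. */
    if (setgroups(0, NULL) != 0) return JAIL_GROUPS;
    if (setgid(gid) != 0)        return JAIL_GID;
    if (setuid(uid) != 0)        return JAIL_UID;

    /* Verify the drop is irreversible: regaining root must fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return JAIL_NOT_DROPPED;
    return JAIL_OK;
}

int main(void)
{
    /* Constructed values: 65534 is "nobody" on many Linux systems;
     * /srv/gopher is a hypothetical data directory. */
    int rc = enter_jail("/srv/gopher", 65534, 65534);
    printf("enter_jail -> %d\n", rc);
    return rc;
}
```

A chroot only confines a process that has also given up root, which is why the function treats a failed or reversible drop as an error instead of continuing.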