Received: with LISTAR (v1.0.0; list gopher); Tue, 22 Jan 2002 08:56:37 -0500 (EST)
Return-Path: <jgoerzen@complete.org>
Delivered-To: gopher@complete.org
Received: from christoph.complete.org (unknown [168.215.193.254])
	(using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
	(Client CN "christoph.complete.org", Issuer CN "John Goerzen -- Root CA" (verified OK))
	by pi.glockenspiel.complete.org (Postfix) with ESMTP
	id 6A1053B80B; Tue, 22 Jan 2002 08:56:37 -0500 (EST)
Received: by christoph.complete.org (Postfix, from userid 1000)
	id 1AE871327B; Tue, 22 Jan 2002 08:56:37 -0500 (EST)
To: gopher@complete.org
Subject: [gopher] Re: Security issues in Gopher?
References: <DDDDD43B-0ED9-11D6-9A05-003065663F8C@golden.net>
From: John Goerzen <jgoerzen@complete.org>
Date: 22 Jan 2002 08:56:36 -0500
In-Reply-To: <DDDDD43B-0ED9-11D6-9A05-003065663F8C@golden.net>
Message-ID: <87pu42ebfv.fsf@complete.org>
Lines: 21
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.4 (Common Lisp)
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-archive-position: 378
X-listar-version: Listar v1.0.0
Sender: gopher-bounce@complete.org
Errors-to: gopher-bounce@complete.org
X-original-sender: jgoerzen@complete.org
Precedence: bulk
Reply-to: gopher@complete.org
List-help: <mailto:listar@complete.org?Subject=help>
List-unsubscribe: <mailto:gopher-request@complete.org?Subject=unsubscribe>
List-software: Listar version 1.0.0
X-List-ID: Gopher <gopher.complete.org>
List-subscribe: <mailto:gopher-request@complete.org?Subject=subscribe>
List-owner: <mailto:jgoerzen@complete.org>
List-post: <mailto:gopher@complete.org>
List-archive: <http://www.complete.org/mailinglists/archives/>
X-list: gopher

Robert Hahn <rhahn@golden.net> writes:

> of Gopher, I'm wondering:  with the recent work that has gone into it, 
> have the programmers for the project made an effort to tackle security 
> on a proactive basis instead of a reactive one?  I would hardly be 
> unique by saying I don't want my system hacked. :)

Yes.  Several people have gone at the code removing the most onerous
of the buffer overflows -- hundreds of fixes in all.

This does not mean that the code is absolutely secure, but it is far
better than it was.  There's always more auditing that could be done.

> pretty sound to me (ie: user 'nobody' can't really do a whole lot of 
> damage) so I'm wondering what it would take for me to run gopherd as 
> nobody - and better still, why people are running it as root.

You can not only run gopherd as nobody (see -u) but you can also run
it chroot, which is more than you get with Apache even.

-- John