Perry writes:
>Casper Dik says:
>> A number of SunOS ones: divide by zero, imul, idiv emulation (two ...
>
>Compare this to the almost weekly reports of security bugs at user
>level, and I believe my point is proven. Kernel security bugs show up
>maybe once every year or two -- none that I know of has appeared in
>4.1.X SunOS, and it's been running for several years now.

There ARE still bugs in the SunOS 4.1.X kernel. I'm also certain that
there are plenty more unknown bugs in the kernel. However...

>Just looking at SunOS, there have been three sendmail bugs, some rdist
>bugs, some bugs with SUID LD_LIBRARY_PATH handling, etc, etc. One
>shows up every few months.

Point taken. The number of user level bugs far outweighs the kernel bugs.
Many of these recent bugs have also been shown to be simple bad design -
bugs in programs (or parts of programs) that never needed their special
privileges anyway.

>I agree that one must keep track of the bugs out there, BUT if one is
>running a public access system that one expects to be regularly
>attacked, it's probably better to make the system inherently safe by
>removing the places that security bugs could crop up.

Good examples of this are having very good backup strategies (that take
into account the possibility of something being modified and hence backed
up); decent logging, preferably to a hard copy or another system; and
removal of all unneeded services.

James
--
James Bonfield (jkb@mrc-lmb.cam.ac.uk) Tel: 0223 402499 Fax: 0223 412282
Medical Research Council - Laboratory of Molecular Biology,
Hills Road, Cambridge, CB2 2QH, England.