
back to article Linux distros fix kernel terminal root-hole bug

Linux admins need to get busy patching, as a newly discovered bug has emerged in the kernel's tty handling – and it lets logged-in users crash the system, gain root privileges, or otherwise modify and access data they shouldn't. This memory corruption flaw is certainly nothing like OpenSSL's remotely exploitable Heartbleed – CVE …

COMMENTS

This topic is closed for new posts.


Silver badge

Definition of "local"

It would appear that "local" doesn't just include someone sitting in front of the screen, but rather anyone who can gain shell access remotely, if this C code is anything to go by.

Nasty? Most definitely. Cue the Windows fans now saying "that's what you get for using free software", who by now are only just getting used to the idea that similarly nasty bugs affecting versions of Windows from XP to 8.1 are being discovered now.

At least now I know of it, I can have this patched within the hour, I don't have to wait for upstream.

7
3
Silver badge

In the Microsoft World

The patch would be ready today, but you cannot have it until Tuesday.

9
3
Silver badge

Re: In the Microsoft World

I'll gladly pay you Tuesday for a patch today.

10
1
Silver badge

Re: In the Microsoft World

The patch would be ready today, but you cannot have it until Tuesday.

Or ever if it's Windows 2000/XP.

I can still apply any patches I like to my old Slackware 3.6 installation (if I had one, I have the media for it though), while no one's there to write the patch for me, there's nothing stopping me writing my own and applying it other than my own patch-writing skills. This is why I choose open-source solutions over proprietary ones where possible.

I suspect while us Windows Vista, 7 and 8.x users will be updating, the Windows XP users will be left to go it alone.

10
3
Anonymous Coward

Re: Definition of "local"

Linux bug? Wow, I didn't anticipate the Linux fans saying, "Cue the Windows fans gloating" (can dish it out but not take it, huh?) or pulling the old "ButbutbutWindows ..." straw man the minute I saw the headline. Oh - yes I did. And you guys never fail to live down to expectations :)

11
22
Anonymous Coward

Re: In the Microsoft World

Just to point out to those harping on about waiting until patch Tuesday - previous studies have shown fewer 'days at risk' and on average a faster patch time for Microsoft OSs compared to enterprise Linux distributions. I am not aware of any that show the reverse.

4
20
Anonymous Coward

Re: In the Microsoft World

"Just to point out to those harping on about waiting until patch Tuesday - previous studies have shown fewer 'days at risk' and on average a faster patch time for Microsoft OSs compared to enterprise Linux distributions. I am not aware of any that show the reverse."

Got a link?

15
0
Silver badge
Thumb Up

Re: Never mind the facts!

Let's fill this page with MS hate then we can all pretend this Linux vulnerability never happened.

14
16

Re: Never mind the facts!

@sabroni There is far too much truth in that statement.

I think it's far too easy to take the moral high ground with Linux though based on relatively few serious exploits over the years it's probably partly justified. But just like windows if you don't patch it.....

I'm a big Linux advocate but I also am happy to admit that there are from time to time holes in it. But I'd still rather take my chances with it over Windows. In fact I'm off to quickly patch my machines now....

9
0
Silver badge
FAIL

Re: Definition of "local"

It would appear that "local" doesn't just include someone sitting in front of the screen, but rather anyone who can gain shell access remotely, if this C code is anything to go by.

A local user is someone who has unprivileged access to run code on a computer. A remote user is someone who has access to provide inputs to a program running on that computer.

This isn't new.

7
1
Silver badge

Re: In the Microsoft World

>>"The patch would be ready today, but you cannot have it until Tuesday."

if($bugPlatform == 'Windows') {

echo($WindowsCriticism);

} else {

echo($WindowsCriticism);

}

The bug also wouldn't be detailed as a rule because (with the exception of very large customers), Windows is closed source, meaning the world wouldn't know the details. Open Source's chief advantage is that it lets you verify when you don't trust the vendor and it lets you fork the code if you're not happy with them / they abandon it.

With bugs, Open Source is a mixed bag. Some people seem to think it is a magical panacea.

Patch Tuesday is done because it helps enterprise customers manage updates, btw.

13
0
Silver badge

Re: Definition of "local"

>>"A local user is someone who has unprivileged access to run code on a computer. A remote user is someone who has access to provide inputs to a program running on that computer."

I think they were just clearing up that "local user" didn't mean that the person had to be sitting at the machine - they could still be half-way around the world. Obviously most people with Linux experience will understand what local user means in this context, but some will still think if a bug allows a local user to do something, it was meant you had to have access to the machine. You don't.

7
0
Anonymous Coward

Re: In the Microsoft World

"I'll gladly pay you Tuesday for a patch today."

Untrue. For critical fixes MS will push them out-of-band.

As F/OSS can't win on merit, they have to keep trying the PR FUD.

3
15

Re: In the Microsoft World

And the identity of the body funding the study?

1
0
Silver badge

Re: Definition of "local"

FYI there is no such thing as a "local" user in the unix/linux world, Reg is just using this layman's term for the benefit of those more familiar with other systems eg. Windows. And *ix came from the server end, so "sitting in front of the system" was never really a thing.

Okay there is a faint definition - "local" can mean a user listed in the local /etc/passwd file, as opposed to LDAP or similar.

2
0
Silver badge

Re: Never mind the facts!

I patched it before commenting.

Not that anyone but me knows HOW to get a shell here..

2
0

Re: Definition of "local"

There's no real fixed definition, Jim59. Someone can also speak about "local" in terms of "local access" to the hardware under the OS itself which is fairly common with (shared) workstations since decades and since last decade even more so with all the Unix derivatives and improvements around. Local access which by the way would change the whole security context right there and then. Perhaps a better term in this article would be "users able to start-up a local shell process". This is not that much different from starting some sshd or httpd subprocess or thread by accessing some port. Although shells are more powerful processes with more possibilities than most other user services. By design of course. Perhaps on a large shared hosting provider, one might have some different security concerns and expectations than on private platforms. For that reason the impact factor of this bug doesn't seem that high but still important enough to think about though. Briefly.

1
0
Bronze badge
FAIL

Re: Never mind the facts!

Let's fill this page with MS hate then we can all pretend this Linux vulnerability never happened.

Which I am sorry to say, is a bad attitude.

Someone fucked up.

Period.

Fix the goddammed bug.

There are only three things that matter to me:

1) When did this get introduced (so we have some idea of how long we have been vulnerable)

2) When was it reported

3) When was the fix released.

Sometimes the Linux community needs to 'take its medicine', just like those who worship at the altar of Redmond.

5
1

Linux devs hide security issues

http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/

"...The fix to the Linux kernel was published last month. Its documentation did not mention that the code patched a critical vulnerability that could jeopardize the security of organizations running Linux in highly sensitive environments. This lack of security advisories has been standard practice for years among Linus Torvalds and other developers of the Linux kernel—and has occasionally been the subject of intense criticism from some in security circles...."

"...The Linux kernel developers are notorious for not documenting security fixes. Here's an instance from a couple weeks ago. A security issue was fixed, but it wasn't documented as such, which simply leaves people guessing. Brad Spengler has been very vocal about this issue, and has found many, many patches that were pushed to the mainline that were to fix security vulnerabilities, yet weren't documented as security fixes. He's not the only one, but he has a fairly long track record of actually discovering vulnerabilities in the Linux kernel (as well as the creator of the grsecurity patchset)...."

4
0
Silver badge

Re: In the Microsoft World

"As F/OSS can't win on merit, they have to keep trying the PR FUD."

Oh, the irony...

5
0
Anonymous Coward

Re: In the Microsoft World

"Oh, the irony..."

And the irony intake doubles when you consider the first sentence regarding critical updates in that post was entirely correct. Nothing like losing your audience by starting with the facts and then smothering them with a thick layer of crap.

1
1

Re: Definition of "local"

Nice to know you can patch it within the hour. By the way, the fix was committed to the public kernel source 12 days ago, and Ubuntu had the fix 10 days ago.

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4291086b1f081b869c6d79e5b7441633dc3ace00

The CVE number was allocated last December, and that timing roughly corresponds with a public discussion about potential race conditions in the relevant code:

http://article.gmane.org/gmane.linux.kernel/1610783

4
0
Facepalm

Re: Linux devs hide security issues

"This lack of security advisories has been standard practice for years among Linus Torvalds and other developers of the Linux kernel"

What's stopping them subscribing to the Linux kernel mailing list?

https://lkml.org/

1
1

Re: Definition of "local"

"The CVE number was allocated last December, and that timing roughly corresponds with a public discussion about potential race conditions in the relevant code:"

How has this been around since 2009?

'Pseudo-terminal buffer bug from 2009 discovered', theregister

"I discovered that kernel 3.12 has broken terminal handling"

http://article.gmane.org/gmane.linux.kernel/1610783

2
0
Bronze badge

Re: In the Microsoft World

OK,

C

U

Next

Tuesday

0
1

Re: In the Microsoft World

Got a link?

http://arstechnica.com/apple/2008/04/report-microsoft-fastest-to-issue-os-patches-sun-slowest/

2
3
Anonymous Coward

Re: In the Microsoft World

"Got a link?"

http://www.informationweek.com/controversial-report-finds-windows-more-secure-than-linux/d/d-id/1031061?

http://www.computerworlduk.com/news/security/3629/microsoft-we-patch-faster-than-apple-novell-and-red-hat/

1
5
Happy

Re: In the Microsoft World

"The patch would be ready today, but you cannot have it until Tuesday."

Which at this time of the month is nearly four weeks away.

0
0
Silver badge

Re: that's what you get for using free software

That's what you get for not using a Clearpath mainframe with OS2200 installed.

If you want a proper job doing you need to use a proper computer.

Tsk!

0
0
Silver badge

Re: In the Microsoft World

http://www.zdnet.com/linux-trailed-windows-in-patching-zero-days-in-2012-report-says-7000011326/

This much more modern link would seem to back up what you are saying until you realize it's coming from Microsoft shill zdnet and they are going off a dataset of only 2 zero days for either OS. The more interesting paragraph is this one.

"The Trustwave report says the number of critical vulnerabilities, as determined by the Common Vulnerability Scoring System (CVSS) assessment of factors like potential impact and exploitability, identified in the Linux kernel was lower than in Windows last year, with nine in Linux compared to 34 in Windows. The overall seriousness of vulnerabilities was also lower in Linux than Windows, with Linux having an average CVSS score of 7.68 for its vulnerabilities, compared to 8.41 for Microsoft."

2
0
Thumb Down

Re: In the Microsoft World

"OK,

C

U

Next

Tuesday"

How boringly crass of you.

1
0
Bronze badge

This wouldn't have happened...

...if you'd been using the Sinclair Spectrum

10
0

Re: This wouldn't have happened...

No it crashed when you inserted the joystick adapter instead..

1
0
Silver badge

Re: This wouldn't have happened...

No it crashed when you inserted the joystick adapter instead..

You got as far as that?

1
0
Silver badge
FAIL

Re: This wouldn't have happened...

Pah we know Speccy's are rubbish and that the BBC MicroB is a proper home computer....

(Yes I was a speccy owner, but I have to provide the same load of juvenile bollocks still spouted today, just to keep us on track).

9
0
Silver badge

Don't forget the design

It's not simply about bugs - All humans make mistakes after all.

The point is that the way unix (and unix like) systems are designed means that bugs are generally more contained, and therefore typically less destructive.

Windows 'all or nothing' design means that a whole system can be rooted by a malformed PDF, JPG or MP3 etc.

Another attack vector is done by low level access to GPU I/O. Unfortunately, Unix isn't totally immune to bugs here, as X needs to run with root privs (and even if access was simply granted to the I/O, it would still often be enough to root a system).

However, on servers, you simply don't run a GUI. Try doing *that* with Windows!

An extension to that is that I run my servers with everything that is unused stripped from the kernel. I'll never need to use the USB ports, raid controllers, and there is no bluetooth or wi-fi etc.

So, all that code is stripped out, as is any backwards-compatibility code for previous versions of the OS where I don't require that either.

Can you do that on Windows? Other than maybe remove a few .SYS files, you are basically stuck.

4
4
LDS
Silver badge

Re: Don't forget the design

"on servers, you simply don't run a GUI. Try doing *that* with Windows!"

Since Windows 2008 you can run a server without the GUI. It looks like your Windows knowledge dates back to 1995.

"I run my servers with everything that is unused stripped ... raid controllers..."

Strange kind of server, with no fault tolerance. Is the one you're running in your bedroom?

"Can you do that on Windows?"

Sure. You just have to learn how to do that. BTW: drivers are kernel modules in Windows. It looks like you have no clue about how Windows is designed and works.

2
1
Bronze badge

Re: Don't forget the design

> "However, on servers, you simply don't run a GUI. Try doing *that* with Windows!"

Ok. Server manager -> Remove roles or features -> features -> User interfaces and infrastructure -> Server graphical shell <untick> reboot.

No more GUI.

At the end of the day, any non-trivial software product will contain bugs, regardless of if it's open or closed source.

2
1
Silver badge

Re: Don't forget the design

>>"The point is that the way unix (and unix like) systems are designed means that bugs are generally more contained, and therefore typically less destructive.

Windows 'all or nothing' design means that a whole system can be rooted by a malformed PDF, JPG or MP3 etc."

Everyone else has pointed out to you that you can run Windows without a GUI since 2008, so I'll cover the error about thinking GNU/Linux is more secure by design. Like your ignorance about GUIs on Windows, it appears your knowledge here also dates from pre-vista.

Windows vs. UNIX permissions

Windows ACLs are substantially more powerful than standard GNU/Linux permissions. They're also more capable than the ACLs that you can install on GNU/Linux but which no-one does. If your immediate reaction is to disagree, please read the link above to a previous discussion.

>>"An extension to that is that I run my servers with everything that is unused stripped from the kernel. I'll never need to use the USB ports, raid controllers, and there is no bluetooth or wi-fi etc."

Yeah, I used to do the same on my home computers. Please do not tell me you are running a professional service on custom-hacked around installs and are out of the distro's official packages and updates. What if you leave and your replacement hooks up a SCSI drive or sticks in a USB device and you've removed the modules? What if some kernel update comes down and you don't have the time to start recompiling everything (or do you compile on another machine and copy over binaries?) This cannot be a production machine - please! If I found one of my sysadmins had been manually fiddling around with the kernel of one of our CentOS boxes, I would roast them alive.

>>"Can you do that on Windows? Other than maybe remove a few .SYS files, you are basically stuck."

Well you can uninstall any drivers you don't need if you really want to. It's not going to save you any memory or processor load because they're dynamically loaded as needed just the same as kernel modules on Linux. In neither case are they going to be a security vulnerability if they're not being executed so if you're doing this for security reasons on GNU/Linux, then not only do you not understand how Windows works, you don't fully understand how Linux works, either. A security vulnerability in a SCSI module is not going to be an issue if that module is never loaded. And your server isn't going to load that without a reason. The only gain of removing it is reducing the size of your kernel by about forty bytes. (basically you're removing an if clause that contains a call to load module that will never be triggered).

4
3
Anonymous Coward

Re: Don't forget the design

"Ok. Server manager -> Remove roles or features -> features -> User interfaces and infrastructure -> Server graphical shell <untick> reboot."

Except that no GUI is the default for Windows Server, so normally you wouldn't have to remove it anyway.

3
0
Bronze badge

Re: Don't forget the design

"Since Windows 2008 you can run a server without the GUI. It looks like your Windows knowledge dates back to 1995."

I'm not a Windows Server person, but doesn't that option simply provide you with a graphically windowed command prompt instead of using Explorer? It's not running Windows without a GUI. It's running a terminal as the shell for the GUI. Totally different thing.

Happy to be corrected, but the screenshots of Server Core I saw look like a GUI (albeit a lame one) to me.

1
0

This post has been deleted by its author

Anonymous Coward

Re: Don't forget the design

> "However, on servers, you simply don't run a GUI. Try doing *that* with Windows!"

Ok. Server manager -> Remove roles or features -> features -> User interfaces and infrastructure -> Server graphical shell <untick> reboot.

No more GUI.

now turn it back on without your GUI Server Manager tool ;)

0
0
Anonymous Coward

Re: Don't forget the design

"doesn't that option simply provide you with a graphically windowed command prompt instead of using Explorer"

It provides you with a text only command prompt terminal window on a blue background. No GUI whatsoever.

1
1
Anonymous Coward

Re: Don't forget the design

"Windows ACLs are substantially more powerful than standard GNU/Linux permissions."

You forgot to mention constrained delegation too. In Windows I can give an account ONLY the rights it needs to do something above a standard user. UNIX / Linux has the really insecure kludge of having to run SUDO - a tool which MUST execute as UID 0 / root to do a similar thing. So you always have to run SUDO code as root first to then drop down to a lower level - very bad design.

2
0

Re: Don't forget the design

Even if you remove the "gui", you're just removing the frontend management programs, the actual graphics stack is all still there and used to display a command prompt in a movable resizable window. You're not truly running without a gui, you're just running with a crippled one. It would be like running X11 on Linux with a basic window manager and then only using it to run xterm.

2
1

Re: Don't forget the design

The problem is that a complex permissions system means that many people don't know how to use it, and most of those that do can't be bothered to do so.

For most use cases the standard unix permissions are not only more than adequate, they are also easy to understand and easy to manage. There's a reason that very few people enable the more advanced ACLs.

2
1
Silver badge
FAIL

Re: Don't forget the design

"Since Windows 2008 you can run a server without the GUI. It looks like your Windows knowledge dates back to 1995."

Oh, they've finally caught up!

Ok, my mistake, and you are right, I fortunately haven't had to deal with windows servers since before 2008, so I take that one back if it's true, though I bet it's more of a 'reduced GUI' than true non-GUI.

The GUI was far too entwined when I last used windows

"I run my servers with everything that is unused stripped ... raid controllers..."

"Strange kind of server, with no fault tolerance. Is the one you're running in your bedroom?"

A veiled insult! Nice one!

But no, not at all. Well, actually, yes, to the servers in my house, but I'm referring to the proper commercial servers.

I'd love for you to explain how keeping code for various different raid controllers that I don't use helps with fault tolerance. I *did* say *unused* stuff, didn't I?

"Can you do that on Windows?"

Sure. You just have to learn how to do that. BTW: drivers are kernel modules in Windows. It looks like you have no clue about how Windows is designed and works.

Well, I did mention .SYS files briefly, but yer, I screwed up there too.

Thanks for the reply. This post's icon is directed at me.

1
3
Silver badge
Happy

Re: Don't forget the design

>>"The point is that the way unix (and unix like) systems are designed means that bugs are generally more contained, and therefore typically less destructive.

Windows 'all or nothing' design means that a whole system can be rooted by a malformed PDF, JPG or MP3 etc."

Everyone else has pointed out to you that you can run Windows without a GUI since 2008, so I'll cover the error about thinking GNU/Linux is more secure by design. Like your ignorance about GUIs on Windows, it appears your knowledge here also dates from pre-vista.

Yes, I admit I didn't know that, but as has been pointed out already, that option produces a reduced interface, it doesn't remove the whole GUI system. Also, how do you do remote administration in that environment? Do you still have to remote desktop/vnc etc. ?

Windows vs. UNIX permissions

Windows ACLs are substantially more powerful than standard GNU/Linux permissions. They're also more capable than the ACLs that you can install on GNU/Linux but which no-one does. If your immediate reaction is to disagree, please read the link above to a previous discussion.

Firstly, coming from a VMS background, I agree that standard Unix permissions are not all that powerful. But do you want to compare that to win3.1? Just as relevant.

Secondly, I don't use Linux. I haven't used Linux in over 15 years (apart from the Android tablets), but saying their ACLs are too complicated is as stupid as people saying that all Windows users do everything as Administrator, because the alternative is too complicated.

Thirdly, the article was about bugs in things that already run with full privileges, so banging on about ACLs and file permissions is only vaguely related to the discussion in hand.

But, whatever, the ACLs and capabilities sandbox, along with process 'jailing', on the systems I use are more than adequate.

>>"An extension to that is that I run my servers with everything that is unused stripped from the kernel. I'll never need to use the USB ports, raid controllers, and there is no bluetooth or wi-fi etc."

Yeah, I used to do the same on my home computers. Please do not tell me you are running a professional service on custom-hacked around installs and are out of the distro's official packages and updates. What if you leave and your replacement hooks up a SCSI drive or sticks in a USB device and you've removed the modules? What if some kernel update comes down and you don't have the time to start recompiling everything (or do you compile on another machine and copy over binaries?) This cannot be a production machine - please! If I found one of my sysadmins had been manually fiddling around with the kernel of one of our CentOS boxes, I would roast them alive.

I'm pleased you know your limits. Too many people go out of their depth in these matters, and cause more problems.

Of course I run all the production servers on tuned kernels - all competent people do. Attempting to demonise it by calling it 'custom-hacked' is either an attempt to make it look a bad thing, or you really aren't all that knowledgeable on kernel design.

Having only a few hundred thousand users a day, these machines are obviously far less used than Facebook/Google etc., but do you really think they run their systems on generic kernels? Or do you think only these big companies employ people capable of kernel tuning?

As I say, I'm glad you know your limits, and whilst I currently have no responsibility for hiring/firing, I'd be less than pleased if one of my staff had similar shortcomings.

I know not every one has the time organisational luxury to do it, but yes, most of the time I compile from source. There are no binary installed blobs here. And whilst I don't do full compiles on production boxes, it is quite possible to do it at nice +20 without any significant performance impact on live services.

As for new hardware etc., as you've already mentioned yourself (but conveniently seem to forget)...... KERNEL MODULES.

<troll>Typical Microsoft attitude - overcome efficiency shortcomings by throwing more CPU/RAM at the problem</troll>

>>"Can you do that on Windows? Other than maybe remove a few .SYS files, you are basically stuck."

Well you can uninstall any drivers you don't need if you really want to. It's not going to save you any memory or processor load because they're dynamically loaded as needed just the same as kernel modules on Linux. In neither case are they going to be a security vulnerability if they're not being executed so if you're doing this for security reasons on GNU/Linux, then not only do you not understand how Windows works, you don't fully understand how Linux works, either. A security vulnerability in a SCSI module is not going to be an issue if that module is never loaded. And your server isn't going to load that without a reason. The only gain of removing it is reducing the size of your kernel by about forty bytes. (basically you're removing an if clause that contains a call to load module that will never be triggered).

Again, I apologise about windows kernel modules. I really thought that there was still a hell of a lot that had to remain within the kernel directly, but if you're saying otherwise, I'm not in a position to argue.

And again, not a Linux user. However, the systems I use tend to have a lot of stuff contained within the main kernel at default - it's more efficient that way, and less of a security risk if kernel module loading is disabled, or restricted to console control etc.

There is also no point having something as a kernel module if it always needs to be loaded. You can strip your core kernel of stuff you'll never use, and add stuff you will always use.

Still, this is all largely tangential to the original point that windows machines have been rooted by malicious media files. This wouldn't happen on any sane system.

Do current windows versions still have explorer embedded in the kernel?

I was largely intentionally trolling in my original post (I can't always help it when it comes to windows/linux;apple - they are all easily flammable targets), but it seems my ignorance of Windows systems was my downfall. Still, thanks for replying with so many fallacies and inaccuracies that I don't now feel quite as much of a moron.

Have a nice day!

1
2
Silver badge

Re: Don't forget the design

Let's deal with this first: "I was largely intentionally trolling in my original post".

That is not helpful and is actually destructive. Especially when you admit you don't even know the facts.

>>"Yes, I admit I didn't know that, but as has been pointed out already, that option produces a reduced interface, it doesn't remove the whole GUI system"

You were wrong on this. Several people pointed it out. One person claimed otherwise. You self-admittedly haven't any direct knowledge but you chose to believe the one person who agreed with you. That is called confirmation bias. They were wrong as well - they wrote that the entire graphics stack is still there. What you see if you plug a monitor into a Server Core instance is a terminal window, there's not a menu, there's not a single GUI tool, it's a terminal window. I have motherboards with a BIOS from fifteen years ago with more of a GUI than that.

The other poster (who though they didn't know what they were talking about and were a single dissenting voice, you chose to believe over the rest of us), claimed that the entire graphics stack was still present. You could have easily checked this if you cared about actually being right, as opposed to defending your position. A very basic Server 2008 install running as Server Core will use about 180MB of memory footprint as opposed to 310MB for a version with the GUI configured with the exact same roles. Does that sound like it's doing nothing other than just not displaying a few menu options? It doesn't require all the same updates (only needing a subset as the GUI ones aren't needed). A base install of Server Core takes 1.6GB vs. 7.6GB for the GUI'd version - again, configured with exactly the same roles. Again, does that sound like it's nothing other than just turning off some GUI tools? It also runs fewer services so there's a small attack surface for malicious software / attacks.

So when a bunch of people with experience / expertise tell you something and one anonymous coward makes an unsupported statement otherwise, don't seize on their post, turn round to everyone else and effectively say 'ha! i wasn't wrong after all'. Because your reason for choosing to believe that poster over everyone else is transparent. Better, spend two minutes looking up some facts.

>>"Also, how do you do remote administration in that environment? Do you still have to remote desktop/vnc etc. ?"

I use the above questions to suggest that you really shouldn't be arguing about what Windows can and cannot do as you clearly have very little knowledge about this area. I'm happy to answer your questions, however.

If you think about it for a moment, btw. you'll realize that it cannot be VNC as VNC is simply a way of relaying the normal GUI / desktop to a remote machine and transmitting mouse / keyboard movements to it. Without a GUI in the first place, this could not be the way it works!

Typically you would use Server Manager, which is a remote server management tool for Windows Server and supersedes Remote Desktop. It doesn't work by giving you a remote desktop view, but instead provides tools for managing services / running scripts / configuring the remote machine. Well, multiple remote machines, actually. You'll have a sysadmin there running Server Manager, and they'll flick between different remote machines.

Here: http://technet.microsoft.com/en-us/library/cc732131%28v=WS.10%29.aspx

Note, command line / Powershell is a fundamental part of Windows Server. There's no part of the OS that isn't exposed to Powershell / configurable by it. So a lot of the time, if you have the knowledge or some available scripts, you can just use a command line to manage it.

>>"Firstly, coming from a VMS background, I agree that standard Unix permissions are not all that powerful. But do you want to compare that to win3.1? Just as relevant."

No I don't, because it's not just as relevant. You wrote about "the way unix (and unix like) systems are designed" and compared it to "Windows all or nothing design". I've pointed out that Windows isn't all or nothing and I compared it to UNIX permissions because that's what you compared it to.

Also, I never said that UNIX permissions are not powerful. They are. I only wrote that Windows was not an "all or nothing" system and that you appear to have no knowledge of this on Windows since before Vista.

>>"I haven't used Linux in over 15 years (apart from the Android tablets), but saying their ACL's are too complicated is as stupid as people saying that all Windows users do everything as Administrator, because the alternative is too complicated."

Nowhere did I say that ACLs on GNU/Linux are too complicated. Nor do I agree that they are. Whatever you're trying to argue against, it's nothing that I said. Indeed, very few people even actually use the ACLs on GNU/Linux. They stick with the traditional UNIX permissions system which are not access control lists.

Thirdly, the article was about bugs in things that already run with full privileges, so banging on about ACLs and file permissions is only vaguely related to the discussion in hand.

Again, you yourself brought this up. I just pointed out that you were wrong. Don't blame me for correcting you, or try to say something isn't relevant after you yourself were the one that raised it, just because you no longer find it supports your case.

>>"I'm pleased you know your limits...Of course I run all the production servers on tuned kernels"

Then I'm sorry to see that you don't know yours. You custom compile kernels on your machines introducing the possibility of hard to diagnose bugs, making it extremely difficult for someone to step into your role when needed and probably rendering any enterprise support agreements you have null and void. You say you haven't used GNU/Linux for 15 years so perhaps on the VMS world, things are different. But we're talking about Linux here so perhaps, like on Windows, you shouldn't pronounce authoritatively on this subject.

>>"all competent people do"

Way to insult all the skilled GNU/Linux sysadmins out there who don't custom compile the kernel on their production machines (and I work with a number of such people, btw).

2
0
