From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: Add murmur.
Date: Mon, 13 Feb 2017 15:15:51 +0100
To: "pelzflorian (Florian Pelz)"
Cc: guix-devel@gnu.org

"pelzflorian (Florian Pelz)" wrote:

> On 02/12/2017 06:01 PM, Hartmut Goebel wrote:
>> On 12.02.2017 at 15:37, David Craven wrote:
>>> I think that it is a minor
>>> issue at best, since anything that isn't accessible over the network or running
>>> with any sort of privileges is not very useful.
>>
>> I strongly disagree!
>>
>> Every piece of software available on the system may the intruder. The
>> server may not be running so it can not be attacked in the first place.
>> But if an intruder gains (unprivileged) access to the system, he might
>> be able to start that server software. Then he might use it for
>> privilege escalation (if the server software is vulnerable), as a
>> back-channel or for attacking further systems.
>>
>
> An attacker with enough privileges to run Murmur has enough privileges
> to install Murmur anyway (perhaps but not necessarily by using Guix).

Definitely. And they might just as well run software that’s more useful
for their purposes, like a botnet server. :-)

Ludo’.