I agree with you. Sysadmins have ultimate responsibility for not only what they run, but how they run it.

That being said, usually a sysadmin is thinking of keeping people out of the box, maybe thinking about elevated privelege exploits, service exploits, etc.

Something like a reasonable ulimit setting though... I am not sure that a distro can call itself a "server operating system" if the developers who know the OS and build it, don't set some reasonable defaults.

To expect a sysadmin to cover every possible base is a little extreme, and more than a little impossible.

Most sysadmins I know, are so busy dealing with users, installing software, building servers all the time, that it can be hard to find the necessary time to nail every last detail on the different OS's they run.

This is more of what a security researcher does, then informs the OS dev crew of the problem, which gets solved in a patch, which ideally gets installed by the busy sysadmins.

I'm not sure that half the sysadmins even know what ulimit does, including "certified" admins. I know because I am a developer, but I have never adjusted it on an OS before, nor would I even think of it if I were a sysadmin.

The guy who wrote the article is a security researcher, and he didn't know that there was no reasonable default. Expecting the average sysadmin to know this is a little much.

my 2 cents...

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/308/31156#31156