Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Solar Designer on Openwall

ScuttleMonkey posted more than 8 years ago | from the getting-easier-to-hack-together-great-things-all-the-time dept.

25

Demonfly writes to tell us that Solar Designer, who some would argue is one of the more respected security experts on the net, took the time to answer a few questions about the future of Openwall, the security enhanced GNU/Linux distro. From the interview: "There's real demand specifically for security-enhanced Linux systems. Linux is widespread, it has good hardware support, there's a lot of software available for it (including some commercial packages), and there are system administrators with specific Linux skills. Of course, OpenBSD and other *BSDs have their user bases, too - and people are working on the security of those systems. No, Linux (the kernel) is not a better choice than *BSDs security-wise. But it is not substantially worse either."

cancel ×

25 comments

Sorry! There are no comments related to the filter you selected.

Oh come on! (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14976769)

People who use silly monikers like "Solar Asshat" should grow up. How can you trust someone like that? Security Expert my ass, more like unispired hacker punk who needs to get a life and stop paying for sex.

Disagree (0, Flamebait)

maelstrom (638) | more than 8 years ago | (#14976786)

I think that SELinux has the potential to be a more secure kernel than many of the *BSDs.

Re:Disagree (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14977283)

Ha ha ha ha ha.

He he he he he.

Ho ho ho ho ho.

But seriously: go suck a big nigger-cock, will you?

Re:Disagree (0)

Anonymous Coward | more than 8 years ago | (#14977673)

Then you don't understand what SELinux is, or does.

Re:Disagree (1)

moro_666 (414422) | more than 8 years ago | (#14979142)

kernel security this and kernel security that. sure it gives you something, but it doesn't really protect you from the dumb administrators and even more dummy users.

  what i'd gladly see in the linux world, userspace transparent jailing (meaning i could run my applications without endangering the rest of the system). i could give the application read access where it needs to read, hide files that it doesn't need to know about, and not let it write a thing except the directory that it runs in. sure running another linux inside your linux does the trick, but the regular really can't do it, it requires root permissions and a nice bucket of time (that most of us don't really have in hand). ye, and memory access control wouldn't hurt either (meaning the app could only read and write from the memory that i allow it too, not what it thinks it should read/write). and if you've got a really nice application/preloadable_lib that already provides it, pleas be just kind enough to reply this in here.

  enhancing only the kernel isn't enough, we need sandboxes around our buggy apps. kernel doesn't really have an idea that a dummy php script could save an uploaded file and execute it with eval ( 'system (/tmp/foobar) '); or smth in the way. but a properly configured sandbox would know it and could prevent it.


  i have a perl script here , around 40 lines long, that takes a linux box down to halt from the "nobody" user account, within half an hour (tested both, 2.4 and 2.6 series). that's not what i'd define as security, do you ?

Re:Disagree (1)

booch (4157) | more than 8 years ago | (#14980837)

You should look into FreeBSD's systrace [onlamp.com] functionality. It looks a little easier to set up than a chroot jail, but is more fine-grained, and concerns more than just file access. As far as I know, Linux doesn't have anything like it though. (I wish it did!)

Re:Disagree (0)

Anonymous Coward | more than 8 years ago | (#14982506)

Perhaps you should read the site all the way to the bottom:

"While systrace has a vast number of functions and abilities, this should be enough to get you started. Experiment with the tool, look at some existing policies, and be sure to read section 2 of the man pages when you're in doubt. systrace is starting to spread to other operating systems; not only is it on OpenBSD, but NetBSD and Linux, with ports underway to Mac OS X and FreeBSD."

:)

Passing out. (0)

Anonymous Coward | more than 8 years ago | (#14976829)

"No, Linux (the kernel) is not a better choice than *BSDs security-wise. But it is not substantially worse either.""

Damming with faint praise, are we?

simple marketing (0)

r00t (33219) | more than 8 years ago | (#14978172)

He has something to sell. He can't sell it if he admits that Linux security is perfect.

Re:simple marketing (0)

Anonymous Coward | more than 8 years ago | (#14980002)

Yep, so perfect there have been, what, a half-dozen Linux kernel vulnerabilities announced on the SecurityFocus mailing list so far this year?

Yep, sounds like perfection to me.

Ass.

the future. (1)

Gravis Zero (934156) | more than 8 years ago | (#14976837)

and shortly after a groundbreaking release it will be deem classified by the NSA for be a national security threat... to SELinux. :)

Solar Designer on Openwall (1, Insightful)

BigZaphod (12942) | more than 8 years ago | (#14976851)

The title of this news item had me thinking it was some kind of cool new transparent solar cell for houses or something. That'd be pretty cool. Too bad it's just about Linux...

Re:Solar Designer on Openwall (2, Funny)

funpet (836434) | more than 8 years ago | (#14978868)

No silly, the creator of the sun is sitting like Humpty Dumpty on an open wall.

Real question (4, Informative)

Spazmania (174582) | more than 8 years ago | (#14976872)

The real question is: When are you going to release a set of patches for Linux 2.6?

The openwall patches for 2.4 do the following three really useful things. Hardware compatibility is pushing me to 2.6 but I'd sure like to have the patches:

Non-executable stack (defeats most buffer-overflow attacks)
Restricted links and fifos in /tmp
Restricted /proc

got it already (2, Informative)

r00t (33219) | more than 8 years ago | (#14978196)

The non-executable stack is in 2.6.xx already. It's activated for normal executables that have been compiled with a recent compiler.

Rather than restricting /tmp, you can now use the unshare() system call with CLONE_NEWNS to give every user their own private /tmp. You can also just restrict /tmp via an LSM (Linux Security Module, like SE Linux or RSBAC)

You can restrict /proc with an LSM too.

Re:got it already (2, Interesting)

Spazmania (174582) | more than 8 years ago | (#14978919)

The non-executable stack is in 2.6.xx already.

Then why does the stacktest.c program from openwall succeed in simulating a buffer overflow in SuSE Enterprise 9 with kernel 2.6.15.6?

You can restrict /proc with an LSM too.

Yeah? Which?

Re:got it already (1)

r00t (33219) | more than 8 years ago | (#14985098)

You probably compiled stacktest.c with an old toolchain. Perhaps SuSE didn't enable the non-executable stack. Maybe your hardware doesn't support the NX bit.

SE Linux should do fine for restricting /proc.

Ask the good folks a sdf.lonestar.org about Linux. (1)

ivi (126837) | more than 8 years ago | (#14976884)


  I seem to recall reading that SDF -had- Linux, in a past life,
  but - after an intrusion - -now- use NetBSD or the like.

  They'd surely have something useful to say about Linux v BSD
  security.

  Does anybody know any of their admin's of the times to ask?

  FYI: sdf.lonestar.org is a long-time "free" Shell provider
            (I have NO pecuniary interest in their organisation)

ENGLISH MOTHERFUCKER (0, Troll)

mnemonic_ (164550) | more than 8 years ago | (#14977004)

I seem to recall reading that SDF -had- Linux, in a past life, but - after an intrusion - -now- use NetBSD or the like.

Talk about convoluted punctuation. Try to write more with words rather than symbols:

I seem to recall reading that SDF used Linux in a past life, but now uses NetBSD (or the like) after an intrusion.

Not that your post (or that sentence) is flawless beyond that, it's just over-punctuating seems to be spreading among poor writers; dashes in particular are popular. I'm just fighting the good fight to stop it.

Re:ENGLISH (0)

Anonymous Coward | more than 8 years ago | (#14979301)

Perhaps you need to brush up on your reading skills. See, the netziens have adopted several different ways to show tonal emphesis via a text-only medium, usually by surrounding a given word or phrase with asterisks, underscores, or in some cases, dashes.
Combine that with the fact that the dash is perfectly acceptable punctuation - it is used in a similar manner as a comma, except that it provides more emphesis - and it is perfectly clear what the GP meant.

Re:Ask the good folks a sdf.lonestar.org about Lin (0)

Anonymous Coward | more than 8 years ago | (#14978053)

I seem to recall reading that SDF -had- Linux, in a past life,
    but - after an intrusion - -now- use NetBSD or the like.


Correct. After numerous break-ins while running Linux, SDF switched to NetBSD and hasn't had their site compromised since. But that really doesn't prove much. It is obviously just anecdotal evidence and shouldn't be viewed as anything more. NetBSD worked better for SDF, OSX works better for some and believe it or not, Windows works better for others. So what.

Re:Ask the good folks a sdf.lonestar.org about Lin (0)

Anonymous Coward | more than 8 years ago | (#14982616)

"I had a lot of breakins on OpenBSD so I switched to Windows instead."

While such an example might indeed be true, it is entirely non-representative of fact. I.e the root password was "god" and after switching to Windows, the machine was moved onto an isolated LAN segment.

While in general it is true that OpenBSD is normally found to be rather secure out of the box and the opposite is true for Windows, it is largely decided by the skills of the person(s) managing the server.

"I had a lot of breakins on Linux, so I switched to Linux."

Hmm, that would be because I simply omitted the distro brand. I have found very secure Linux machines and daily-compromised NetBSD machines.

Blind arrogance is dissatisfying.

openwall (2, Interesting)

NynexNinja (379583) | more than 8 years ago | (#14977180)

I respect Solar Designer, even though at the time of the initial development of these patches, most of these features were available as seperate patches from various groups of hackers -- Solar Designer is credited for integrating them into one jumbo patch.. That being said, he never put out patches for Linux 2.6, maybe due to his own stubborness towards the difference between a "production" and "beta" kernel release -- who knows.

It is because of this that other projects were allowed to flourish, namely the grsec [grsecurity.net] jumbo patch. I think most people for the last several years have pretty much abandoned using (or even thinking of using) the openwall set of patches when other more feature-rich, updated patches exist and have existed for many years now.

Re:openwall (1)

in10d (555219) | more than 8 years ago | (#14979459)

> more feature-rich, updated patches exist
Yes.
That's why many (me included) use openwall patches when rolling 2.4 kernels.
Feature-rich means "may-be-buggy" (or at least harder to review and apply).

I think trust is the keyword for this situation.
I trust openwall.
Their patches work and do only a few simple but important things.
This is the Right Way in unix world.

Its not about the kernel (0)

Anonymous Coward | more than 8 years ago | (#14980284)

It's your servers, stupid.
FTP, HTTP, NTP... these are where intruders are going to come at you. The BEST security measure is really, really good code. Stuff like electricfence, W^X, and SSP (aka ProPolice) can only compliment poorly written code.
Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>