
Security Holes Draw Linux Developers' Ire

timothy posted more than 9 years ago | from the quick-draw-me-an-ire dept.

Security 477

jd writes "In what looks to be a split that could potentially undermine efforts to assure people that Linux is secure and stable, the developers of the GRSecurity kit and RSBAC are getting increasingly angry over security holes in Linux and the design of the Linux Security Modules. LWN has published a short article by Brad Spengler, the guy behind GRSecurity, and it has stoked up a fierce storm, with claims of critical patches being ignored, good security practices being ignored for political reasons, etc. Regardless of the merits of the case by either side, this needs to be aired and examined before it becomes more of a problem. Especially in light of the recent kernel vulnerability debated on Slashdot."


477 comments


Time for (even) better security? (4, Insightful)

moz25 (262020) | more than 9 years ago | (#11308973)

Given that I'm getting lousy uptimes on my Linux servers because of the mandatory kernel upgrades, I certainly welcome a (constructive) critical look at Linux kernel security.

Re:Time for (even) better security? (1, Insightful)

mirko (198274) | more than 9 years ago | (#11308985)

Uptime is not an issue, especially if it's spoiled by this kind of maintenance.
Because Linux servers are cheap, just load balance your charge between 2 or more of these and you'll still have the availability which is actually what you need.

Re:Time for (even) better security? (4, Insightful)

Wudbaer (48473) | more than 9 years ago | (#11308993)

Hey, great argument! So Linux doesn't even need to be stable, you just can string together several boxes because it is sooo cheap. Yeah right.

Re:Time for (even) better security? (1)

mirko (198274) | more than 9 years ago | (#11309097)

Please, don't be ridiculous:
I did not say this, I answered to the grand parent (who was whining about server uptime, *not* service availability which is *what* really counts) that if he HAD to update his kernel fest it'd lose him visitors, he could still hook several machines together, that's what clusters have been invented for.

Re:Time for (even) better security? (4, Informative)

krymsin01 (700838) | more than 9 years ago | (#11309099)

I may have missed the point of the GP post, but what I got from it is that if you have a couple servers running linux, with load balancing between them, you can take one of them offline, patch the kernel, recompile, then do the other. I don't think anything was said about not being stable.

Re:Time for (even) better security? (5, Interesting)

Wudbaer (48473) | more than 9 years ago | (#11309161)

I know that it was meant that way, and I admit that it basically is right. What was irking me about the GP post was the general mindset: "Why do we need improved security and/or longer patch cycles if we just can use a workaround." Similar sentiments come up in other posts in this thread "Oh, it's just a DoS attack, there are worse things" "Oh, don't you have a firewall" etc.pp.

Either you aim for excellence or you don't. Getting this right is a pretty hard thing, but if you start making excuses and getting into workarounds you end up some years down where MS is today: A nightmare of workarounds and makeshift solutions barely held together with pieces of string and duct tape. They also started out with making a compromise here and a compromise there and saying "Oh, this won't matter much, let's do this later". You see where it got them.

Trying to get the code right is an important part of this. If you don't get it right the first time, fine, then review the code and patch it, but do it right. Not just one bug today, and another one of the same kind tomorrow, and the third the next week.

If someone knowledgeable is able to find a series of similar bugs in a widely used and widely reviewed piece of code like the Linux kernel in a couple of minutes and if bugs are mostly fixed in a piecemeal fashion getting us to the kernel security bug of the day (we are now almost at the kernel bug of the week already) the Linux community should say "Hey, could we do something better?" instead of saying "Doesn't matter, use a workaround and there are worse vulnerabilities anyway, so what?"

Re:Time for (even) better security? (4, Insightful)

jedidiah (1196) | more than 9 years ago | (#11309219)

Ebay was running Solaris and ended up going down in a ball of flames because they were too obstinate to apply the vendor recommended updates. This isn't a problem limited to Linux.

Don't be an idiot. (5, Insightful)

Anonymous Coward | more than 9 years ago | (#11309022)

There are tons of services that you can't just pop a couple machines together and tada, they are loadbalanced. Just because it's easy for simple things like http and smtp, doesn't mean it's easy for everything.

Re:Time for (even) better security? (4, Interesting)

thogard (43403) | more than 9 years ago | (#11309034)

I've always found an uptime of more than a few months tends to mean that sysadmin skills are seriously lacking. Sure a few systems can run for years but most real world systems need patches and changes and proper testing means a "reboot test" just to verify that changes to the live system are in non volatile. If the system requirements for a system have changed in the last year and the box hasn't had a full test, then there is a major problem.

Re:Time for (even) better security? (4, Insightful)

DjReagan (143826) | more than 9 years ago | (#11309046)

If you can't work out if your changes are volatile or not without rebooting the system then I suggest that it might be YOUR sysadmin skills that are lacking.

Personally, I make sure I know the answers to that sort of question before ANY changes are made to my production systems.

Re:Time for (even) better security? (4, Insightful)

EasyTarget (43516) | more than 9 years ago | (#11309084)

Humm, and how do you react when you come in to the office after a long weekend and find the server is locked in a panic cycle, because some change you made months ago means it won't boot properly? No doubt you blame everybody; developers, documenters, compilers, colleagues, god etc.. But the real reason it failed is because you did not test properly.

Personally, I know my servers can survive a reboot, because I test them for that. If I make any serious change that may affect startup I assume it will fail, and then set out to prove myself wrong.

PS: I wish I did not have to.

Re:Time for (even) better security? (4, Insightful)

router (28432) | more than 9 years ago | (#11309121)

He probably has a pre-production environment. That's what you do when you want to know how your changes will affect production. That way you don't fsck with production. I think he stated that above. Some of us don't fsck around. If you wanted to be really paranoid, you would reboot first to make sure nobody else changed anything that would fail a reboot, then make your changes, test to be sure a reboot is really necessary, then reboot again anyway to satisfy your paranoia. In pre-prod. But that's if you're paranoid. And work with a team. And have pre-prod. Maybe I'm crazy.

andy

Re:Time for (even) better security? (1)

georgewilliamherbert (211790) | more than 9 years ago | (#11309221)

He probably has a pre-production environment.
Good for him, but that doesn't mean that you know with any reasonable degree of certainty that the production environment is necessarily in a boot-clean-to-normal-operation configuration after a given change without actually doing the reboot.

It is nigh-on impractical to guarantee that there has been no deviation or difference between preproduction / staging environment and the live production environment which would cause problems like that.

There are good reasons for maintenance windows and failover / loadbalanced systems. They let you test to be confident that you haven't busted something you don't realize (yet), before it bites you in the ass in production during the middle of a busy day...

Re:Time for (even) better security? (2, Interesting)

Anonymous Coward | more than 9 years ago | (#11309125)

Personally, I know my servers can survive a reboot, because I test them for that. If I make any serious change that may affect startup I assume it will fail, and then set out to prove myself wrong.

What change would you ever be making that affects startup? Especially if it's a non-shell server, the chances of you needing to change something that affects bootup are minuscule. My Solaris servers have been running for 2 years straight. I don't bother to upgrade the kernel because: a) It's running stable, b) I don't need any of the bug fixes or new features, see "a", c) it's just a DNS server so no users log into it to exploit any local holes. I keep BIND up to date and that's it.

Re:Time for (even) better security? (1)

R.Caley (126968) | more than 9 years ago | (#11309197)

Personally, I make sure I know the answers to that sort of question before ANY changes are made to my production systems.

The time and manpower required to keep an exact mirror of each production system may be larger than the time and effort needed to test the production system.

Additionally, every production machine should be rebooted now and again to make sure it will come back in case of an unplanned reboot. Or, have you never had a machine which went down and then refused to come back because of a hardware issue (or just because you left a CD in the drive).

Re:Time for (even) better security? (4, Funny)

PacoTaco (577292) | more than 9 years ago | (#11309091)

I've always found an uptime of more than a few months tends to mean that sysadmin skills are seriously lacking.

Interesting. [netcraft.com]

Re:Time for (even) better security? (1)

pcmanjon (735165) | more than 9 years ago | (#11309000)

The biggest problem this poses is the PR to linux. If this news gets out big, corporate vendors will switch to some form of UNIX (sco, solaris, AIX) and Linux will be out of the business market.

That's really all that keeps Linux abuzz aside from hobbyists.

They really need to break out with these updates otherwise they'll get a worse rep on release times than Win too.

Re:Time for (even) better security? (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11309086)

why run an http:// server on an OS like Linux (or Windows for that matter) at all? Seriously.

These are kitchen sink OSes. Linux is more so than anything else. They're able to do all sorts of bizarre things. Now certainly, Linux is the most suitable OS for things like Beowulf clustering, but for simple web serving, why not use DOS? A simple OS for a simple task - fewer things to go wrong, it makes sense. How often is DOS going to go down on you?

Re:Time for (even) better security? (1)

afd8856 (700296) | more than 9 years ago | (#11309206)

Nice idea! Cool! Now if you could only help me with some binaries for apache, php and mysql it would be perfect! Will they run in freedos?

FUD (0, Flamebait)

mirko (198274) | more than 9 years ago | (#11308974)

Please, Slashdot, do not feed such trolls: I have yet to hear about some decently setup Linux server that would be *that* insecure.

Re:FUD (2, Insightful)

millahtime (710421) | more than 9 years ago | (#11308996)

You are referring to 'decent' linux setups. How many people have what you would refer to as a 'decent' linux setup? Windows could have a 'decent' security setup but most people don't go there. Linux needs the security to rock out of the box if it is to continue its mainstream growth without running into the problems windows has.

Re:FUD (1)

fishbot (301821) | more than 9 years ago | (#11309012)

Linux needs the security to rock out of the box if it is to continue its mainstream growth without running into the problems windows has.

I wonder how many insecure installations had a box to come out of? Very few, I would think. Those with RHE subscriptions and the like would be classed as 'out of the box', but admins installing because they prefer it are more likely to suffer these issues. No box required.

Re:FUD (0)

Anonymous Coward | more than 9 years ago | (#11309071)

You make a good argument. However, security and usability are almost always at odds with each other. To give an example:

My first installation of NetBSD was more secure than any base linux install I'd ever done. By default virtually every service was turned off. I had to manually go in and turn on sshd. I had to manually add myself to the wheel group to be able to SU to root. It argued with me if I tried to set any password that did not include both numbers and letters.

These are all obviously good security practices...and all things Linux doesn't do. As a result, I was much more frustrated, and spent a lot more time figuring out NetBSD, and getting it up and running and remotely admined.

Your average person has trouble jumping through the hoops of a SuSE or RH install. Dealing with the kinds of security practices that NetBSD uses would very possibly prevent them from installing the OS in the first place.

Windows has always put usability first, and this is the source of their security problems. It is very difficult for them to go back and half-assedly put security features into something that was never really meant to have them.

I guess there's always OSX. Easy enough for my grandma to use, yet fairly secure, and stable.

Re:FUD (1)

millahtime (710421) | more than 9 years ago | (#11309094)

You make a good argument about usability. The BSDs don't make it easy. They say, read the manual. I am a BSD guy more than a linux guy. Also, OS X has made it easy to turn on services rather than have them all on out of the box. In the settings with the check of a box you turn on or turn off services such as file sharing (samba), sshd, ftpd, etc.

Maybe linux needs to come up with an easy way to manage security. That is one of the apple things is that your system is a tool.... should be easy to use to do the things it needs to do and do it well. Linux has not adopted the easy to use part of that.

Re:FUD (1)

mirko (198274) | more than 9 years ago | (#11309106)

A decent Linux setup is, for instance, my Debian server which has been installed the following way:
  1. minimal install (command line)
  2. supplemental services paranoidly configured one after one.
  3. nightly apt-get update/upgrade from security.debian.org

Of course, if you just install a complete SuSe+X11.org on a server, you'd expose yourself to any of the flaws that each of its services might have.

Just be decent and do not install stuff:
  • you don't know
  • you don't need
  • that is not inspected by security experts

Linux is growing up! (-1, Redundant)

JamesBell (837714) | more than 9 years ago | (#11308975)

I for one welcome our new security hole overlords... does that work?

Interesting point of view (2, Interesting)

ChrisJones (23624) | more than 9 years ago | (#11308978)

but I don't really see much counterpoint. Anyone have URLs for where this has been discussed in some more depth?

Re:Interesting point of view (4, Informative)

IamTheRealMike (537420) | more than 9 years ago | (#11309009)

The bug mentioned in the LWN article was apparently not treated as serious by Andrew Morton and other developers on the grounds that there are far easier ways to DoS a system without using kernel exploits like that one. I don't know whether that's good or bad, but from debating things with various PaX guys myself I know they have a rather extreme approach to security (not something I'd ever give my grandma ...)

Re:Interesting point of view (0)

Anonymous Coward | more than 9 years ago | (#11309051)

Why the hell wouldn't you want your grandma to be secure you heartless bastard?

Re:Interesting point of view (1)

IamTheRealMike (537420) | more than 9 years ago | (#11309063)

Hah, if my grandmas actually used computers at all (they don't) I wouldn't want them to be running a system where apps might disappear at a moment's notice because they contravened the PaX developers' idea of what secure code is. PaX breaks/changes some pretty core APIs, and while you can disable it on a per-process basis how many people will be able to diagnose that? And if they can, what's the point of a security system you usually switch off when it triggers - warning fatigue anybody?

Let's ignore the fact that the PaX developers' idea of what is buggy/broken/insecure code is by no means widely accepted, and is quite a controversial debate all in itself.

Now don't get me wrong, PaX has its place, but that place isn't on my hypothetical relative's desktop at least not in its current form. I'll go with a weaker form of security that has fewer false positives and that doesn't require me to explain that they lost their work when they decided to use feature XYZ of their word processor for their own good ....

Re:Interesting point of view (1)

treerex (743007) | more than 9 years ago | (#11309107)

[...] on the grounds that there are far easier ways to DoS a system without using kernel exploits like that one.

That's a pretty specious argument --- even if there are easier ways, if people know how to do it then it will happen. This is little more than a corollary to "security through obfuscation" and is quite surprising coming from the Linux Deities.

Re:Interesting point of view (1)

IamTheRealMike (537420) | more than 9 years ago | (#11309126)

The "easy way" in this case is just allocating lots of memory pushing the box into swap hell. Hardly a secret.

Re:Interesting point of view (-1, Offtopic)

IamTheRealMike (537420) | more than 9 years ago | (#11309036)

Oh by the way, this is going to sound stupid but are you Chris Jones originally from Macclesfield? I couldn't help but notice you had a friend called "Jonathon Perkins", seemed a bit of a co-incidence ...

Re:Interesting point of view (0, Offtopic)

ChrisJones (23624) | more than 9 years ago | (#11309104)

'fraid not, I'm from sunny Brighton :)

Re:Interesting point of view (5, Informative)

10Ghz (453478) | more than 9 years ago | (#11309055)

Andrew Morton said [theaimsgroup.com]:

An unprivileged local user can DoS a Linux box to death with malloc and
memset, so the RLIMIT_MEMLOCK bug isn't particularly exceptional. All the
others require root anyway.

I'll pass this on to appropriate people, see if we can get this all fixed
up, thanks.
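
The quoted remark is about memory use by an unprivileged user that nothing bounds. As an added example (not from the thread, the kernel developers or any project named here), this C program shows one per-process control for that case: an address-space limit set with `setrlimit(RLIMIT_AS, ...)` makes an oversized `malloc` fail instead of being honoured. The function name `alloc_under_limit` and the 128/8/256 MiB sizes are assumptions chosen for illustration, and the behaviour shown is Linux's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Try to allocate and touch want_bytes inside a child process whose
 * address space is capped at limit_bytes (RLIMIT_AS).
 *
 * The limit is applied in a forked child so the caller's own limits are
 * never changed; a lowered hard limit cannot be raised again without
 * privilege, so it must not be set in a long-lived process by accident.
 *
 * Returns  1  allocation succeeded (request fits under the cap)
 *          0  allocation was refused (malloc returned NULL)
 *         -1  fork/setrlimit/wait error or abnormal child exit
 */
int alloc_under_limit(size_t limit_bytes, size_t want_bytes)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: soft and hard limit both set to the cap. */
        struct rlimit rl;
        rl.rlim_cur = (rlim_t)limit_bytes;
        rl.rlim_max = (rlim_t)limit_bytes;
        if (setrlimit(RLIMIT_AS, &rl) != 0)
            _exit(2);

        char *p = malloc(want_bytes);
        if (p == NULL)
            _exit(1);               /* refused: mmap/brk hit RLIMIT_AS */

        /* Touch every page so the memory is really committed, which is
         * the malloc + memset pattern the quoted remark describes. */
        memset(p, 0xA5, want_bytes);
        free(p);
        _exit(0);
    }

    /* Parent: translate the child's exit status. */
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;

    switch (WEXITSTATUS(status)) {
    case 0:  return 1;
    case 1:  return 0;
    default: return -1;
    }
}

int main(void)
{
    const size_t MiB = (size_t)1 << 20;
    const size_t cap = 128 * MiB;   /* constructed sample limit */

    printf("8 MiB under a 128 MiB cap:   %s\n",
           alloc_under_limit(cap, 8 * MiB) == 1 ? "allowed" : "not allowed");
    printf("256 MiB under a 128 MiB cap: %s\n",
           alloc_under_limit(cap, 256 * MiB) == 0 ? "refused" : "not refused");
    return 0;
}
```

The same cap can be applied to login sessions through the shell's `ulimit -v` or the `as` item in `/etc/security/limits.conf`; it bounds each process, not the total a user can consume across many processes.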

go microsoft (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11308979)

w00t first go microsoft!

GRSecurity (0, Flamebait)

Arghdee (813921) | more than 9 years ago | (#11308980)

Is this mob anything like Gibson Research? [grcsucks.com]
For our sakes I hope not...

Kind of an interesting contrast (5, Insightful)

aendeuryu (844048) | more than 9 years ago | (#11308987)

It's interesting to note that this comes out so recently after Linus was named one of IT's best managers. Lord knows he'd have to be to keep so many disgruntled people quelled. In the followup, somebody was citing as an excuse that Linus is one person and that there's only 24 hours in the day, so maybe some patches get missed. I was wondering, with all of the people he delegates to, isn't there somebody who handles all the security issues? Scroll down the LWN article, and somebody mentions that he needs a Kernel Security Officer, with no follow-up. Does Linus not have one of these guys yet?

Re:Kind of an interesting contrast (1)

zerocool^ (112121) | more than 9 years ago | (#11309064)

It becomes a question of cost (in time) versus benefits.

The people that are clamoring for this kind of extreme security are fringe factions. They know that if they want a posix environment with 007 grade military security, fedora core isn't what they should run. They're just raising a stink.

Not to mention that, as mentioned elsewhere, I think one of the "holes" mentioned is something that is able to be attacked by DDoS. Newsflash: there are a lot of things that are attackable by DDoS, and it isn't as critical to fix as, oh, I dunno, root-level exploits, or instability.

FUD.

~Wx

OK, if not Fedora Core.. (1)

valdis (160799) | more than 9 years ago | (#11309208)

What would you recommend, given that Fedora Core is where all the SELinux development (you know, the stuff the NSA did?) is going on at the moment?

So it begins. (5, Insightful)

Anonymous Coward | more than 9 years ago | (#11308994)

The trade off between security versus usability/accessibility begins?

Will Linux strike the perfect balance? Will Linux be taken over by a lunatic like Theo and go the OpenBSD route? Will Linux lose its virginity to Windows and become a security nightmare? Stay tuned! All this and more on the next episode of OS wars!

Re:So it begins. (1)

Tangwei (704210) | more than 9 years ago | (#11309050)

Here's where Linux needs to pucker up. Linux has had the n00b (yes n00b with two zeros) treatment for awhile just because Joe 6P hasn't played with it. Now that Open SW is becoming popular with the general public, the rats follow. The open source community needs to get the act together and figure out a course.. otherwise the drift wood that washes up on shore has more chance at becoming something than 20 different branches... Yes I'm drunk, but god damned I make more sense than some anti M$ buttbuddy.

Re:So it begins. (1)

Anonymous Brave Guy (457657) | more than 9 years ago | (#11309187)

The trade off between security versus usability/accessibility begins?

Perhaps. If it does, I'm betting heavily on the latter. A useful product with poor security has much more value than a secure product with poor usability.

linux vs ??? (1)

zxflash (773348) | more than 9 years ago | (#11309001)

ok it has some problems that need to be worked out... but what are the alternatives... is this story meant to cause people to say "OMG M$ was right better contact my local sales rep" or is the community slacking???

How about those OSs linux has always tried to be? (0)

Anonymous Coward | more than 9 years ago | (#11309005)

There are other unix implementations out there. Few of them suck as badly as linux does. Try one.

Re:How about those OSs linux has always tried to b (1)

zxflash (773348) | more than 9 years ago | (#11309020)

i wouldn't say linux sucks, quite the contrary unix may be a viable choice in some situations but the flexibility of linux is probably its greatest asset... being able to use the same distribution for your server, laptop, and desktop with various different configs is something that is quite admirable

Its quite normal too. (0)

Anonymous Coward | more than 9 years ago | (#11309032)

I use the same OS for my laptop and my servers. I can't use anything but windows for my desktop since it's for games. I would have the exact same situation if I used linux, only worse reliability and security, and constant upgrade hassles. KDE, or gnome, or xfce, or whatever you want works on unix in general, not just linux.

Re:How about those OSs linux has always tried to b (1)

thogard (43403) | more than 9 years ago | (#11309042)

Do you mean Solaris, which still has rpc bugs even though they have been fixed several times?

Their new svc stuff is great too since if you can hack the one file you can keep running external services and the sysadmin will never know. Nothing like binary files that are always getting rewritten that can be hacked. Thanks to the sun guys for replacing init with something more stupid than the windows registry.

Re:How about those OSs linux has always tried to b (0)

Anonymous Coward | more than 9 years ago | (#11309058)

FreeBSD, OpenBSD, NetBSD, OSX, AIX, Solaris, Tru64 and Irix all suck less than linux. Unixware and HP-UX suck more than linux. I am sure there are others I have not used.

Re:linux vs ??? (1, Insightful)

Anonymous Coward | more than 9 years ago | (#11309019)

You don't have to compare Linux to X,Y and Z to draw a conclusion. You can just look at Linux on its own and see that there are problems, and these need to be worked out. It doesn't matter how good the competition is, it's a battle with Linux itself, things need to be improved, that's the moral of the story.

Re:linux vs ??? (5, Informative)

Homology (639438) | more than 9 years ago | (#11309039)

ok it has some problems that need to be worked out... but what are the alternatives... is this story meant to cause people to say "OMG M$ was right better contact my local sales rep" or is the community slacking???

OpenBSD [openbsd.org] has implemented security [openbsd.org] similar to grsecurity. Note that this is part of OpenBSD operating system, so the user does not need to do anything to use it. Contrast this to grsecurity that is a set of patches against Linux kernel.

As far as I know, only Gentoo and Mandrake support grsecurity.

Brad just wants attention. (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11309011)

He is upset because he took a bunch of other people's work, put it together into pax, and desperately tries to get any attention he can. He's a troll, he's spent plenty of time trolling about openbsd having similar features to the ones he took from other projects, and now he's trolling linux too.

Gee, maybe I should run Novell... (2, Funny)

filesiteguy (695431) | more than 9 years ago | (#11309015)

...oh, wait - I AM running Novell Linux. Oops. Um, I should then run and hide in a closet?
Maybe I should implement security measures and have a good backup system?
Nah!
This kind of reminds me about all the people telling me you could die while driving a car - no s---, Sherlock! Use common sense.

Re:Gee, maybe I should run Novell... (0)

Anonymous Coward | more than 9 years ago | (#11309026)

unfortunately, common sense isn't very common...

And that won't help you at all. (0)

Anonymous Coward | more than 9 years ago | (#11309038)

Backups and non-specific "security measures" won't stop you from getting 0wn3d because of kernel holes. And don't dismiss local root exploits because you don't give out accounts. Tons of linux software is full of holes, and people don't care about those because "it doesn't run as root". It's easy to put the 2 together.

Here it comes (2, Insightful)

Tangwei (704210) | more than 9 years ago | (#11309027)

For years now people have been carrying the Linux flag due to the fact that it's "more secure than Windows"... guess what people.. time for being an unknown, unpopular OS is at hand... welcome to being known.

Re:Here it comes (0)

Anonymous Coward | more than 9 years ago | (#11309068)

Oh, bullcrap!

Look, the overreaction is precisely why security will never be as big a problem on Linux. People in the Linux development community take this security shit seriously. Microsoft just never cared!

Re:Here it comes (1)

Tangwei (704210) | more than 9 years ago | (#11309076)

That's why holes in the kernel have been allowed to go on as long as they have? The elitisme (yes I am drunk) of the OS have gone on long enough... time to play in the majors.

Re:Here it comes (4, Insightful)

I confirm I'm not a (720413) | more than 9 years ago | (#11309123)

holes in the kernel have been allowed to go on as long as they have?

Allowed to go as long as they have...by whom? By the volunteers devoting their time to kernel hacking? I'll give you the benefit of the doubt and assume you're an active kernel hacker...

You compared Linux to Windows in your original post: how many security holes in Windows still remain, years after they were first reported? (For that matter, how many holes are we still unaware of, because the source-code is closed?) Why have these security holes been allowed to go on as long as they have? (Answer: because resources are finite; and Microsoft has other things to focus on. Likewise for Linux. If you feel that too few resources are devoted to security in the kernel: volunteer. Or criticize and offer no helpful solutions. I choose option A).

Re:Here it comes (5, Interesting)

I confirm I'm not a (720413) | more than 9 years ago | (#11309095)

If I read you correctly you're saying that Linux's new-found popularity will cause lots of previously unknown security flaws to become evident. Do you believe either (a) Linux will ultimately have a similar number of security flaws as the Windows kernel, or (b) Linux will ultimately have a similar number of security flaws as Apache (an open-source, industry-leading application)?

What I'm getting at is: security through obscurity is largely regarded as flawed (outside military intelligence circles), and the open-source/free-software development model has - time and again - resulted in bugs being shallow (IIS is closed-source and buggy. Apache is open-source and - relatively - secure).

Every time - every time! - there's a security issue with Linux a troll pops up and says "ha! ha!" in their best Nelson Muntz voice: as if Linux was somehow perfect, but has now spectacularly fallen from grace. I don't know whether you're trolling as you don't really say much, and I found it difficult to understand much of what you did say, so my apologies if I'm way off base here, but...are you suggesting that Windows is "more secure than Linux", or what?

Re:Here it comes (0, Troll)

Tangwei (704210) | more than 9 years ago | (#11309165)

The problem with the current Linux community is that they want to be known. Troll am I not, but drunk ass mofo who loves open source and is a bit pissed off am I. The problem with security through obscurity is that it's exactly the course that people who code for Open Source are following. They think that because the free coding loving people are the only ones who inspect what they are doing, that little things like security trenches are ingsnfigant (fuck spelling, it just gets in the way) to the end result. Spin and really long words aside... all I am saying is that coders for open source need to realize that not only are their peers looking at what they do, but also those asswipes who want money too. Linux is getting too popular not to ignore the asswipes of the world.

Re:Here it comes (1)

I confirm I'm not a (720413) | more than 9 years ago | (#11309191)

The problem with the current Linux community is that they want to be known.

Nowt wrong with that, surely?

Troll am I not, but drunk ass mofo who loves open source and is a bit pissed off am I.

I hear you, brother! Apologies for the troll-slur.

The problem with security through obscurity is that it's exactly the course that people who code for Open Source are following. They think that because the free coding loving people are the only ones who inspect what they are doing, that little things like security trenches are ingsnfigant (fuck spelling, it just gets in the way) to the end result.

Well, I'm not sure how true that is. The BSDs, which are arguably true open-source (as opposed to free-software, which I personally prefer) have an enviable reputation for security exploits: holes in single digits almost! Maybe you're right about the people reviewing code; but surely that's now their fault - it's the fault of the people not reviewing code.

I take your point about the asswipes, but the asswipes need to contribute too.

By the way, "Troll am I not..." is one of the best lines I've seen on Slashdot! Love it! Angry Yoda become you on beer!

About security through obscurity (1)

Anonymous Brave Guy (457657) | more than 9 years ago | (#11309218)

What I'm getting at is: security through obscurity is largely regarded as flawed (outside military intelligence circles)

And who are the best people in the world at keeping information secure?

Security through obscurity is the first layer, nothing more, but nothing less either. If you open everything up, you have removed a layer of security. You need to be getting more than compensating advantages in your remaining layers as a result, or it wasn't a smart move. Time will tell which of these is really true of the OSS community's approach.

Re:Here it comes (1, Insightful)

Anonymous Coward | more than 9 years ago | (#11309222)

So what you're saying is that the Linux community can dish it out, but they can't take it?

New Windows security flaw -- "Sigh, another bug. Use Linux, Windows is insecure."

New Linux security flaw -- "Well, um, you ignorant troll, all software has bugs, and most have more than Linux."

Microsoft? (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11309041)

Was microsoft right all along? Is the most secure operating system out there Windows XP running Service Pack 2? If this is so... I welcome our new operating system over... SCREW THAT, WHERE'S MY GUN!

Re:Microsoft? (5, Interesting)

TheRaven64 (641858) | more than 9 years ago | (#11309100)

I wouldn't be surprised if Linux is less secure than the NT kernel. NT has much finer grained access control than Linux (although not if you include SELinux), and I haven't heard anything about kernel exploits in Windows for a while (although this may be because I haven't been paying attention). The problem with Windows is all of the cruft on top of the kernel that doesn't need to be run with administrator privileges, but is, and is full of security holes.

Re:Microsoft? (1)

Spy Handler (822350) | more than 9 years ago | (#11309204)

I read somewhere that NT 4.0 was certified Dept of Defense Secure Platform.... but only if you didn't connect it to a network.

Re:Microsoft? (2, Interesting)

Anonymous Coward | more than 9 years ago | (#11309211)

Fine grain control != more secure.

Fine grain control doesn't really have much to do with the kernel.

What SELinux is is Mandatory Access Controls. Or MAC

What the standard Unix (and Windows) model is discretionary access control.

What this means is that your access is based on your UID and GUID. If you have permission or not to access a file.

Mandatory Access control allows you to control access based on BEHAVIOR and other criteria.

So say you're an idiot and run Apache webserver as root. If your Apache server gets attacked and successfully compromised then if you only have DAC permissions then your system is laid wide open for attackers.

If you do the same thing with a MAC setup then even if they compromise Apache and get root then they still can't do jack shit because you have the Apache process set up to only allow certain behaviors necessary to operate itself; all other access is denied and it doesn't matter if you have a UID of 0.

You can set it up so that if you log in as root through SSH you have different access controls than when you log in through a local virtual console or use SU to obtain it.

Windows doesn't have anything that comes close to this sort of thing.

As for the ACLs that Windows uses, Linux has those in the form of POSIX-compatible ACLs.

Most distros support this, but it's disabled by default.

Why?

Because it's not needed. Finer grain = more likely to fuck up.

90% of the time when a person thinks they need it, they simply aren't being creative enough to figure out a better solution.

If you're smart enough to get to the point where you really need it then you know how to turn it on, and it's very simple. Basically it amounts to a -o remount and a couple other options.

Fedora Core 3 uses SELinux by default. The Grsecurity complaints about the LSM are misguided and obsolete; it already has been used to allow things like low-latency sound server JACK setup for audio workstations and other purposes that wouldn't be possible.

This article is CRAP. It's a troll pure and simple and a way to stir up bullshit.

Linux actually has a pretty decent track record and the lack of a 2.7 development kernel wouldn't have stopped this latest flaw because it was something that existed since before 2.4 (where there always has been a development kernel).

Linux has its security issues, always has. OpenBSD is what you use when you want something deadly secure, but it's 10x better than anything coming out of the Windows world.

That's why people say that "Linux is more secure", not "Linux is the most secure OS ever made and will never have any security issues whatsoever"

This Grsecurity has provided a useful service in reporting bugs, but this isn't the first time that he has tried to drum up controversy. First time was threatening to take Grsecurity down because of lack of support, then the SELinux crap, and now that Linus doesn't respond to crappily labeled e-mails.

Linus gets LOTS of e-mail. It's just something that got lost in the shuffle. There are people that are in charge of this sort of thing and Grsecurity should have contacted them in order to get the issue resolved quickly.

It would be like emailing billg@microsoft.com to report a bug in Windows.

Before this there was a spat over Linus disabling the ability for people to access the SCSI stuff through setuid.

This disabled the ability to burn cds as a user using certain programs.

This was done for security reasons and people bitched and moaned how Linus + friends cared too much about security and didn't give a shit that Linux would lose users because now they have to use sudo to burn CDs.

Basically.

It's blowing a problem out of proportion.
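The DAC-versus-MAC argument in the comment above, modelled as an added example (it is not part of the original comment and is not SELinux's real policy syntax or API). The label names, the policy table and the `login_domain` helper are assumptions made for illustration.

```python
"""Toy model: discretionary (uid/mode) checks versus mandatory (label) checks."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset
    domain: str          # MAC label of the process (illustrative name)


@dataclass(frozen=True)
class File:
    path: str
    owner: int
    group: int
    mode: int            # classic rwx bits, e.g. 0o600
    ftype: str           # MAC label of the object (illustrative name)


PERM_BITS = {"read": 4, "write": 2, "execute": 1}

# Allow rules in the spirit of type enforcement: (process domain, object type)
# -> operations. Anything not listed is denied, whatever the uid.
POLICY = {
    ("httpd_t", "httpd_content_t"): {"read"},
    ("httpd_t", "httpd_log_t"): {"write"},
    ("sysadm_t", "shadow_t"): {"read", "write"},
    ("sysadm_t", "httpd_content_t"): {"read", "write"},
    ("remote_admin_t", "httpd_content_t"): {"read", "write"},
}


def dac_allows(proc, f, perm):
    """Discretionary check. Simplified: uid 0 bypasses the mode bits entirely."""
    if proc.uid == 0:
        return True
    bit = PERM_BITS[perm]
    if proc.uid == f.owner:
        return bool((f.mode >> 6) & bit)
    if f.group in proc.gids:
        return bool((f.mode >> 3) & bit)
    return bool(f.mode & bit)


def mac_allows(proc, f, perm):
    """Mandatory check: default deny, decided by labels, never by uid."""
    return perm in POLICY.get((proc.domain, f.ftype), set())


def access(proc, f, perm, mac_enabled=True):
    """MAC is an extra gate behind DAC; it can only remove access."""
    if not dac_allows(proc, f, perm):
        return False
    return mac_allows(proc, f, perm) if mac_enabled else True


def login_domain(channel):
    """Hypothetical mapping: the same uid 0 gets a different domain per login path."""
    return {"console": "sysadm_t", "ssh": "remote_admin_t"}[channel]


ROOT_GIDS = frozenset({0})
SHADOW = File("/etc/shadow", 0, 0, 0o600, "shadow_t")
PAGE = File("/var/www/index.html", 0, 0, 0o644, "httpd_content_t")
# Constructed scenario from the comment: Apache running as root, then taken over.
APACHE_AS_ROOT = Process(0, ROOT_GIDS, "httpd_t")


def demo():
    ssh_root = Process(0, ROOT_GIDS, login_domain("ssh"))
    console_root = Process(0, ROOT_GIDS, login_domain("console"))
    user_in_admin_domain = Process(1000, frozenset({1000}), "sysadm_t")
    return {
        "dac_only_apache_reads_shadow": access(APACHE_AS_ROOT, SHADOW, "read", mac_enabled=False),
        "mac_apache_reads_shadow": access(APACHE_AS_ROOT, SHADOW, "read"),
        "mac_apache_reads_page": access(APACHE_AS_ROOT, PAGE, "read"),
        "mac_apache_defaces_page": access(APACHE_AS_ROOT, PAGE, "write"),
        "ssh_root_reads_shadow": access(ssh_root, SHADOW, "read"),
        "console_root_reads_shadow": access(console_root, SHADOW, "read"),
        "uid1000_blocked_by_dac": access(user_in_admin_domain, SHADOW, "read"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:32} {'ALLOW' if allowed else 'DENY'}")
```

The last case shows the layering: a permissive label does not override the mode bits, so MAC only ever narrows what DAC already permits.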

Bugtraq rulez. (0)

Anonymous Coward | more than 9 years ago | (#11309047)

3 weeks is a sufficient amount of time to be able to expect even a reply about a given vulnerability. A patch for the vulnerability was attached to the mails, and in the PaX team's mails, a working exploit as well. Private notification of vulnerabilities is a privilege, and when that privilege is abused by not responding promptly, it deserves to be revoked.

If that account is accurate this incident at best indicates bad process and ineptitude thought to be exclusive to large corporate vendors.

Maybe it's time... (5, Insightful)

Jace of Fuse! (72042) | more than 9 years ago | (#11309060)

Maybe it's time everybody get off of their OS Religious High Horse and finally admitted that an OS is only as stable and secure as the user who is administering it.

My Windows XP machine is solid and secure. My FreeBSD machine is solid and secure. My Windows ME machine -- well -- it runs, and it's quarantined so I suppose in some ways it's secure.

Right now I'm installing Gentoo on a box so I'm going to see where this goes, but I am going into it with full realization that no OS is perfect, nor is it perfectly secure. This means that I'm going to take security as seriously with this machine as I do the rest of them.

Having the source to an OS doesn't make it more secure if you don't read (or understand) every line of it.

Why people think OSS is automatically more secure is something I never have really understood. There is some added comfort in knowing that most holes will be discovered and fixed promptly, but even that is an assumption one shouldn't bank on.

Re:Maybe it's time... (0)

Anonymous Coward | more than 9 years ago | (#11309114)

Maybe it's time everybody get off of their OS Religious High Horse and finally admitted that an OS is only as stable and secure as the user who is administering it.

You know this is /.? Microsoft=evil; Linux=good.

If a fraction of the effort used here bashing Microsoft (hello! preaching to the converted!) was spent creating an alternative imagine what might happen.

If you don't believe this just wait for the next duplicate story post. How many posts of "This story is a dupe"; "Your dupe post is a dupe"; "I, for one, welcome our duplicate posting overlords", etc. do we actually need?

Re:Maybe it's time... (4, Insightful)

I confirm I'm not a (720413) | more than 9 years ago | (#11309152)

I pretty much agree with you, but... (!)

Having the source to an OS doesn't make it more secure if you don't read (or understand) every line of it. (my emphasis)

Having the source available for anyone to read can lead to the OS (app, library, whatever) being more secure. Assuming that a wide-enough group of people do actually read the code. I'm confident that this happens with Linux, the *BSDs, etc.

Most people tend to equate OSS with secure, I'd guess, because security-through-obscurity is largely a false promise, and we recall that many-eyes-make-bugs-shallow. Both concepts that appeal to the type of geeks who are interested in security ;)

You are wrong (0)

Anonymous Coward | more than 9 years ago | (#11309238)

There are many sorts of security. The security you are talking about is
- Being secure from kiddies, non-professionals
- Being secure from known vulnerabilities

The point in Grsecurity is to get full or at least constraining fixes for
- The previously unknown userland problems
- What professionals could do to you

In such both Windows and upstream Linux are not REALLY secure. They are if administered properly secure against the lowest levels of threats. There is better...

Grsecurity is for real (4, Insightful)

Anonymous Coward | more than 9 years ago | (#11309065)

Grsecurity guys (Brad and the pax guy mostly) are dead serious. They have been researching their areas of memory management, protection and secure code for years. They really do know it pretty much all. For instance the "AMD NX protection!!!!" that the Redhat raved about was copied from Pax. (Without even crediting properly.)

They are just the sort of real gurus that can spot new vulnerabilities from code and exploit them in a matter of minutes. When Grsecurity was having serious funding problems last summer Brad was forced to sell new vulnerabilities from Linux kernel code to unmentioned blackhat companies. (Those do exist, believe me. They are doing commercial intelligence, stealing trade secrets with the knowledge..)

Those guys are technically brilliant, years ahead of what Linux stock kernel has in security features. They are just a bit arrogant and bad with people. Also at the same moment the upstream kernel developers don't like being told that their stuff is complete crap on some area. They downplay it, ignore and use the "whoareyou,Iamthekerneldeveloper,youknownothing" tactic.

Grsecurity guys could absolutely smash LSM by showing the vulnerabilities they are talking about as pocs. They are just a bit too disgusted and pissed off. There are several other areas like the exec_shield (that *is* atm getting to upstream kernel) that have big faults as well...

They could prove their other points as well.. But it would be moot since they ARE correct in any case.

Re:Grsecurity is for real (0)

Anonymous Coward | more than 9 years ago | (#11309098)

Grsecurity wins because it is clean and manageable. SELinux works too, but compared to Grsecurity, it is a complicated, hard to manage, fragile, bureaucratic nightmare. Grsecurity is easier to modify and administer. SELinux is so unwieldy that Fedora has to ship a bare bones SELinux policy called "targeted" which essentially does nothing to secure an ordinary workstation.

Grsecurity was designed for the real needs of users. SELinux was designed for the needs of theoretical white papers and government bureaucracies. It takes months of practice and tweaking to barely come up to speed on SELinux. On the other hand, a user can start to feel comfortable administering Grsecurity in only a few days.

Misunderstanding of words (1)

Assassin_for_Atari (691252) | more than 9 years ago | (#11309073)

So when does "better security" mean "100% unbreakable"? Let's face the facts here, Linux is great but it does have leaks. Does that mean I'm worried about it... not really. Why? 'Cause there is a community that works to help patch such things. Better to fix an issue than know about it and leave it be *cough*microsoft*cough*.

Re:Misunderstanding of words (1)

mccalli (323026) | more than 9 years ago | (#11309082)

Let's face the facts here, Linux is great but it does have leaks. Does that mean I'm worried about it... not really. Why? 'Cause there is a community that works to help patch such things.

What is being argued is that the community is not working to patch such things. Whether that's true or not is the debate at hand.

Better to fix an issue than know about it and leave it be *cough*microsoft*cough*.

A hilarious dig at Microsoft. Reread the article - they are stating that the Linux kernel people know about the vulnerabilities and are leaving it be.

Cheers,
Ian

Re:Misunderstanding of words (0, Troll)

Tangwei (704210) | more than 9 years ago | (#11309101)

Where M$ disregards problems as "product enhancements", Open Source people regard them as "Someone Else's Problem". It's time for people to grow up, and realize that David and Goliath are not just some Cnet article, but real fu*cking life.

Re:Misunderstanding of words (1)

pavera (320634) | more than 9 years ago | (#11309113)

Furthermore...
in all of these exploits I don't see a single one that is remotely exploitable. If you give a user access to a system, presumably you have some hold over him (employee, service contract, etc). If someone breaks a username/password, good job... but hey, why not try to just break into root...

This isn't to say that local exploits aren't bad, or that they shouldn't be fixed, I've just always assumed that if someone has local access, they have root. There are entirely too many programs that can be exploited, too many avenues of attack... Give as few people as possible shell access, and make sure you trust the ones you give it to (or can sue them if you don't), and enforce hard passwords.

Re:Misunderstanding of words (1)

Lord Bitman (95493) | more than 9 years ago | (#11309150)

"local exploit" means "you need to take advantage of an exploit in some other program which will give you unprivileged remote access before you can take advantage of this bug"

I always wonder if the same people who say "it's not a remote exploit, who cares?" are the same people who say "it's not a root exploit, who cares?"

Re:Misunderstanding of words (1)

fostware (551290) | more than 9 years ago | (#11309213)

Combine this with one sendmail or apache remote exploit (to get to run as nobody / apache / www) and you have a remote exploit to root. All these little exploits become useful at some time.

"The weakest link in the chain" quote is something to live by.

Get over it (1, Funny)

Anonymous Coward | more than 9 years ago | (#11309081)

Linux is the contender for replacing Windows on servers. Windows gives a notoriously low standard of security, which companies are still willing to pour $$$ into. Even Linux's bad security is good in comparison. Coupled with hardware firewalls, I feel completely confident leaving my Linux server accessible by a Wireless network.

Re:Get over it (1)

Zonnald (182951) | more than 9 years ago | (#11309142)

I get the same comfort level knowing that my Windows platform is behind hardware firewall.

distro with grsecurity (2, Interesting)

UnderAttack (311872) | more than 9 years ago | (#11309085)

Are there any distros out that include GRSecurity? I use it on all my 2.4 kernel boxes with great success and just started using it on production 2.6 systems. Overall, I find it to be very stable, and a very worth while extra layer of protection even without using the role based ACLs.

Re:distro with grsecurity (1)

Library Spoff (582122) | more than 9 years ago | (#11309103)

I think Ubuntu does, but I could be wrong....

Gentoo (1)

brunes69 (86786) | more than 9 years ago | (#11309109)

emerge sys-kernel/grsec-sources

Ok, so where are the patches? (2, Interesting)

menscher (597856) | more than 9 years ago | (#11309120)

It's now been several days since the uselib() kernel exploit was posted and reports started to trickle in that it works. But there is no patch from the RedHat (or any other vendor, from what I've seen). What gives? Anyone got the inside scoop on what these vendors are saying on vendor-sec?

The fact that it doesn't even show up in bugzilla makes me think it's still under embargo for some reason. Shouldn't the leak be sufficient reason to change their timeline? For those of us running production servers, this waiting game is more than a little inconvenient.

On a side note, from what I've seen, the exploit has only been demonstrated on uniprocessor 2.4 kernels. Anyone get it to work on an SMP kernel, or a 2.6 kernel?

Re:Ok, so where are the patches? (2, Informative)

inode_buddha (576844) | more than 9 years ago | (#11309133)

Yes, there are patches for it. Check out the -ac branch, or read up on it at kerneltrap.org and follow the links.

Re:Ok, so where are the patches? (3, Informative)

IamTheRealMike (537420) | more than 9 years ago | (#11309141)

It was fixed in Linus' upstream kernel either yesterday or the day before, I forget which.

Re:Ok, so where are the patches? (0)

Anonymous Coward | more than 9 years ago | (#11309240)

It's Open Source!! You get to write the patch yourself!!

It's all too political (4, Insightful)

m50d (797211) | more than 9 years ago | (#11309127)

With 2.6 there seems to be a bad trend towards far too much politics in the kernel. The cdrecord problems and reiser4 business (did that ever get sorted out?) together with the IMO stupid policy of putting new features in the stable branch (making deciding whether a feature can be added much harder, since it needs to be that much more stable and necessary before it can be added, but often you can't prove it's necessary without having some kernel branch running with it in) all smack of too much politics. Why can't people just concentrate on making the best kernel possible?

CHARLIE BROWN SAYS... (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11309131)

.-'& '-.
/ \ ...LINUX FUCKING SUX!!
: o o ;
( (_ ) WHEN WILL YOU LOSERS
: ; UNDERSTAND!!!
\ __ /
`-._____.-'
/`"""`\
/ , \
/|/\/\/\ _\
(_|/\/\/\\__)
|_______|
__)_ |_ (__
(_____|_____)

Start over, basing on OpenBSD for a change... (5, Insightful)

ivi (126837) | more than 9 years ago | (#11309137)


Long-time shell-provider SDF used Linux ...until they got hacked into.

Now, it's a 64-bit version of NetBSD.

OpenBSD claims:

"Only one remote hole in the default install,
in more than 8 years!"

Why not start with a core built for security,
- ie, rather than one built for popularity?

My two cents...

Re:Start over, basing on OpenBSD for a change... (0)

Anonymous Coward | more than 9 years ago | (#11309159)

How long ago was that? SDF have been running NetBSD for a long time.

Wrong Recipient? (3, Interesting)

z0ink (572154) | more than 9 years ago | (#11309139)

According to LWN the advisories were sent to Linus Torvalds and Andrew Morton themselves. I'll admit that I don't know jack about the inner-workings of Linux Kernel development, but one would think that something of that nature would go out to the person in charge of security related issues or even out to the distributions to get a fix circulating. I could be dead wrong and maybe Linus is just the only guy running the show and decides when he'll spend some of his time patching the kernel. This also seems as a sort of public way of the author expressing his disdain towards Linux security and as a sort of publicity for his own system. Maybe I'm just too much of a cynic, but things aren't all they are cracked up to be. Please note that I am not saying that there isn't some sort of responsibility there, but that this seems overly hostile.

Wait a minute. What? (1)

Corellon Larethian (833606) | more than 9 years ago | (#11309155)

Though LSM can be disabled in the vanilla kernel to allow the system to work functionally as it did in 2.4, all linux distributions will most likely be enabling it in their kernels. The mere existence of a security framework is not going to urge more users to use Trusted OS components in their kernels.

I was just cruising down through the article, until I came across this one.

Patches are in -ac7 (1)

PeterBrett (780946) | more than 9 years ago | (#11309179)

Alan Cox has applied the patches to his tree: Google linux.kernel archive [google.com] .

So maybe being obnoxious has got GRSecurity some attention.

Waaah! 3 weeks without an answer! (4, Insightful)

Tsu Dho Nimh (663417) | more than 9 years ago | (#11309182)

From the grsecurity page: "my personal gripe is that for 3 weeks not a single acknowledgement arrived in my mailbox, i don't think that's the way the chief developers are supposed to handle security issues (however small or irrelevant they may have been in this case - it takes a one liner to tell us so)."

So ... rather than ask on the mailing list who is the best person for security submissions relating to whatever bug he found, he emails the top dude (during Christmas holidays no less) and then whines when no answer is forthcoming within his preferred timeline. Gimme a break!

As a total noob, I went to kernel.org and found this on the first page:
Please see http://www.kernel.org/pub/linux/docs/lkml/reporting-bugs.html if you want to report a Linux kernel bug.

http://www.tux.org/lkml/#ss5 explains why XX doesn't answer emails - too fricking busy is the usual reason.

If I were concerned about publishing the bug, I would have asked ON THE LKML LIST for who would be the best person to submit security-related bug and patch to for the XX module.

Whoever doesn't want to read all... (1)

Vo0k (760020) | more than 9 years ago | (#11309203)

here's the essence of the gripe:
(Posted Jan 10, 2005 11:26 UTC (Mon) by guest PaXTeam) (Post reply)

lots of speculation so let's see the actual timeline a bit. spender emailed Linus sometime early december about the few issues he had found. he also mentioned some of the fixes that were in PaX, the result of one of them was this commit: http://linux.bkbits.net:8080/linux-2.6/cset@41bc90 0azV2y9... . understand please that we (well, spender at least) already had had a working two-way email connection with Linus. during the holidays i had finally time to work on the forward port of PaX (last supported version was 2.6.7) and that's when i realized the change in status of the expand_down() bug as since 2.6.9 it became exploitable by unprivileged users as well. so i emailed Linus about it (of the importance, not the bug itself, he had already known about it from spender, although he had never replied back on that one). one week later, which is early this year i resent the mail to Linus and Andrew as well, and the next day spender forwarded the mail himself to them (as i said, he had a known working email route to Linus at least). nothing happened except spender was preparing the next grsecurity release and it became more and more urgent to get some feedback on these issues. we were considering emailing Alan Cox (the week of waiting allotted to Andrew as well wasn't over yet) when the uselib() exploit suddenly hit the net and everyone entered forced release mode, we couldn't delay it either.

now that you know some background, tell me again, 1. how much more we should have waited, 2. why we shouldn't have contacted Linus/Andrew in the first place, 3. why we should have contacted Alan first (who is explicitly not the security contact anymore), 4. why we should have contacted a VM hacker first (none of whom is a security contact either, not even for their respective employer, let alone linux/VM in general).

see, i've been in the security industry for some number of years now, and i know quite well what best practices are (everyone's got his own, but there're some common elements):

rule 1: you contact the explicit security contact first. for linux this used to be Alan himself, nowadays it's vendor-sec (yes, that means you're not supposed to deal with individual distros, that's why vendor-sec was established in the first place). except they proved to be unreliable, not to mention that it's *impossible* to contact them in a secure way (they don't have a PGP key).

rule 2: short of such a security contact, you begin contacting the 'people in control', from top to down, not the other way around. for companies that's relevant because the chain of control also represents the chain of responsibility. you can argue that open source/free software projects are free of chain of control, but they're not free of responsibility. i believed and still believe that we did the right thing when we began contacting Linus, then Andrew and were about to contact Alan when external events intervened.

> THAT is why there is all this maintainers/lieutenants business.

except the VM has no explicitly listed maintainer. but yes, i can guess who the main contributors are, but that doesn't make them a security contact (remember, we only wanted to get feedback, be told what to do next, and *not* to force Linus or anyone to actually manage the issue). it makes them the right person to actually fix the bug, but that's only the second step after the initial contact.

> PaxTeam isn't subscribed to LKML. Why? Because "there's too much"?

correct, i have a day job (unrelated to linux), family and friends, i can't handle that email load (and there's more in my world than lkml). i don't know where you got that i didn't like lkml, if i wasn't sympathetic to linux, i would have posted everything to bugtraq a month ago (contrast that to the recent DJB case).

> And that fact that it claims to report a security vulnerability is quite
> likely to get it classified as "crying wolf"

i provided a proof of concept exploit (which you would know if you had actually read the announcement and posts here).

Patches are here (3, Informative)

inode_buddha (576844) | more than 9 years ago | (#11309225)

>Hi all,
>Is there a patch to uselib() bug ->
>> http://www.isec.pl/vulnerabilities/isec-0021-uselib.txt ?

Date: Sun, 09 Jan 2005 17:28:35 +0100
From: Henrik Persson
To: Breno Silva Pinto
Cc: linux-kernel@vger.kernel.org
Subject: Re: patch to uselib()

It's patched in 2.4.29-rc1 and 2.6.10-ac6. A patch for 2.4 can also be found here:
http://marc.theaimsgroup.com/?l=linux-kernel&m=110514006004261&w=2

and for 2.6:
http://marc.theaimsgroup.com/?l=linux-kernel&m=110512844202355&w=2

Browsing the archives usually gives you a lot of answers, you know. ;)

----------------
Cut-n-pasted from the LKML