
Security-enhanced Linux distro can rebuild itself

iago-vL (760581) writes | more than 4 years ago


iago-vL (760581) writes "Last week, the Openwall Project released the latest build of Openwall GNU/*/Linux (Owl for short) (announcement). This distribution, which has the ability to completely rebuild itself from source, is designed from the ground up to be secure. From source code audits of critical components to advanced privilege separation, secure defaults, and integration of OpenVZ container-based virtualization, Owl makes a great server platform!"

3 comments

Can it also fix bugs? (1)

newsblaze (894675) | more than 4 years ago | (#30286116)

Can it also fix bugs and patch itself? Something just feels wrong about that!

We fix bugs. Owl mitigates many of the rest. (1)

solardiz (817136) | more than 4 years ago | (#30289104)

You must be alluding to this story's title. It actually mentions two distinct properties of Owl, our focus on security (more on it below) and our inclusion of a complete build environment and full source code (even on our live+installable CDs, which also include all of the binary packages - yes, it is possible to rebuild from source even while CD-booted should you want to for some weird reason - we sometimes use this as a stress test).

We have a policy to audit certain security-critical portions of code in software that we're about to include into Owl, and we fix whatever issues we find. (We also submit our patches upstream and share them with other distros. You're likely currently running software with our fixes even if you have never heard of our project - e.g., do you use xinetd or OpenSSH?) And we make sure the programs will normally not be run with excessive privileges; quite often, this involves minor re-design of the program to introduce privilege reduction (e.g., syslogd, klogd, crontab/crond, Nmap) or privilege separation (e.g., telnetd).

As to third-party software that one might install on top of Owl, we include some security hardening measures that will mitigate the impact of many security bugs. This includes pam_mktemp, which will create per-user $TMPDIR on login (or on cron job startup, for that matter), and "transparent" modifications to many system libraries (starting with glibc). More importantly, the Owl userland separates Unix (pseudo-)users to a greater extent than many other Linux distros do. We got rid of almost all SUID programs, which would pose a risk of "local" attacks (only "ping" remains for now, and you can "control ping restricted" to limit its use to root). If you run the additional programs under separate accounts (e.g., a user runs an IRC client, or you run an IRC server under a dedicated pseudo-user account), then your risk of having a possible compromise propagate to other accounts is lower than it would be with typical Linux distros.

Finally, there are OpenVZ containers for even greater separation. A real-world example: several instances of DokuWiki "live" in the same container (separate Apache virtual hosts and Unix accounts). This container has Apache, PHP, DokuWiki on top of the Owl userland. Another website, not requiring PHP, is placed into another container on the same server. No PHP, no DokuWiki in that container, thus lower risk from those. For a "mail server", a third container may be created, maybe with no added programs (Postfix, popa3d, procmail, Mutt, mailx are a part of Owl) or maybe with some mail-specific ones.

Now what's that, a serious write-up in response to a sarcastic comment? Whatever.
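The comment above argues that removing almost every SUID program shrinks the local attack surface. The script below is an added example (not Owl's code and not from any poster here) that inventories set-user-ID and set-group-ID executables on a host so an administrator can check how close a system is to that goal; it assumes only POSIX sh and find(1), and builds a constructed sample tree so it can be run offline.

```shell
#!/bin/sh
# Added example: inventory of SUID/SGID executables, the class of binaries the
# comment above says Owl removes almost entirely. Not part of the Owl project.
# Assumes POSIX sh and find(1); paths in the sample tree are constructed.

# Print every SUID or SGID regular file under a directory, one path per line.
# -xdev keeps the walk on one filesystem so /proc and network mounts are skipped.
list_setid() {
    dir="${1:-/}"
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Number of SUID/SGID files; a smaller count means fewer local privilege
# boundaries that a bug in one of these programs could cross.
count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: three executables, one SUID (ping, the only SUID
# program the comment says remains in Owl), one SGID, one plain.
make_sample_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/bin" "$root/sbin"
    for f in bin/ping bin/plain sbin/mount; do
        : > "$root/$f"
        chmod 0755 "$root/$f"
    done
    chmod u+s "$root/bin/ping"    # set-user-ID
    chmod g+s "$root/sbin/mount"  # set-group-ID
    printf '%s\n' "$root"
}

# Stand-alone usage: audit the sample tree, then the real system if asked to.
if [ "${1:-}" = "--demo" ]; then
    sample="$(make_sample_tree)"
    echo "SUID/SGID files in sample tree ($(count_setid "$sample")):"
    list_setid "$sample"
    rm -rf "$sample"
elif [ -n "${1:-}" ]; then
    list_setid "$1"
fi
```

Run it as `sh setid_audit.sh /` to list what a real host still carries; each entry is a candidate for the kind of privilege-reduction redesign the comment describes.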

Re:We fix bugs. Owl mitigates many of the rest. (1)

newsblaze (894675) | more than 4 years ago | (#30291558)

Serious stuff, thanks. Good thing about the SUIDs.