Comments


Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing

gm.outside Re:slashdot sucks (122 comments)

Yep, tracking new messages here is a torture... I wish there was a mode to see just new messages since the last visit.

more than 3 years ago

Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing

gm.outside Re:Openwall site (122 comments)

Wanna volunteer? :) Seriously, we wanted to update the site a long time ago, but we are not good at web design and our team is too small and quite busy to spend time on something we aren't good at. From the pure technical point of view, the site provides all the necessary information we wanted it to provide. True, there are no whistles and bells, but every bit of info is there. We would appreciate any help with making our site better!

more than 3 years ago

Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing

gm.outside Re:Dropping SUID doesn't improve security (122 comments)

Well, why do you want to expose a system to a risk in the first place if you can simply avoid it? There are too many vectors of attack on a transition from a non-privileged account to a more privileged one. BTW, the non-privileged account is there for a reason - to do regular stuff on a day-to-day basis, this also means that they are likely to be accessed from untrusted places (e.g. internet cafes, other people's computers, etc.). The risk of leaking credentials for such an unprivileged account is quite high. Re: immutable/append-only flags -- you are obviously wrong, chattr -i and chattr -a are your friends to remove these flags in a normal multi-user runlevel, indeed, you need to be root to do it, though.

more than 3 years ago

Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing

gm.outside Re:/bin/su isn't SUID?! (122 comments)

If you can't su or sudo, how you get anything done?

This depends on the task. If you are a local user and need root powers - switch your console to a fresh one and log in as root. If you were talking about getting root powers on a remote host, the best practice is to ssh as root directly (given that you are behind a trusted terminal).

more than 3 years ago

Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing

gm.outside Re:/bin/su isn't SUID?! (122 comments)

Basically if you exploit something with 'shadow' (i.e. passwd) you add a root user account to /etc/passwd and su to it.

This is not true. You can't do anything like this even if you acquire the shadow membership:

server!galaxy:~$ ls -ld /etc/passwd /etc/tcb
-rw-r--r-- 1 root root 3956 2010-06-03 21:08 /etc/passwd
drwx--x--- 99 root shadow 4096 2010-06-03 21:08 /etc/tcb
server!galaxy:~$

and the structure under /etc/tcb/ is also not writable to shadow:

server!root:~# ls -ld /etc/tcb /etc/tcb/galaxy
drwx--x--- 99 root shadow 4096 2010-06-03 21:08 /etc/tcb
drwx--s--- 2 galaxy auth 4096 2009-10-24 04:44 /etc/tcb/galaxy
server!root:~#

Re: crontab -- good luck with hijacking crontab on Owl :). The code was carefully audited for security issues and was hardened against possible abuses.

more than 3 years ago
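
The two listings in the comment above can be checked mechanically. This is an added example, not part of the comment and not Owl's code: it parses the `ls -ld` lines exactly as posted and applies the classic owner/group/other check for a non-root process (no ACLs or capabilities are modelled). The `nobody` account standing in for a compromised process that holds the `shadow` group is an assumption.

```python
import stat

# Listing lines copied from the comment above (shell prompts stripped).
LISTING = """\
-rw-r--r-- 1 root root 3956 2010-06-03 21:08 /etc/passwd
drwx--x--- 99 root shadow 4096 2010-06-03 21:08 /etc/tcb
drwx--s--- 2 galaxy auth 4096 2009-10-24 04:44 /etc/tcb/galaxy
"""

def parse_mode(s):
    """Turn an ls mode string such as 'drwx--s---' into permission bits."""
    bits = 0
    masks = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
             stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
             stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
    special = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
    for i, ch in enumerate(s[1:10]):
        if ch in "rwx":
            bits |= masks[i]
        elif ch in "st":      # special bit set, execute bit also set
            bits |= masks[i] | special[i]
        elif ch in "ST":      # special bit set, execute bit clear
            bits |= special[i]
    return bits

def parse_listing(text):
    """Map each path in the listing to its mode bits, owner and group."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        entries[f[-1]] = {"mode": parse_mode(f[0]), "owner": f[2], "group": f[3]}
    return entries

def access(entry, user, groups):
    """Unix check for a non-root process: owner triad, else group, else other."""
    shift = 6 if user == entry["owner"] else 3 if entry["group"] in groups else 0
    triad = (entry["mode"] >> shift) & 7
    return "".join(c if triad & b else "-" for c, b in zip("rwx", (4, 2, 1)))

def report(user, groups):
    """Effective rwx on every listed path for the given user and group set."""
    return {p: access(e, user, groups) for p, e in parse_listing(LISTING).items()}

if __name__ == "__main__":
    # Assumed scenario: an unprivileged account that gained the shadow group.
    for path, perms in report("nobody", {"shadow"}).items():
        print(f"{perms}  {path}")
```
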

Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing

gm.outside Re:/bin/su isn't SUID?! (122 comments)

Oh, fandingo has already quoted the entire message I provided a link for in his/her comment "Dropping SUID doesn't improve security", however I don't agree with the comment title since proper dropping of SUID _DOES_ improve security, and Owl is one of such examples.

more than 3 years ago

Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing

gm.outside Re:/bin/su isn't SUID?! (122 comments)

No, Fedora are using a different approach. We do not replace SUID/SGID with capabilities, instead we carefully design the system to take advantage of the standard Un*x OS level permissions. JFYI, all this buzz with replacing SUID/SGID binaries emerged from the recently discovered vulnerability (BTW, Owl was among the few distributions which weren't affected by that vulnerability at all), but unfortunately people are often getting things wrong when it comes to security. Please review the following message that describes some pitfalls along Fedora or Ubuntu's ways: http://www.openwall.com/lists/oss-security/2010/11/08/3 .

more than 3 years ago

Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing

gm.outside Re:/bin/su isn't SUID?! (122 comments)

Yes, our distro doesn't encourage users to use su or sudo. The reason is that escalating privileges from a less privileged account to a more privileged account is bad from a security standpoint. I found the following message in our mailing list. In this message Solar Designer explains the issue with su/sudo: http://www.openwall.com/lists/owl-users/2004/10/20/6 An excerpt from the above message: "Presently, the only safe use for su is to switch from a more privileged account to a less privileged one (whenever this distinction can be made) in a non-interactive script (without a tty). As soon as a tty is used, there is a security problem. As soon as you su to a more privileged account, there is another security problem." I hope you'd find this useful.

more than 3 years ago

Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing

gm.outside Re:What is it good for? (122 comments)

Well, a poorly written script (and there are many of these nowadays) on a web server may allow an execution of an arbitrary process on the server -- so our hardening measures will try to protect the system from the inside. Indeed, this is a quick response to your question, feel free to ask if you want me to elaborate further on this topic.

more than 3 years ago

Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing

gm.outside Re:Rebuild itself? (122 comments)

No, officially we don't support ARM, but I have plans to make an ARM build of a stripped down Owl since the number of ARM-based devices is rapidly growing at my home. :) A DSL modem, a NAS box, and a couple of netbooks - all are ARM based. This gives me a lot of temptation to build Owl for ARM. :)

more than 3 years ago

Submissions

gm.outside hasn't submitted any stories.

Journals

gm.outside has no journal entries.