Solar Designer on Openwall

Demonfly writes to tell us that Solar Designer, who some would argue is one of the more respected security experts on the net, took the time to answer a few questions about the future of Openwall, the security enhanced GNU/Linux distro. From the interview: "There's real demand specifically for security-enhanced Linux systems. Linux is widespread, it has good hardware support, there's a lot of software available for it (including some commercial packages), and there are system administrators with specific Linux skills. Of course, OpenBSD and other *BSDs have their user bases, too - and people are working on the security of those systems. No, Linux (the kernel) is not a better choice than *BSDs security-wise. But it is not substantially worse either."

Real question

[Spazmania]

The real question is: When are you going to release a set of patches for Linux 2.6?

The openwall patches for 2.4 do the following three really useful things. Hardware compatibility is pushing me to 2.6 but I'd sure like to have the patches:

Non-executable stack (defeats most buffer-overflow attacks)
Restricted links and fifos in /tmp
Restricted /proc

got it already

[r00t]

The non-executable stack is in 2.6.xx already. It's activated for normal executables that have been compiled with a recent compiler.

Rather than restricting /tmp, you can now use the unshare() system call with CLONE_NEWNS to give every user their own private /tmp. You can also just restrict /tmp via an LSM (Linux Security Module, like SE Linux or RSBAC)

You can restrict /proc with an LSM too.