

Solar Designer on Openwall 25

Posted by ScuttleMonkey
from the getting-easier-to-hack-together-great-things-all-the-time dept.
Demonfly writes to tell us that Solar Designer, who some would argue is one of the more respected security experts on the net, took the time to answer a few questions about the future of Openwall, the security-enhanced GNU/Linux distro. From the interview: "There's real demand specifically for security-enhanced Linux systems. Linux is widespread, it has good hardware support, there's a lot of software available for it (including some commercial packages), and there are system administrators with specific Linux skills. Of course, OpenBSD and other *BSDs have their user bases, too - and people are working on the security of those systems. No, Linux (the kernel) is not a better choice than *BSDs security-wise. But it is not substantially worse either."

  • Real question (Score:5, Informative)

    by Spazmania (174582) on Wednesday March 22, 2006 @07:49PM (#14976872) Homepage
    The real question is: When are you going to release a set of patches for Linux 2.6?

    The openwall patches for 2.4 do the following three really useful things. Hardware compatibility is pushing me to 2.6 but I'd sure like to have the patches:

    Non-executable stack (defeats most buffer-overflow attacks)
    Restricted links and fifos in /tmp
    Restricted /proc

  • got it already (Score:3, Informative)

    by r00t (33219) on Wednesday March 22, 2006 @11:47PM (#14978196) Journal
    The non-executable stack is in 2.6.xx already. It's activated for normal executables that have been compiled with a recent compiler.

    Rather than restricting /tmp, you can now use the unshare() system call with CLONE_NEWNS to give every user their own private /tmp. You can also just restrict /tmp via an LSM (Linux Security Module, like SE Linux or RSBAC).

    You can restrict /proc with an LSM too.
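The private-/tmp approach r00t describes, written out as an added example (this is not code from the thread, from Openwall, or from any of the projects mentioned): the process detaches into its own mount namespace with unshare(CLONE_NEWNS), marks the tree private so the new mount does not propagate back to the parent namespace, mounts a fresh tmpfs on /tmp, and then checks /proc/self/mountinfo to confirm /tmp is not in a shared peer group. The tmpfs options, the mountinfo field layout (taken from proc(5)) and the use of the raw unshare syscall number are my assumptions, not anything the comment specifies; the setup step needs CAP_SYS_ADMIN and returns -EPERM without it.

```c
/* Added example: a per-process private /tmp via unshare(CLONE_NEWNS), plus a
 * mountinfo check that the result is really private.  Not from the thread. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/sched.h>   /* CLONE_NEWNS */
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <unistd.h>

/* One /proc/self/mountinfo line looks like (format per proc(5), assumed here):
 *   36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue
 * Fields 1-6 are fixed (field 5 is the mount point), then zero or more optional
 * fields such as shared:N or master:N, then a lone "-" separator.  Returns 1 if
 * the line describes `mountpoint` and carries a shared:N tag, else 0. */
int mountinfo_line_is_shared(const char *line, const char *mountpoint)
{
    char buf[1024];
    char *save, *tok;
    int field = 0, at_mountpoint = 0;

    if (strlen(line) >= sizeof buf)
        return 0;
    strcpy(buf, line);
    for (tok = strtok_r(buf, " \n", &save); tok; tok = strtok_r(NULL, " \n", &save)) {
        field++;
        if (field == 5)
            at_mountpoint = (strcmp(tok, mountpoint) == 0);
        if (field > 6) {
            if (strcmp(tok, "-") == 0)          /* end of the optional fields */
                break;
            if (at_mountpoint && strncmp(tok, "shared:", 7) == 0)
                return 1;
        }
    }
    return 0;
}

/* Returns 1 if `mountpoint` is in a shared peer group (changes would propagate
 * to other namespaces), 0 if private or not a separate mount, -errno on error. */
int mount_is_shared(const char *mountpoint)
{
    FILE *f = fopen("/proc/self/mountinfo", "r");
    char line[1024];
    int shared = 0;

    if (!f)
        return -errno;
    while (fgets(line, sizeof line, f))
        if (mountinfo_line_is_shared(line, mountpoint))
            shared = 1;
    fclose(f);
    return shared;
}

/* Detach into a new mount namespace and put a fresh tmpfs on /tmp.
 * Returns 0 on success, -errno on failure (-EPERM without CAP_SYS_ADMIN). */
int setup_private_tmp(void)
{
    if (syscall(SYS_unshare, CLONE_NEWNS) < 0)
        return -errno;
    /* Mounts can propagate between namespaces (shared subtrees); make the
     * whole tree private first so our /tmp stays invisible to the parent. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
        return -errno;
    /* nosuid/nodev/noexec limit what can be done with files dropped in /tmp;
     * the size and mode are assumed values, not from the page. */
    if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC,
              "mode=1777,size=64m") < 0)
        return -errno;
    return 0;
}

/* Usage: ./private_tmp [command ...]  -- runs the command (default: /bin/sh)
 * with its own /tmp.  Run as root, or it will report EPERM and exit. */
int main(int argc, char **argv)
{
    int rc = setup_private_tmp();
    if (rc < 0) {
        fprintf(stderr, "private /tmp not set up: %s\n", strerror(-rc));
        return 1;
    }
    printf("/tmp shared with parent namespace: %s\n",
           mount_is_shared("/tmp") == 1 ? "yes" : "no");
    if (argc > 1)
        execvp(argv[1], argv + 1);
    else
        execl("/bin/sh", "sh", (char *)NULL);
    perror("exec");
    return 1;
}
```

The MS_REC | MS_PRIVATE step is the part people forget: on a system where / is a shared mount (the default on most systemd-based systems), an unshare() alone is not enough, because the tmpfs mounted afterwards propagates back into the original namespace and every user sees the same /tmp again. The mountinfo check exists so the wrapper can detect that case rather than silently believing it has isolated anything.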
