Solar Designer on Openwall 25

Posted by ScuttleMonkey
from the getting-easier-to-hack-together-great-things-all-the-time dept.
Demonfly writes to tell us that Solar Designer, who some would argue is one of the more respected security experts on the net, took the time to answer a few questions about the future of Openwall, the security-enhanced GNU/Linux distro. From the interview: "There's real demand specifically for security-enhanced Linux systems. Linux is widespread, it has good hardware support, there's a lot of software available for it (including some commercial packages), and there are system administrators with specific Linux skills. Of course, OpenBSD and other *BSDs have their user bases, too - and people are working on the security of those systems. No, Linux (the kernel) is not a better choice than *BSDs security-wise. But it is not substantially worse either."
  • Disagree (Score:1, Flamebait)

    by maelstrom (638)
    I think that SELinux has the potential to be a more secure kernel than many of the *BSDs.
    • Kernel security this and kernel security that. Sure, it gives you something, but it doesn't really protect you from dumb administrators and even dumber users.

      What I'd gladly see in the Linux world: user-space transparent jailing (meaning I could run my applications without endangering the rest of the system). I could give the application read access where it needs to read, hide files that it doesn't need to know about, and not let it write a thing except in the directory that it runs in. Sure ru
      • You should look into FreeBSD's systrace [onlamp.com] functionality. It looks a little easier to set up than a chroot jail, but is more fine-grained, and concerns more than just file access. As far as I know, Linux doesn't have anything like it though. (I wish it did!)
  • The title of this news item had me thinking it was some kind of cool new transparent solar cell for houses or something. That'd be pretty cool. Too bad it's just about Linux...
  • Real question (Score:5, Informative)

    by Spazmania (174582) on Wednesday March 22, 2006 @07:49PM (#14976872) Homepage
    The real question is: When are you going to release a set of patches for Linux 2.6?

    The openwall patches for 2.4 do the following three really useful things. Hardware compatibility is pushing me to 2.6 but I'd sure like to have the patches:

    Non-executable stack (defeats most buffer-overflow attacks)
    Restricted links and fifos in /tmp
    Restricted /proc

    • got it already (Score:3, Informative)

      by r00t (33219)
      The non-executable stack is in 2.6.xx already. It's activated for normal executables that have been compiled with a recent compiler.

      Rather than restricting /tmp, you can now use the unshare() system call with CLONE_NEWNS to give every user their own private /tmp. You can also just restrict /tmp via an LSM (Linux Security Module, like SE Linux or RSBAC).

      You can restrict /proc with an LSM too.
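      The unshare()/CLONE_NEWNS approach r00t describes has one step the comment leaves out: on distributions that mount / with shared propagation, a mount made in the new namespace leaks straight back into the original one, so the "private" /tmp must first be made private. The following is an added example, not code from the thread or from Openwall, that detaches the calling process into its own mount namespace, fixes propagation, and overlays /tmp with an empty noexec/nosuid/nodev tmpfs before running a command; the 64 MiB size cap and the command-wrapper shape are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

/* Give the calling process its own mount namespace with a fresh, empty
 * tmpfs on /tmp. Returns 0 on success or -errno on failure (typically
 * -EPERM when the caller lacks CAP_SYS_ADMIN). */
int setup_private_tmp(void)
{
    /* Step 1: leave the shared mount namespace (needs CAP_SYS_ADMIN). */
    if (unshare(CLONE_NEWNS) != 0)
        return -errno;

    /* Step 2: turn the whole tree private. Without this, on a system whose
     * root is mounted "shared", the /tmp mount below would propagate back
     * into the original namespace and be everybody's /tmp again. */
    if (mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
        return -errno;

    /* Step 3: overlay /tmp with an empty tmpfs. noexec/nosuid/nodev are the
     * usual hardening flags for a world-writable scratch area; the size cap
     * (an example value) stops a runaway program from eating all RAM. */
    if (mount("tmpfs", "/tmp", "tmpfs",
              MS_NOSUID | MS_NODEV | MS_NOEXEC, "size=64m,mode=1777") != 0)
        return -errno;

    return 0;
}

/* Usage: ./private_tmp <command> [args...]
 * The command (and anything it spawns) sees the private /tmp; the rest of
 * the system keeps the shared one. */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    int rc = setup_private_tmp();
    if (rc != 0) {
        fprintf(stderr, "private /tmp not set up: %s\n", strerror(-rc));
        return 1;
    }
    execvp(argv[1], argv + 1);
    perror("execvp");
    return 1;
}
```

      A per-user variant is the same three calls placed in whatever starts the user's session (a PAM module or login wrapper); the per-command wrapper above is the smallest form in which the propagation pitfall can be shown.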
      • Re:got it already (Score:3, Interesting)

        by Spazmania (174582)
        > The non-executable stack is in 2.6.xx already.

        Then why does the stacktest.c program from openwall succeed in simulating a buffer overflow in SuSE Enterprise 9 with kernel 2.6.15.6?

        > You can restrict /proc with an LSM too.

        Yeah? Which?

        • You probably compiled stacktest.c with an old toolchain. Perhaps SuSE didn't enable the non-executable stack. Maybe your hardware doesn't support the NX bit.

          SE Linux should do fine for restricting /proc.
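          The three explanations offered above (old toolchain, distribution setting, no NX hardware) can be told apart without simulating an overflow at all, because the decision chain is visible from inside the process: the toolchain records its request in the binary's PT_GNU_STACK program header, and the kernel's answer shows up as the permission bits on the [stack] mapping in /proc/self/maps. The following is an added example, not code from the thread, from Openwall or from stacktest.c; the maps excerpts it carries are constructed samples for exercising the parser, not captures from any real system.

```c
#define _GNU_SOURCE
#include <elf.h>
#include <link.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed /proc/<pid>/maps excerpts (not captured from a real host). */
const char *const SAMPLE_MAPS_NX =
    "00400000-00401000 r-xp 00000000 08:01 1234   /usr/bin/example\n"
    "7ffd1000-7ffd3000 rw-p 00000000 00:00 0      [stack]\n"
    "7ffd4000-7ffd6000 r--p 00000000 00:00 0      [vvar]\n";
const char *const SAMPLE_MAPS_EXEC =
    "00400000-00401000 r-xp 00000000 08:01 1234   /usr/bin/example\n"
    "7ffd1000-7ffd3000 rwxp 00000000 00:00 0      [stack]\n";
const char *const SAMPLE_MAPS_NOSTACK =
    "00400000-00401000 r-xp 00000000 08:01 1234   /usr/bin/example\n";

/* Parse maps text and report whether the "[stack]" region is executable.
 * Returns 1 (executable), 0 (not executable), -1 (no [stack] line). */
int stack_exec_from_maps(const char *maps_text)
{
    const char *line = maps_text;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= 7 && memcmp(line + len - 7, "[stack]", 7) == 0) {
            /* Fields: "start-end perms offset dev inode path"; the perms
             * string ("rw-p", "rwxp", ...) follows the first space and its
             * third character is the execute bit. */
            const char *sp = memchr(line, ' ', len);
            if (!sp || (size_t)(sp - line) + 5 > len)
                return -1;
            return sp[3] == 'x' ? 1 : 0;
        }
        line = nl ? nl + 1 : NULL;
    }
    return -1;
}

/* Read this process's own maps and classify its stack the same way.
 * /proc files report size 0 to stat(), so the buffer grows as we read. */
int stack_exec_from_proc(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    char *buf = NULL, chunk[4096];
    size_t len = 0, cap = 0, n;
    while ((n = fread(chunk, 1, sizeof chunk, f)) > 0) {
        if (len + n + 1 > cap) {
            cap = cap ? cap : 2 * sizeof chunk;
            while (len + n + 1 > cap)
                cap *= 2;
            char *grown = realloc(buf, cap);
            if (!grown) { free(buf); fclose(f); return -1; }
            buf = grown;
        }
        memcpy(buf + len, chunk, n);
        len += n;
    }
    fclose(f);
    if (!buf)
        return -1;
    buf[len] = '\0';
    int result = stack_exec_from_maps(buf);
    free(buf);
    return result;
}

/* dl_iterate_phdr reports the main executable first; read its PT_GNU_STACK
 * header, the record the toolchain leaves for the kernel and loader. */
static int gnu_stack_cb(struct dl_phdr_info *info, size_t size, void *data)
{
    (void)size;
    int *out = data;
    *out = -1; /* header absent: old toolchain, kernel assumes executable */
    for (int i = 0; i < info->dlpi_phnum; i++) {
        if (info->dlpi_phdr[i].p_type == PT_GNU_STACK) {
            *out = (info->dlpi_phdr[i].p_flags & PF_X) ? 1 : 0;
            break;
        }
    }
    return 1; /* non-zero stops after the first (main) object */
}

/* 1: binary asks for an executable stack, 0: it does not, -1: no header. */
int gnu_stack_requests_exec(void)
{
    int result = -1;
    dl_iterate_phdr(gnu_stack_cb, &result);
    return result;
}

int main(void)
{
    printf("PT_GNU_STACK requests exec stack: %d\n", gnu_stack_requests_exec());
    printf("[stack] executable per /proc/self/maps: %d\n", stack_exec_from_proc());
    return 0;
}
```

          Reading the two results together separates the cases: a request of -1 points at the toolchain (no PT_GNU_STACK emitted), a request of 0 paired with an executable mapping points at the kernel or hardware side, and 0 paired with a non-executable mapping means the protection is in place for that binary regardless of what an overflow test compiled elsewhere reports.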

  • I seem to recall reading that SDF -had- Linux, in a past life,
    but - after an intrusion - -now- use NetBSD or the like.

    They'd surely have something useful to say about Linux v BSD
    security.

    Does anybody know any of their admins of the times to ask?

    FYI: sdf.lonestar.org is a long-time "free" Shell provider
    (I have NO pecuniary interest in their organisation)
  • openwall (Score:2, Interesting)

    by NynexNinja (379583)
    I respect Solar Designer, even though at the time of the initial development of these patches, most of these features were available as separate patches from various groups of hackers -- Solar Designer is credited for integrating them into one jumbo patch. That being said, he never put out patches for Linux 2.6, maybe due to his own stubbornness towards the difference between a "production" and "beta" kernel release -- who knows.

    It is because of this that other projects were allowed to flourish, namely

    • > more feature-rich, updated patches exist
      Yes.
      That's why many (me included) use openwall patches when rolling 2.4 kernels.
      Feature-rich means "may-be-buggy" (or at least harder to review and apply).

      I think trust is the keyword for this situation.
      I trust openwall.
      Their patches work and do only a few simple but important things.
      This is the Right Way in unix world.
