We're getting close to an official fix, which includes a quick self-test on every use (not just by "make check"), with both 7- and 8-bit chars: http://www.openwall.com/lists/oss-security/2011/06/21/2

Olaf Kirch's implementation of traceroute, which we use in Owl, does not need a raw socket. It uses Linux 2.4+ features (that is, they've been available in mainstream kernels for a decade) to do exactly what the usual LBNL traceroute did (send UDP packets, detect ICMP errors), only without requiring special privileges. We install it mode 755 and it just works for all users.

I fully agree with you that "anyone can be wrong".

I also agree with your comments on a large percentage of CPU time typically being spent in shared libraries, and I agree that they're normally PIC anyway. So, yes, 6% slowdown on main program code when going PIE does not translate to a 6% slowdown of the entire system. We typically use Owl rebuilds from source as our benchmark, so this is likely what we will use to see the overall effect of going PIE as well (that is, run a second rebuild on a system already rebuilt to use PIE, including gcc, etc.)

Our bzip2 does not use shared libbz2, specifically for the reason you mention. Here's the exact text of the Owl bzip2.spec changelog entry dated Feb 1, 2002: "Package the bzip2 binary that is statically-linked against libbz2 for better performance on register-starved architectures such as the x86." IIRC, we actually ran benchmarks of both kinds of builds of bzip2 at the time. I've just double-checked - the bzip2 binary in Owl 3.0 still uses shared libc only, whereas libbz2 is linked in statically (the version of bzip2 has been updated several times since 2002, of course). :-)

It was nice talking to you. I think you could actually contribute to post-3.0 Owl development if you wanted to (hint). ;-)

Please take a look at our presentation slides, it only takes a few minutes. Then you might have more specific questions on the implementation, which I'd be happy to answer.

http://www.openwall.com/tcb/
http://www.openwall.com/presentations/Owl/mgp00020.html
http://www.openwall.com/presentations/Owl/mgp00021.html
http://www.openwall.com/presentations/Owl/mgp00022.html
http://www.openwall.com/presentations/Owl/mgp00023.html

Please note that what I wrote in my reply to your comment was quite different. I never said anything about your experience. Now that you raised this topic, I can say that you appear to be familiar with Unix security. You simply had not looked at our stuff before you wrote your comment, that's all.

I find your comment re: the cost of PIE interesting, thanks! It leaves many questions, though. 6% on 32-bit x86 is the number I had been aware of before. Your statement that "the affected code was actually running less than 2% of the time" is curious and potentially very useful. However, this, assuming that it's true, does not yield your claimed 0.0012%; it yields 0.12%. Of course, 0.12% may be considered acceptable (far more likely than 6% at least). I am curious about the details of your test; I guess, some systems will actually run "the affected code" 100% of the time - e.g., this happens if I build John the Ripper as PIE and run it for days (which is why I dislike Gentoo building JtR like that, and have to recommend JtR users to make their own builds). ;-) I'd appreciate it if you e-mail me (solar at openwall.com) more details on your test, and we'll discuss from there. We're considering PIE by default for post-3.0 Owl-current (and next release).

Your comments about cron/at are similar to what we thought of when we designed the system. Just like our per-user shadow files, the crontab files are per-user (and they were prior to our changes as well). Our crond does check crontab file ownership, and then it will only run the cron jobs found in the file as the file's owner. Cron and at jobs running as root are supported - of course, as long as the corresponding files are root-owned.

Actually, there are at least two things I've been planning to add to the website (but we never got around to doing that): an interface to browse our man pages and another one to browse our packages (list and contents - at least the metadata). I don't know whether this is a higher priority than a mere facelift or not.

Actually, it is possible to configure a Linux system such that "chattr -a" won't work without having to reboot first. With ancient kernels, we had BSD-style securelevel for this. With recent ones, we have the capability bounding set instead (/proc/sys/kernel/cap-bound). But very few sysadmins make use of this functionality, and it is tricky and painful to use it in a way that would achieve much (need to make almost the entire "base system" immutable - the individual files - or watch for any unexpected reboots and consider those signs of a potential intrusion, but that just wastes time). I tried this with securelevel on Linux 2.0 kernels in late 1990s, but I am not doing this anymore.

Khopesh - you're welcome, and thank you for your constructive comments. We might create a FAQ for Owl based on the questions/comments we've received.

Agreed re: insufficient documentation on owl-control. This is something for us to improve. Also add our own web interface to our man pages, like *BSD's have - frankly, this has been on my to-do list for years... but there was always something more important or/and more urgent.

I have replied to your comment's GGP with the info you have requested.

You can view the formatted control(8) man page here:

http://docs.altlinux.org/manpages/control.8.html

(ALT Linux have imported owl-control for their distributions, and they have contributed some changes back to us. They also happen to have placed this man page on the web.)

I'm afraid that this is not going to help you very much, though, because owl-control is very generic and abstract, and so is its man page. Perhaps we should add a few usage examples to illustrate owl-control's purpose.

I'll try to explain what it's for. Some packages on Owl provide what we call, in owl-control terms, "facilities". An example of such facility is su, provided by the SimplePAMApps package. The package also provides the file /etc/control.d/facilities/su, which defines several possible settings for su. In this case, the settings are: public, wheel, wheelonly, restricted - as shown by "control su list". The default for su on Owl 3.0 is restricted, which corresponds to /bin/su being mode 700 (usable by root only). If you issue "control su wheelonly", /bin/su changes to mode 4710, with group wheel. Issuing "control su" then confirms that the current setting is indeed wheelonly. Other related programs are control-dump and control-restore: these are used by scriptlets of our RPM packages. For example, our SimplePAMApps.spec invokes "control-dump su" in %pre and "control-restore su" in %post. This lets a possibly customized control setting for su persist over upgrades of the SimplePAMApps package.

Some other facilities are: bind-debug (controls whether it's possible to have BIND produce debugging logs or not), ntpd (can be set to "server" or "client"), postfix (can be set to "server" or "local"), and many others. So this is not limited to changing permissions on files - it also works for configuration file contents - but we only use it for trivial changes (a line commented-out or not) that need to persist over system upgrades. Also, such control'able changes are perfectly compatible with manual edits to the corresponding config files. If a sysadmin ends up editing a file such that control's facility script does not recognize one of the supported settings, control will start reporting "unknown" for that facility's state - but that is not any worse than not having control would have been.

As you can see, this is a very nice security-relevant feature for sysadmins, but it is not central to the Owl security model. Things such as our tcb suite (making the passwd command run without requiring root privs) are more essential to our security model.

We normally login directly as a root user for sysadmin tasks (e.g., r_john for a sysadmin named John) and also directly as a non-root user (e.g., john) for other tasks. This applies to both console and remote logins (ssh). This is the approach we've been using for years, and it works well for us.

As I have mentioned, those who prefer the traditional su approach, despite of its added risks (including compromise propagation from a sysadmin's non-root account to root), may "control su wheelonly".

Yes, Owl 3.0 works in VMware out of the box. We mostly run it in QEMU and VirtualBox for our VM-based testing, though.

BTW, you might find it curious that when you run Owl in a VM like this, you can further create OpenVZ containers with multiple instances of Owl and with other Linux distros inside that single running copy of Owl. Such container-based virtualization has no further performance overhead. :-)

128 MB is plenty, probably a lot less will do. I have my QEMU set to its default of 128 MB when I do install-tests with new Owl ISOs. Also, my Owl-based router and small fileserver at home has 128 MB RAM (runs the default-enabled set of Owl services plus ntpd, named, pppd/pppoe, openvpn, squid, NFS, and a sometimes a few lftp's and ctorrent's under screen).

On the other hand, of course you may need a lot more RAM for your specific uses of Owl - e.g., to run many OpenVZ containers, to do web hosting, etc. We currently administer several 32 GB RAM machines running Owl and one 64 GB RAM machine, as well as a countless number of 4-16 GB machines - so we know Owl has no problem with these larger RAM sizes as well (and with the many OpenVZ containers running various Linux distros actually making use of this RAM).

There's no web-based interface in Owl.

Are you just trolling? I'll provide a serious response nevertheless: we don't include the grsecurity patch, but our userland will run just fine with a grsecurity-patched kernel - this is up to our users to choose if they like. We do support containers out of the box, with OpenVZ. Owl can act both as an OpenVZ host (it includes the kernel and vz* tools) and guest (we provide pre-created OpenVZ container templates, and there's "make vztemplate" to build your own ones if you like). CUDA has nothing to do with a server/appliance Linux distro at this time (although I can think of some obscure uses). Since when is Snort deprecated? Anyway, we don't include it, but it can be easily installed on top of Owl.

Yes, local users and pseudo-users. No, this is not limited to academic environments. Think shared web hosting - hundreds or thousands of local users on a system. We're actually setting up Owl-based shared web hosting systems for our clients. Besides the different user accounts belonging to different shared hosting customers, privilege separation between the accounts is also needed because one of the websites may get compromised (via a web app vulnerability) and we would not want such a compromise to easily propagate onto all other websites hosted on the same system (not even if they're of the same customer).

Additionally, even on a dedicated server for a single website (or, say, on a mail server) there are pseudo-users. Even the sshd service from OpenSSH uses a pseudo-user for its built-in privilege separation. This is needed to mitigate the impact of vulnerabilities in certain parts of code in those services (and in libraries that they use). You don't want any vulnerability anywhere in sshd or in parts of libc/libcrypto/libz that it uses (and in a lot of other libraries on riskier Linux distros such as RHEL/CentOS/Fedora - just see "ldd /usr/sbin/sshd" on those and be very scared) to result in a full-blown root compromise. The extra barrier between the less-privileged sub-process (doing lots of things) and the parent root-privileged process (doing fewer things) is of some help. Ditto for other services that implement privilege separation - and this is the kind of service implementations that we include in Owl (OpenSSH, vsftpd, OpenNTPD, Postfix all have privsep implemented upstream; telnetd was missing privsep, but we introduced privsep into it).

owl-control is merely a tool to ease system administration - change settings and have your changes persist over system upgrades. It is one of the nice security-related features of Owl, but it is NOT key to running a reasonable Owl system without SUIDs (this is achieved by other means - SGIDs and changes to various system components). owl-control is not what you thought it was (not a "permissions escalation daemon", but merely a set of scripts).

I do agree with you that we need to present our documentation (such as man pages) in a form more accessible to someone who is not an Owl user yet. The only reason why we did not do that yet is lack of time (small development team working on a mostly non-commercial project, so we constantly have to choose which of the pending tasks we make progress on).

That's poor analysis on your part, so your conclusion is completely wrong. Please refer to our presentation slides for an explanation of how things actually work and why the attacks you describe would not work:

http://www.openwall.com/presentations/Owl/

BTW, the announcement specifically mentioned that "a vulnerability in crontab(1) or at(1) can't result in a root compromise without a vulnerability in crond(8) or in a critical system component relied upon by crond(8)." Did you not read that? Or do you disagree, thereby stating that we're inexperienced in the stuff we've been doing for 10 years?

Since a lot of people are confused just like you are, I'd be happy for any suggestions on how we could explain what we do and what we have achieved better. I did include that quote in the announcement specifically because I knew of common misconceptions about our work, but apparently that was not enough? Thanks!