Forgot your password?
typodupeerror

Comment: Re:Openwall site (Score 1) 122

by gm.outside (#34601522) Attached to: Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing
Wanna volunteer? :) Seriously, we wanted to update the site long time ago, but we are not good at web design and our team is too small and quite busy to spend time on something we aren't good at. From the pure technical point of view, the site provides all the necessary information we wanted it to provide. True, there are no whistles and bells, but every bit of info is there. We would appreciate any help with making our site better!

Comment: Re:Dropping SUID doesn't improve security (Score 1) 122

by gm.outside (#34601482) Attached to: Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing
Well, why do you want to expose a system to a risk in the first place if you can simply avoid it? There are too many vectors of attack on a transition from a non-privileged account to a more privileged one. BTW, the non-privileged account there for a reason - to do regular stuff on day-to-day basis, this also means that they are likely to be accessed from untrusted places (e.g. internet cafes, other people's computers, etc.). The risk of leaking credentials for such an unprivileged account is quite high. Re: immutable/append-only flags -- you are obviously wrong, chattr -i and chattr -a are your friends to remove these flags in a normal multi-user runlevel, indeed, you need to be root to do it, though.

Comment: Re:/bin/su isn't SUID?! (Score 1) 122

by gm.outside (#34598680) Attached to: Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing

If you can't su or sudo, how you get anything done?

This depends on the task. If you are a local user and need root powers - switch your console to a fresh one and login as root. If you were talking about getting root powers on a remote host, the best practice is to ssh as root directly (given that you are behind a trusted terminal).

Comment: Re:/bin/su isn't SUID?! (Score 1) 122

by gm.outside (#34597490) Attached to: Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing

Basically if you exploit something with 'shadow' (i.e. passwd) you add a root user account to /etc/passwd and su to it.

This is not true. You can't do anything like this even if you acquire the shadow membership:

server!galaxy:~$ ls -ld /etc/passwd /etc/tcb
-rw-r--r-- 1 root root 3956 2010-06-03 21:08 /etc/passwd
drwx--x--- 99 root shadow 4096 2010-06-03 21:08 /etc/tcb
server!galaxy:~$

and the structure under /etc/tcb/ is also not writable to shadow:

server!root:~# ls -ld /etc/tcb /etc/tcb/galaxy
drwx--x--- 99 root shadow 4096 2010-06-03 21:08 /etc/tcb
drwx--s--- 2 galaxy auth 4096 2009-10-24 04:44 /etc/tcb/galaxy
server!root:~#

Re: crontab -- good luck with hijacking crontab on Owl :). The code was carefully audited for security issues and was hardened against possible abuses.

Comment: Re:/bin/su isn't SUID?! (Score 1) 122

by gm.outside (#34597356) Attached to: Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing
No, Fedora are using a different approach. We do not replace SUID/SGID with capabilities, instead we carefully design the system to take advantage of the standard Un*x OS level permissions. JFYI, all this buzz with replacing SUID/SGID binaries emerged from the recently discovered vulnerability (BTW, Owl was among few distributions which wasn't affected by that vulnerability at all), but unfortunately people are often getting things wrong, when it comes to security. Please review the following message that describes some pitfalls along Fedora or Ubuntu's ways: http://www.openwall.com/lists/oss-security/2010/11/08/3 .

Comment: Re:/bin/su isn't SUID?! (Score 1) 122

by gm.outside (#34597274) Attached to: Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing
Yes, our distro doesn't encourage users to use su or sudo. The reason is that escalating privileges from a less privileged account to a more privileged account is bad from security standpoint. I found the following message in our mailing list. In this message Solar Designer explains the issue with su/sudo: http://www.openwall.com/lists/owl-users/2004/10/20/6 An excerpt from the above message: "Presently, the only safe use for su is to switch from a more privileged account to a less privileged one (whenever this distinction can be made) in a non-interactive script (without a tty). As soon as a tty is used, there is a security problem. As soon as you su to a more privileged account, there is another security problem." I hope you'd find this useful.

Comment: Re:What is it good for? (Score 1) 122

by gm.outside (#34597232) Attached to: Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing
Well, a poorly written script (and there are many of these nowadays) on a web server may allow an execution of an arbitrary process on the server -- so our hardening measures will try protect the system from the inside. Indeed, this is a quick response on your question, feel free to ask if you want me to elaborate further on this topic.

Comment: Re:Rebuild itself? (Score 1) 122

by gm.outside (#34597196) Attached to: Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing
No, officially we don't support ARM, but I have plans to make an ARM build of a stripped down Owl since the number of ARM-based devices is rapidly growing at my home. :) A DSL modem, a NAS box, and a couple of netbooks - all are ARM based. This gives me a lot of temptation to build Owl for ARM. :)
Security

Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing 122

Posted by Soulskill
from the wouldn't-an-open-wall-be-a-gate dept.
solardiz writes "Openwall GNU/*/Linux (or Owl for short) version 3.0 is out, marking 10 years of work on the project. Owl is a small, security-enhanced Linux distro for servers, appliances, and virtual appliances. Two curious properties of Owl 3.0: no SUID programs in the default install (yet the system is usable, including password changing); and logging of who sends messages to syslog (thus, a user can't have a log message appear to come, say, from the kernel or sshd). No other distro has these. Other highlights of Owl 3.0: single live+install+source CD, i686 or x86_64, integrated OpenVZ (host and/or guest), 'make iso' & 'make vztemplate' in the included build environment, ext4 by default, xz in tar/rpm/less, 'anti-Debian' key blacklisting in OpenSSH. A full install is under 400 MB, and it can rebuild itself from source."
Security

+ - Openwall Linux 3.0: no SUIDs, anti log spoofing-> 2

Submitted by solardiz
solardiz (817136) writes "Openwall GNU/*/Linux (or Owl for short) version 3.0 is out, marking 10 years of the project. Owl is a small security-enhanced Linux distro for servers, appliances, and virtual appliances. Two curious properties of Owl 3.0: no SUID programs in default install (yet the system is usable, including password changing) and logging of who sends messages to syslog (thus, a user can't have a log message appear to come, say, from the kernel or sshd). No other distro has these. Other highlights of Owl 3.0: single live+install+source CD, i686 or x86_64, integrated OpenVZ (host and/or guest), "make iso" & "make vztemplate" in included build environment, ext4 by default, xz in tar/rpm/less, "anti-Debian" key blacklisting in OpenSSH. A full install is under 400 MB, and it can rebuild itself from source."
Link to Original Source
Security

+ - Security-enhanced Linux distro can rebuild itself-> 3

Submitted by iago-vL
iago-vL (760581) writes "Last week, the Openwall Project released the latest build of Openwall GNU/*/Linux (Owl for short) (announcement). This distribution, which has the ability to completely rebuild itself from source, is designed from the ground up to be secure. From source code audits of critical components to advanced privilege separation, secure defaults, and integration of OpenVZ container-based virtualization, Owl makes a great server platform!"
Link to Original Source

Many people write memos to tell you they have nothing to say.

Working...