Security Holes Draw Linux Developers' Ire 477
jd writes "In what looks to be a split that could potentially undermine efforts to assure people that Linux is secure and stable, the developers of the GRSecurity kit and RSBAC are getting increasingly angry over security holes in Linux and the design of the Linux Security Modules. LWN has published a short article by Brad Spengler, the guy behind GRSecurity and it has stoked up a fierce storm, with claims of critical patches being ignored, good security practices being ignored for political reasons, etc. Regardless of the merits of the case by either side, this needs to be aired and examined before it becomes more of a problem. Especially in light of the recent kernel vulnerability debated on Slashdot."
Re:Interesting point of view (Score:5, Informative)
Re:linux vs ??? (Score:5, Informative)
OpenBSD [openbsd.org] has implemented security [openbsd.org] similar to grsecurity. Note that this is part of OpenBSD operating system, so the user does not need to do anything to use it. Contrast this to grsecurity that is a set of patches against Linux kernel.
As far as I know, only Gentoo and Mandrake supports grsecurity.
Re:Interesting point of view (Score:5, Informative)
Re:Time for (even) better security? (Score:5, Informative)
Re:Ok, so where are the patches? (Score:2, Informative)
Re:Ok, so where are the patches? (Score:4, Informative)
Patches are here (Score:3, Informative)
>Is there a patch to uselib() bug ->
>> http://www.isec.pl/vulnerabilities/isec-0021-usel
Date: Sun, 09 Jan 2005 17:28:35 +0100
From: Henrik Persson
To: Breno Silva Pinto
Cc: linux-kernel@vger.kernel.org
Subject: Re: patch to uselib()
It's patched in 2.4.29-rc1 and 2.6.10-ac6. A patch for 2.4 can also be found here:
http://marc.theaimsgroup.com/?l=linux-kern
and for 2.6:
http://marc.theaimsgroup.com/?l=linux-kerne
Browsing the archives usually gives you alot of answers, you know.
----------------
Cut-n-pasted from the LKML
wow... (Score:4, Informative)
Re:Time for (even) better security? (Score:4, Informative)
andy
Re:linux vs ??? (Score:1, Informative)
The Grsecurity has also superior learning mechanisms for ACLs. It is really easy to get the most constraining set of ACLs with which the software still works for the system. Take a look at the process.
Grsecurity also has lot's of things that can be ACL'ed. What OpenBSD has is good mkay but it has had several security problems such as constant canaries in the kernel. (Fixed couple months ago.) It's a lot simpler actually. (But yes, working.)
Re:Start over, basing on OpenBSD for a change... (Score:3, Informative)
Re:Time for (even) better security? (Score:4, Informative)
same feeling with S-ATA (Score:5, Informative)
Re:Time for (even) better security? (Score:3, Informative)
This does not involve rebooting production servers after any and all changes "just in case" which is what the original poster was indicating when he said that an uptime of more than a couple of months indicated poor skills.
If the change is one that would reasonably have some affect on startup procedures, then startup is tested. It is tested first in our development environment, then in our staging and disaster-recovery environments. By this stage I will know weather my changes are volatile or not, and I will know what needs to be done to ensure the change works correctly. I don't need to reboot my production servers to answer that question.
Re:Time for (even) better security? (Score:3, Informative)
He's a hypocrite to complain about how linux needs to be organized to receive patches, when he is himself ignoring the protocols already in place to deal with the problem.
Imagine what would happen if linus had to personally look at every email about the kernel - nothing wold get done.
Actually (Score:1, Informative)
I will say, however, that taking the average monthly vulnerabilities for any given Linux distro + kernel and comparing to Windows yields surprising results. About the same ore more vulnerabilities exist in Linux distro apps than on a typical Windows installation. See http://www.linuxsecurity.com/advisories [linuxsecurity.com] and compare for yourself.
The point is that we're all humans making software, so we're all prone to the same mistakes. Both systems are inherently insecure to the same degree, but Windows is used so much more that holes are widely reported.
You complain when trolls pop up and say "Ha ha!" to Linux vulnerabilities, but look at a Windows vulnerability article on Slashdot sometime and you'll find 90% of the discussion follows those very lines. Some people genuinely enjoy Microsoft technology and use it daily, so it's a little healthy schadenfreude when it's pointed out that, hey, Linux isn't the 100% flawless Golden Warrior it's made out to be. It's a dangerous mindset to have anyway--it makes you overlook things. Which seems to be the case in this LWN article.
Re:Grsecurity is for real? (Score:2, Informative)
Personally, I switched from grsecurity to SELinux [nsa.gov] shortly after the incident linked above. While Brad may in fact be quite skilled, I've simply lost trust in him and, by extension, his project.
Re:You're basically right, but... (Score:3, Informative)
1. The client connects to the file server with the SMB protocol to start a session and to establish the client's identity in the form of a token [microsoft.com].
Authentication of the client's identity is handled by a LSA authentication module such as samsrv.dll for the local user database, msv1_0.dll for an NTLM domain or kerberos.dll for a kerberos domain (2000 or later). The security token is generated by one of these packages and passed along to the SMB server at impersonation level [microsoft.com]. If the client doesn't explicitly log on, he gets an anonmyous [microsoft.com] token. In any case, the session must have a security token associated with it to proceed.
2. Before accessing anything on behalf of the client, the thread servicing the request impersonates [microsoft.com] the client using their token. Instead of using the process's access level for access, the client's token is used. At the kernel level.
See this [microsoft.com] page about SMB authentication; it's written for NT3.x.
See also Security Subsystem Architecture [microsoft.com], although for Win2k, the architecture really hasn't changed that much; just expanded to include Active Directory.
Re:Right on! (Score:3, Informative)
True, 2.4 was an absolute nightmare up to around 2.4.16 as you said. The difference from then to now is, as I see it, that there were a few well focused attempts at solving that one huge problem, and then there was the general bugfixing going on meanwhile. Today, you have some general bugfixing going on, but all while that is happening, lots and lots of new features are added - core parts are touched in places where they (evidently) do not like to be touched, so to speak.
Sure, nobody (in their right mind) expected 2.6.0 to be bug free or even close. But I at least had an expectation that a stable 2.6 was the goal and the direction in which development would be going.
Again, I'm sure it will eventually. But until it does, for some uses 2.6 is just unusable.
(all is not bad; for example, my mother is using 2.6 on her desktop, and the hot-plugging works great - a lot of very good things are in 2.6, but for us people who need machines to have uptimes of more than 8 hours under heavy load, it's just not really good enough).
Re:No holes in default install due to no services (Score:3, Informative)
Time with some corrections for a default OpenBSD install ;-) First fingerd is not started, and has not for quite some time. Sendmail is started, but only listen on localhost. From OpenBSD 3.6 you get the question during install if you want to enable sshd. Via inetd is the following enabled : ident, comsat (mail submission), daytime and time. syslog is enabled, but don't listen on UDP by default.