Who is interested in stack protection?
I think it would be good to have some experiments of stack protected packages
for Debian. Probably the best way to do this would be to start with
ssh-stack and sysklogd-stack being uploaded to experimental. I don't have
time to do this, but I would
On Thu, Aug 21, 2003 at 12:57:06PM +1000, Russell Coker wrote:
> Who is interested in stack protection?
>
> I think it would be good to have some experiments of stack protected packages
> for Debian. Probably the best way to do this would be to start with
> ssh-stack and syskl
On Thu, 21 Aug 2003 14:56, Brian May wrote:
> On Thu, Aug 21, 2003 at 12:57:06PM +1000, Russell Coker wrote:
> > Who is interested in stack protection?
> >
> > I think it would be good to have some experiments of stack protected
> > packages for Debian. Probably the b
On Thu, 21 Aug 2003, Russell Coker wrote:
> Who is interested in stack protection?
> I think it would be good to have some experiments of stack protected packages
> for Debian.
> Also is there any interest in uploading a kernel-image package with the grsec
> PaX support built in?
On Thu, 21 Aug 2003 17:39, Xavier Roche wrote:
> Major issues for a ro-/ are maybe:
> - using devfs for /dev (kernel 2.4 and package devfsd installed)
Devfs is getting less support now, it might not be the best time to start
depending on it.
--
http://www.coker.com.au/selinux/ My NSA Security
.html
for details.
There are other stack protection mechanisms too, but propolice seems the most
popular. Some investigation would need to be done into the relative merits
of the various options (propolice has much better support apparently which
will be a major factor).
I think ProPolice is the
Xavier Roche <[EMAIL PROTECTED]> writes:
> On Thu, 21 Aug 2003, Russell Coker wrote:
> Major issues for a ro-/ are maybe:
> - using devfs for /dev (kernel 2.4 and package devfsd installed)
Alternatively you can copy /dev to a ramdisk.
And please don't use devfsd. That somewhat cancles out half of
Russell Coker <[EMAIL PROTECTED]> writes:
> Devfs is getting less support now, it might not be the best time to start
> depending on it.
Indeed, it's looking likely that GregKH's `udev' will replace devfs
sometime in the future.
[It was amusing to see Christoph Hellwig's recent patch on the lkml
Hi
On Thu, Aug 21, 2003 at 02:56:34PM +1000, Brian May wrote:
> On Thu, Aug 21, 2003 at 12:57:06PM +1000, Russell Coker wrote:
> > Who is interested in stack protection?
x86 only? Pro police is the most platform independent iirc.
> > I think it would be good to have some exper
On Thu, 21 Aug 2003 19:13, Stefan Gybas wrote:
> However, ProPolice has not been ported to all architectures yet, see
> http://www.research.ibm.com/trl/projects/security/ssp/statuschart.html
> for details.
Not being ported to all architectures is not a problem IMHO.
Such stack protecti
> Who is interested in stack protection?
I am.
>I think it would be good to have some experiments of stack protected packages
>for Debian. Probably the best way to do this would be to start with
>ssh-stack and sysklogd-stack being uploaded to experimental. I don't have
>
Russell Coker wrote:
On Thu, 21 Aug 2003 19:13, Stefan Gybas wrote:
However, ProPolice has not been ported to all architectures yet, see
http://www.research.ibm.com/trl/projects/security/ssp/statuschart.html
for details.
Not being ported to all architectures is not a problem IMHO.
Such stack
Op do 21-08-2003, om 09:49 schreef Russell Coker:
> On Thu, 21 Aug 2003 17:39, Xavier Roche wrote:
> > Major issues for a ro-/ are maybe:
> > - using devfs for /dev (kernel 2.4 and package devfsd installed)
>
> Devfs is getting less support now, it might not be the best time to start
> depending
On Thu, Aug 21, 2003 at 07:16:46PM +0900, Miles Bader wrote:
> Russell Coker <[EMAIL PROTECTED]> writes:
> > Devfs is getting less support now, it might not be the best time to start
> > depending on it.
>
> Indeed, it's looking likely that GregKH's `udev' will replace devfs
> sometime in the fut
On Thu, 21 Aug 2003 22:41, Brian May wrote:
> On Thu, Aug 21, 2003 at 07:16:46PM +0900, Miles Bader wrote:
> > Russell Coker <[EMAIL PROTECTED]> writes:
> > > Devfs is getting less support now, it might not be the best time to
> > > start depending on it.
> >
> > Indeed, it's looking likely that Gr
On Aug 21, Xavier Roche <[EMAIL PROTECTED]> wrote:
>- using devfs for /dev (kernel 2.4 and package devfsd installed)
devfs will probably disappear. It's better to look at udev (which I'm
packaging).
>- transforming several /etc files as symlinks and moving them to some
>other place (/var/etc ?
On Thu, Aug 21, 2003 at 10:41:16PM +1000, Brian May wrote:
> > Indeed, it's looking likely that GregKH's `udev' will replace devfs
> > sometime in the future.
>
> Dare I ask the obvious question: what is udev? Why is it better then
> devfs?
It's mostly in user-space, lighter-weight, and more conf
.
Such stack protection should not be relied on, it's just there to make
automated attacks much more difficult. As i386 is the target for
almost all of the automated attacks merely supporting i386 will do
most of the good that such a tool can do.
As for Adamantix people helping out, they ha
Russell Coker <[EMAIL PROTECTED]> writes:
> On Thu, 21 Aug 2003 22:41, Brian May wrote:
> > On Thu, Aug 21, 2003 at 07:16:46PM +0900, Miles Bader wrote:
> > > Russell Coker <[EMAIL PROTECTED]> writes: > Devfs is getting
> > > less support now, it might not be the best time to > start
> > > dependi
Wouter Verhelst <[EMAIL PROTECTED]> writes:
> Op do 21-08-2003, om 09:49 schreef Russell Coker:
> > On Thu, 21 Aug 2003 17:39, Xavier Roche wrote:
> > > Major issues for a ro-/ are maybe:
> > > - using devfs for /dev (kernel 2.4 and package devfsd installed)
> >
> > Devfs is getting less support
On Fri, Aug 22, 2003 at 03:35:04AM +0200, Goswin von Brederlow wrote:
> > A paper on udev was presented at OLS this year, at the URL below you
> > can find a copy in PDF format. Basically it is a way of providing
> > some of the features of devfs but based around using hotplug to
> > create device
On Thu, Aug 21, 2003 at 10:57:17PM +1000, Russell Coker wrote:
> http://archive.linuxsymposium.org/ols2003/Proceedings/
>
> As for why it's better than udev. There have been bugs in devfs in the past
> related to race conditions. Also devfs requires that the kernel knows about
> all the device
On Fri, 22 Aug 2003 11:35, Goswin von Brederlow wrote:
> > A paper on udev was presented at OLS this year, at the URL below you
> > can find a copy in PDF format. Basically it is a way of providing
> > some of the features of devfs but based around using hotplug to
> > create device nodes using mk
On Thu, 21 Aug 2003 22:38, rintek wrote:
> > As for Adamantix people helping out, they haven't even posted to this
> > mailing list yet, so I have no great expectations for them to help in
> > future.
>
> Please have a look at your email
Yes, I lived in the Netherlands for 2 years of the time I sp
Russell Coker <[EMAIL PROTECTED]> writes:
> On Fri, 22 Aug 2003 11:35, Goswin von Brederlow wrote:
> > > A paper on udev was presented at OLS this year, at the URL below
> > > you can find a copy in PDF format. Basically it is a way of
> > > providing some of the features of devfs but based aroun
On Fri, Aug 22, 2003 at 11:39:21AM +0200, Goswin von Brederlow wrote:
> Which means you need about 100 device nodes so you can boot of any
> of the 65536 disks you could have connected?
Why?
The kernel currently has hardcoded logic to convert the root=... string
into a major,minor number, it
Brian May <[EMAIL PROTECTED]> writes:
> On Fri, Aug 22, 2003 at 11:39:21AM +0200, Goswin von Brederlow wrote:
> > Which means you need about 100 device nodes so you can boot of any
> > of the 65536 disks you could have connected?
>
> Why?
>
> The kernel currently has hardcoded logic to conve
* Goswin von Brederlow ([EMAIL PROTECTED]) [030822 22:15]:
> Depending on the size of udev it might be on the initrd or not.
> If its not then you need a lot of /dev entries to mount the real root
> device and get udev started or a extra script that created node on the
> fly from /proc/something.
On Thu, Aug 21, 2003 at 09:39:53AM +0200, Xavier Roche wrote:
> Note that some options are sometimes incompatible with some packages:
> restrictions on kmem ('Deny writing to /dev/kmem, /dev/mem, and
> /dev/port') prevent lm_sensors from working properly with my server. But
"cat /dev/zero > /dev/m
On Fri, Aug 22, 2003 at 10:05:13PM +0200, Goswin von Brederlow wrote:
> Depending on the size of udev it might be on the initrd or not.
> If its not then you need a lot of /dev entries to mount the real root
> device and get udev started or a extra script that created node on the
> fly from /proc/s
On Sat, 23 Aug 2003 07:02, Milan P. Stanic wrote:
> On Thu, Aug 21, 2003 at 09:39:53AM +0200, Xavier Roche wrote:
> > Note that some options are sometimes incompatible with some packages:
> > restrictions on kmem ('Deny writing to /dev/kmem, /dev/mem, and
> > /dev/port') prevent lm_sensors from wor
On Sat, Aug 23, 2003 at 03:13:25PM +1000, Russell Coker wrote:
> On Sat, 23 Aug 2003 07:02, Milan P. Stanic wrote:
> > On Thu, Aug 21, 2003 at 09:39:53AM +0200, Xavier Roche wrote:
> > > Note that some options are sometimes incompatible with some packages:
> > > restrictions on kmem ('Deny writing
On Sat, Aug 23, 2003 at 11:36:04AM +0200, Milan P. Stanic wrote:
| > Allowing the dhcp server to write to /dev/mem because it's UID 0 and Unix
| > security sucks is a bug.
|
| The problem isn't with UID 0, but with bugs in software.
No. The problem is an insecure design that forces the DHCP se
Brian May <[EMAIL PROTECTED]> writes:
> On Fri, Aug 22, 2003 at 10:05:13PM +0200, Goswin von Brederlow wrote:
> > Depending on the size of udev it might be on the initrd or not.
> > If its not then you need a lot of /dev entries to mount the real root
> > device and get udev started or a extra scr
* Milan P. Stanic ([EMAIL PROTECTED]) [030823 11:50]:
> On Sat, Aug 23, 2003 at 03:13:25PM +1000, Russell Coker wrote:
> > Allowing the system administrator to write to /dev/mem as part of debugging
> > the kernel is a feature.
> UID 0 must have rights to do everything. root can "format" filesyst
lly it will
not be possible to successfully attack you unless holes are found in all
levels simultaneously, which is a much more difficult and less likely event.
Writing quality software is good. Having stack protection is good too (the
original topic of this thread). But it still doesn't
ling in the moat and smashing the outer walls would not let
> an attacker win.
"Denial of Service" was the most successful method to defeat it. :-)
[...]
> Writing quality software is good. Having stack protection is good too (the
> original topic of this thread). But it stil
to defeat it. :-)
True. But DOS attacks are easy to implement on any system regardless of how
it's secured. In a castle the occupants would starve to death if they were
under siege for long enough, that isn't going to happen to your Linux server.
> > Writing quality software is
. We want to give them a choice of all of
> the above.
I'm not against choice, I just don't like idea that that stack
protection and similar code could become "mainstream" one day.
P.S.
I appreciate you contribution to Linux (and Debian) security a lot,
and I play with *your* SE Linux host when I have time.
above.
>
> I'm not against choice, I just don't like idea that that stack
> protection and similar code could become "mainstream" one day.
Properly designed the stack protection, array bounds checking and
pointer validating routines can be put into queue slots that woul
ay that
> > > putting limits in the (our loved (Debian)/Linux) is not good thing,
> > > IMO.
> >
> > Why is it a limit? We are not talking about making any of these
> > mandatory for Debian users. We want to give them a choice of all of
> > the above.
>
>
we
have it now in Debian (due to Your effort), but this isn't solution.
[ OK, I'm going to think that we never will have secure system because
absolute security is against nature. ]
[...]
> > I'm not against choice, I just don't like idea that that stack
> > protectio
* Milan P. Stanic ([EMAIL PROTECTED]) [030825 16:50]:
> On Mon, Aug 25, 2003 at 04:14:12PM +1000, Russell Coker wrote:
> > On Mon, 25 Aug 2003 07:48, Milan P. Stanic wrote:
> > > > Also I don't expect DJB to write replacements for dhcpd, dhclient, ftpd,
> > > > cron,
> > >
> > > Maybe someone else
"Milan P. Stanic" <[EMAIL PROTECTED]> writes:
> On Mon, Aug 25, 2003 at 04:14:12PM +1000, Russell Coker wrote:
> > On Mon, 25 Aug 2003 07:48, Milan P. Stanic wrote:
> > > > Also I don't expect DJB to write replacements for dhcpd, dhclient, ftpd,
> > > > cron,
> > >
> > > Maybe someone else should
On Mon, 25 Aug 2003, Milan P. Stanic wrote:
> There are some of them: vsftpd, pure-ftpd, udhcp, uschedule ... to
> note just some. They are not 100% secure, but they are more secure
> than software written by ISC.
I'm personally only really familiar with ISC's dhcpd3-server, but have
you even read
On Mon, Aug 25, 2003 at 10:56:38AM -0700, Don Armstrong wrote:
> I'm personally only really familiar with ISC's dhcpd3-server, but have
> you even read the code written by Ted Lemon? Just randomly slandering
> programmers when you are not intimately familiar with their code isn't
> something that s
On Mon, 25 Aug 2003, Milan P. Stanic wrote:
> So, I think I'm not slandering them or at least that isn't my
> intention. I apologize if I did.
Slander wasn't the correct word. It's just not a good idea to malign a
whole set of coders and programs without solid reasoning behind it.
>> As far as I
X apply to them. So if you suddenly have to support a program that
does not work with your stack protection scheme then you just flip a bit in
the ELF header and it'll work fine!
The only problem you might have is users on a multi-user system putting their
own binaries in their home
Marco d'Itri <[EMAIL PROTECTED]> writes:
> On Aug 21, Xavier Roche <[EMAIL PROTECTED]> wrote:
>
> >- using devfs for /dev (kernel 2.4 and package devfsd installed)
> devfs will probably disappear. It's better to look at udev (which I'm
> packaging).
Could you give a quick overview about how to
-shield=1 ?
O.
On Thu, 2003-08-21 at 04:57, Russell Coker wrote:
> Who is interested in stack protection?
>
> I think it would be good to have some experiments of stack protected packages
> for Debian. Probably the best way to do this would be to start with
> ssh-stack and sysklog
On Aug 22, Goswin von Brederlow <[EMAIL PROTECTED]> wrote:
>I'm basically just intrested in whats needed in /dev/ to get udev
>started and what userspace tools udev needs on a initrd.
Whatever is already needed to make your system boot.
So far udev will only create nodes for plug and play device
51 matches
Mail list logo
