Re: Security warning for kernel upgraders
On Mon, 2006-05-29 at 14:56 +0200, Johannes Winkelmann wrote:
What's the upstream status of this? If there's no chance this patch ever gets accepted, I'd vote to revert it. It's an unnatural choice for CRUX to ship modified core utilities, especially since it's easy enough to create an alias, use a modified port
I agree, but when it comes to security, behaving like upstream does comes in second.
or - in this particular case - do as the kernel guys say and uncompress/compile the kernel as non-root user.
Mind you, this applies to all tarballs, not only the ones from kernel.org. If this is reverted, at least pkgmk should use --no-same-permissions --no-same-owner when extracting sources. Also, if it's that insane to extract and compile as root, why is it still the official way to build all software on CRUX? ;)
However, if this is going to be integrated by the GNU tar devs at some point in time, I think it's valid to keep it in. So what's the status here?
I personally doubt it, they probably consider it a feature over a bug (since the default is to not retain permissions, the insane behaviour is only applied if you run tar as root.)
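What the two flags proposed for pkgmk change, as an added example that is not part of the original messages: a constructed tarball containing a world-writable directory is extracted once with --same-permissions (GNU tar's default when run as root) and once with --no-same-permissions --no-same-owner. GNU tar and GNU stat are assumed; the file and function names are made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The archive below is constructed.

make_archive() {   # $1 = work dir; writes $1/src.tar holding a 0777 dir
    mkdir -p "$1/build/pkg-1.0"
    echo 'int main(void){return 0;}' > "$1/build/pkg-1.0/main.c"
    # Modes as a careless upstream might have stored them.
    chmod 0666 "$1/build/pkg-1.0/main.c"
    chmod 0777 "$1/build/pkg-1.0"
    tar -C "$1/build" -cf "$1/src.tar" pkg-1.0
}

extract_modes() {  # $1 = work dir, $2 = output subdir, rest = tar flags
    wd=$1; out=$2; shift 2
    mkdir -p "$wd/$out"
    tar "$@" -C "$wd/$out" -xf "$wd/src.tar"
    # Unquoted on purpose: joins "dir-mode file-mode" onto one line.
    echo $(stat -c '%a' "$wd/$out/pkg-1.0" "$wd/$out/pkg-1.0/main.c")
}

# Runs in a subshell so the umask change does not leak into the caller.
demo_modes() (
    wd=$(mktemp -d) || exit 1
    umask 022
    make_archive "$wd"
    # Root's default behaviour: archive modes applied verbatim, umask ignored.
    as_root=$(extract_modes "$wd" root-default --same-permissions)
    # Flags suggested for pkgmk: umask applies, files belong to the extractor.
    hardened=$(extract_modes "$wd" hardened \
        --no-same-permissions --no-same-owner)
    rm -rf "$wd"
    echo "root-default: $as_root | hardened: $hardened"
)

demo_modes
```

The first pair of modes is what ends up on disk when sources are unpacked as root without the flags; the second pair is the same archive after the umask has been applied.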
Hi,
Thanks for moving it to the right list :-)
On Mon, May 29, 2006 at 15:51:00 +0200, Mark Rosenstand wrote:
On Mon, 2006-05-29 at 14:56 +0200, Johannes Winkelmann wrote:
What's the upstream status of this? If there's no chance this patch ever gets accepted, I'd vote to revert it. It's an unnatural choice for CRUX to ship modified core utilities, especially since it's easy enough to create an alias, use a modified port
I agree, but when it comes to security, behaving like upstream does comes in second.
I agree, and I'm all for addressing issues triggered by GNU tar's behaviour e.g. in pkgmk.
However, CRUX is in no way a hardened distribution right now, and this patch doesn't change that [1]. Therefore, this isolated change just feels inconsistent. If we promote a different patch policy in the future, that's fine with me, but for now, it seems to be a bad compromise (breaking compatibility for very little added security overall).
Regards, Johannes
Notes:
1. That's not saying I'm against hardening in general
--
Johannes Winkelmann mailto:jw@smts.ch
Zurich, Switzerland http://jw.smts.ch
On Mon, 2006-05-29 at 16:20 +0200, Johannes Winkelmann wrote:
On Mon, May 29, 2006 at 15:51:00 +0200, Mark Rosenstand wrote:
On Mon, 2006-05-29 at 14:56 +0200, Johannes Winkelmann wrote:
What's the upstream status of this? If there's no chance this patch ever gets accepted, I'd vote to revert it. It's an unnatural choice for CRUX to ship modified core utilities, especially since it's easy enough to create an alias, use a modified port
I agree, but when it comes to security, behaving like upstream does comes in second.
I agree, and I'm all for addressing issues triggered by GNU tar's behaviour e.g. in pkgmk.
However, CRUX is in no way a hardened distribution right now, and this patch doesn't change that [1]. Therefore, this isolated change just feels inconsistent. If we promote a different patch policy in the future, that's fine with me, but for now, it seems to be a bad compromise (breaking compatibility for very little added security overall).
Point taken :)
1. That's not saying I'm against hardening in general
Could make a nice sub-project in the form of a core/opt overlay. Han? Others interested?
On Mon, 29 May 2006 22:02:54 +0300, Mark Rosenstand <mark@borkware.net> wrote:
Hi, Mark!
Could make a nice sub-project in the form of a core/opt overlay. Han? Others interested?
It's a very-very nice thing. I thought a couple of times to make a modified version of CRUX like Gentoo Hardened or similar [1]. However, the fact is that I'm satisfied with the current mainstream CRUX fully. So I'll prefer to not move fast this way. It already suits my needs best among all that distrozoo and all the rest I can do by myself :). This is the way I like.
However I think this is up to users who need it. As soon as different people need different security enhancements, it's difficult to make such a distro with a CRUX-flavour. Of course it's not that I'm against it! I'm all for it!
[1] http://www.gentoo.org/proj/en/hardened/
--
Oleksiy
Oleksiy V. Khilkevich wrote:
It's a very-very nice thing. I thought a couple of times to make a modified version of CRUX like Gentoo Hardened or similar [1]. However, the fact is that I'm satisfied with the current mainstream CRUX fully. So I'll prefer to not move fast this way. It already suits my needs best among all that distrozoo and all the rest I can do by myself :). This is the way I like.
In the past few months, I've started using Crux 2.2 with a *lot* of custom packages on some production servers. It's working really well, so far, and we've been developing some tools to make installations and configurations easier. It's a lot of work to get the custom packages done the way that we need them, but it's the kind of work that you only have to do once (go Crux!).
I think that there might be some overlap between your goals of hardening the default installation and some of our tweaks. Some of the significant changes:
- swapping out sysklogd for syslog-ng;
- installing user/group accounts for daemons that can run with reduced privileges, and using them;
- beefing up init scripts to handle chrooting more easily;
- lots and lots of configuration changes to make various daemons more "crux-ish" in their behavior and file placement;
- extensive post-install scripts to create ready-to-go setups;
Some of these changes support each other: using daemon accounts wherever possible makes chrooting much more effective (a root process on Linux can break out of a chroot jail, unfortunately), and having everything work through syslog-ng makes the chroot setups easier to manage.
I have also considered implementing:
- a lot of the additions from the Hardened LFS project, which I believe overlaps heavily with hardened Gentoo;
- PAM support, which I believe has made it into the latest Crux64;
These last two are waiting on free time, which is in short supply.
Anyway, we don't have a package repository set up, yet, but I'm thinking of publishing one along with the documentation describing what we're doing with Crux. If anyone is interested, please let me know, and I'll notify the list when it goes live.
-Ryan
Ryan B. Lynch wrote:
I think that there might be some overlap between your goals of hardening the default installation and some of our tweaks. Some of the significant changes:
- swapping out sysklogd for syslog-ng;
- installing user/group accounts for daemons that can run with reduced privileges, and using them;
- lots and lots of configuration changes to make various daemons more "crux-ish" in their behavior and file placement;
- extensive post-install scripts to create ready-to-go setups;
Relatively to user accounts - I think it is possible to not branch the tons of ports just in order to add post-install scripts. Maybe some sort of 'hardening' script for every port is enough. Say - add user and change the configuration file as needed. The changes should be very transparent to the end-users in order to give them the choice :). Besides we can make such scripts interactive, where needed. This way hardening will be an optional step for normal CRUX.
As for making the behaviour of daemons more cruxish - I didn't fully get the point. Do you mean some sort of file system hierarchy recommendation?
I have also considered implementing:
- a lot of the additions from the Hardened LFS project, which I believe overlaps heavily with hardened Gentoo;
- PAM support, which I believe has made it into the latest Crux64;
That's a must I think. For server-grade CRUX PAM brings a lot of flexibility.
Anyway, we don't have a package repository set up, yet, but I'm thinking of publishing one along with the documentation describing what we're doing with Crux. If anyone is interested, please let me know, and I'll notify the list when it goes live.
Would be great to participate.
-- Oleksiy
On Fri, 09 Jun 2006 09:31:15 +0300 "Oleksiy V. Khilkevich" <grim@asu.ntu-kpi.kiev.ua> wrote:
Ryan B. Lynch wrote:
I think that there might be some overlap between your goals of hardening the default installation and some of our tweaks. Some of the significant changes:
- swapping out sysklogd for syslog-ng;
- installing user/group accounts for daemons that can run with reduced privileges, and using them;
- lots and lots of configuration changes to make various daemons more "crux-ish" in their behavior and file placement;
- extensive post-install scripts to create ready-to-go setups;
Relatively to user accounts - I think it is possible to not branch the tons of ports just in order to add post-install scripts. Maybe some sort of 'hardening' script for every port is enough. Say - add user and change the configuration file as needed. The changes should be very transparent to the end-users in order to give them the choice :). Besides we can make such scripts interactive, where needed. This way hardening will be an optional step for normal CRUX.
I have some semi-unified not-so-dumb post-install scripts adding additional users for some ports. As I can remember, Mark Rosenstand wanted to unify post-install stuff. Seems to be a good place to start: for example provide a port containing several useful bash functions, define a few variables and allow port maintainers to source them from post-install...
As for making the behaviour of daemons more cruxish - I didn't fully get the point. Do you mean some sort of file system hierarchy recommendation?
And adding some simple checks like pid-file presence, and avoiding complex stuff?
I have also considered implementing:
- a lot of the additions from the Hardened LFS project, which I believe overlaps heavily with hardened Gentoo;
- PAM support, which I believe has made it into the latest Crux64;
I hope it was not PAM, who killed it (http://crux.danm.de/).
That's a must I think. For server-grade CRUX PAM brings a lot of flexibility.
Anyway, we don't have a package repository set up, yet, but I'm thinking of publishing one along with the documentation describing what we're doing with Crux. If anyone is interested, please let me know, and I'll notify the list when it goes live.
Would be great to participate.
I'd like to make something useful too.
--
Mikhail Kolesnik
ICQ: 260259143
IRC: mike_k at freenode/#crux, rusnet/#yalta
Jabber: mike_k@jabber.lafox.net
NIC handle: MKK83-UANIC
Hi Ryan,
On Thu, Jun 08, 2006 at 15:45:00 -0400, Ryan B. Lynch wrote:
[...]
In the past few months, I've started using Crux 2.2 with a *lot* of custom packages on some production servers. [...] Anyway, we don't have a package repository set up, yet, but I'm thinking of publishing one along with the documentation describing what we're doing with Crux. If anyone is interested, please let me know, and I'll notify the list when it goes live.
Please do so, I'm sure many people will be interested, and depending on how general those notes are they might make a good addition to our wiki, kind of a "best practises for running crux on servers" document.
Regards, Johannes
--
Johannes Winkelmann mailto:jw@smts.ch
Zurich, Switzerland http://jw.smts.ch
participants (5): Johannes Winkelmann, Mark Rosenstand, Mikhail Kolesnik, Oleksiy V. Khilkevich, Ryan B. Lynch