[devel] Fw: [rsbac] RSBAC & Molnar Ingo's ExecShield
Alexander Bokovoy
=?iso-8859-1?q?ab_=CE=C1_altlinux=2Eorg?=
Пт Дек 10 08:53:46 MSK 2004
JFYI:
(читать сверху вниз).
----- Forwarded message from Deim Agoston <ago на lsc.hu> -----
Date: Mon, 6 Dec 2004 20:06:18 +0100
From: Deim Agoston <ago на lsc.hu>
To: rsbac на rsbac.org
Subject: [rsbac] RSBAC & Molnar Ingo's ExecShield
hi all,
does anybody use both at the same time? As PaX team doesn't seems to
provide "official" stable releases for newer kernels in 2.6 series I
would like to be sure that I have an emergency plan if I have to uprade
kernel and/or os and have to use memory protection against overflows etc.
And I don't want to experience the usage of this combination then.
Any RTFM and experience appreciated.
bye,
Ago
-----------
Deim ?goston
LSC Linux Support Center Kft.
e-mail: deim.agoston на lsc.hu
Tel/fax:06-1/341-0457
_______________________________________________
rsbac mailing list
rsbac на rsbac.org
http://www.rsbac.org/mailman/listinfo/rsbac
----- End forwarded message -----
----- Forwarded message from Michal Purzynski <albeiro на zeus.polsl.gliwice.pl> -----
Date: Mon, 6 Dec 2004 23:14:32 +0100 (MET)
From: Michal Purzynski <albeiro на zeus.polsl.gliwice.pl>
To: RSBAC Discussion and Announcements <rsbac на rsbac.org>
Subject: Re: [rsbac] RSBAC & Molnar Ingo's ExecShield
On Mon, 6 Dec 2004, Deim Agoston wrote:
> hi all,
>
> does anybody use both at the same time? As PaX team doesn't seems to
> provide "official" stable releases for newer kernels in 2.6 series I
> would like to be sure that I have an emergency plan if I have to uprade
> kernel and/or os and have to use memory protection against overflows etc.
> And I don't want to experience the usage of this combination then.
>
PaX team does not provide official support for 2.6 kernel considering them
unstable development version. Emergency like this - moving from PaX to
ExecShield and back will only calm down you but will not provide any
security. That is because ExecShield protections can be bypassed and ways
of doing this are known. It is advised to stay with stable series (2.4
kernels) on most important machines.
Albeiro
_______________________________________________
rsbac mailing list
rsbac на rsbac.org
http://www.rsbac.org/mailman/listinfo/rsbac
----- End forwarded message -----
----- Forwarded message from Deim Agoston <ago на lsc.hu> -----
Date: Tue, 7 Dec 2004 08:12:17 +0100
From: Deim Agoston <ago на lsc.hu>
To: RSBAC Discussion and Announcements <rsbac на rsbac.org>
Subject: Re: [rsbac] RSBAC & Molnar Ingo's ExecShield
Michal Purzynski <albeiro на zeus.polsl.gliwice.pl> irta:
> PaX team does not provide official support for 2.6 kernel considering them
> unstable development version. Emergency like this - moving from PaX to
I know it. One of my friends, GCS - gcs aT lsc DoT hu - migrates the
grsecurity+ pax patches to debian kernels. He and the Hungarian guy
change emails so more or less I know the reasons why the newer 2.6
kernels lack the support of pax. But that's not me who is in question
but our partners.
> ExecShield and back will only calm down you but will not provide any
> security. That is because ExecShield protections can be bypassed and ways
> of doing this are known. It is advised to stay with stable series (2.4
> kernels) on most important machines.
Oh, yes but if you work with RH Enterpise versions - I suspect you do so
- you have to know what's the official statements of RH support: you can
not patch there official enterprise kernels. (you loose official support
and some kind of CTO needs to know that they have official support from
some kind of sw vendor) That's one of the reasons
why I didn't release any comaprsions of SELinux and RSBAC and grsecurity.
(other reason is that it turned out that our partner considered it
"dangerous if anybody has the possibility to figure out what versions of
software they use and how" - stupidity but money talks, so it stood
on-site)
<lament>
If our partner says he need some kind of security
and read something about SELinux and ExecShield in the leaflets from
RH than I have to use ExecShield and SELinux. And if I have to use
execshield I don't want to duplicate my efforts so I would stay with
it with the RSBAC patched of kernels if it's released more often and the
partners need some kind of memory protection along with 2.6.x kernel.
Again: money talks. The engineer can advise but he doesn't decide.....
Ok, it has the advantege that you don't have to provide any
responsibility and you can write it down in your contract. </lament>
bye,
Ago
>
> Albeiro
>
> _______________________________________________
> rsbac mailing list
> rsbac на rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac
--
-----------
Deim ?goston
LSC Linux Support Center Kft.
e-mail: deim.agoston на lsc.hu
Tel/fax:06-1/341-0457
_______________________________________________
rsbac mailing list
rsbac на rsbac.org
http://www.rsbac.org/mailman/listinfo/rsbac
----- End forwarded message -----
----- Forwarded message from Michal Purzynski <albeiro на zeus.polsl.gliwice.pl> -----
Date: Tue, 7 Dec 2004 13:03:06 +0100 (MET)
From: Michal Purzynski <albeiro на zeus.polsl.gliwice.pl>
To: RSBAC Discussion and Announcements <rsbac на rsbac.org>
Subject: Re: [rsbac] RSBAC & Molnar Ingo's ExecShield
On Tue, 7 Dec 2004, Deim Agoston wrote:
> Oh, yes but if you work with RH Enterpise versions - I suspect you do so
i am quite happy person using Gentoo Hardened and Adamantix in produciton
- but that was where i could decide.
> If our partner says he need some kind of security
> and read something about SELinux and ExecShield in the leaflets from
> RH than I have to use ExecShield and SELinux. And if I have to use
> execshield I don't want to duplicate my efforts so I would stay with
> it with the RSBAC patched of kernels if it's released more often and the
> partners need some kind of memory protection along with 2.6.x kernel.
> Again: money talks. The engineer can advise but he doesn't decide.....
> Ok, it has the advantege that you don't have to provide any
> responsibility and you can write it down in your contract. </lament>
yes i see how difficult situation you have. redhat makes money and
"security" they included is only for marketing. because implementing PaX
and some other MAC systems would need much effort from they engineers they
gone easy way writing they own solution - easy to use but not necesesary
secure. and now they can write that "we already have memory protection
and access control", go with us. definitely they are only about making
money.
oh, btw - try to run some suid app with LD_DEBUG=all -> most easy way to
get necesary offsets needed to exploit application. while this is clear
security flaw (glibc information leaking) they always refused to patch it,
even beeing offered patches. and this is only one of many problems with
redhat.
ok, but since you do have to use it - i see no problem, it should work,
you may have to patch it a bit by hand (do not know how much of
execshield gone into mainstream kernels).
Albeiro
_______________________________________________
rsbac mailing list
rsbac на rsbac.org
http://www.rsbac.org/mailman/listinfo/rsbac
----- End forwarded message -----
--
/ Alexander Bokovoy
Samba Team http://www.samba.org/
ALT Linux Team http://www.altlinux.org/
Midgard Project Ry http://www.midgard-project.org/
Подробная информация о списке рассылки Devel