|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [suse-security] Will SuSE support stack smashing protection one day?
From: Philippe Vogel (filiaap
freenet.de)
Date: Wed Dec 29 2004 - 12:13:47 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi!
Another way to secure a system is to use role based access control on
kernel-basis:
http://grsecurity.org/
Before anybody says a word to this have a look at it before giving any
argumentation against it.
This is done with capabilities (like on SuSE with compardment) and some
other techniques (it's a kind of "distribution" of multiple kernelpatches
including an iptables-patch and even sone stack-protections - look at the
link "features").
Capabilities set accessrights on kernel-basis (role based access control
uses this technique based on rulesets). Is a right removed nobody can unset
it, even as root. This means e.g. editing of a file or opening of a socket
is only allowed to what is setup in the rules.
O.K. SSP or stackoverflow protection is a nice feature but easy to be
bypassed. AFAIK every security setup can be bypassed, because all code is
written as a software and software will ever be exploitable. Role based
access control gives you extra security and stackoverflow protection gives
you some more security. The price you have to pay is, that the
administration of such a system is more difficult and error searching will
be more complicated (especiall if you develope whatever software under such
a system).
Notice:
This software needs much investigation in how to setup it. The config always
depends on the filelocation which is unique in every distribution. If you
don't know what you need to do, you shouldn't use this. A false setup may
alter your system and lock you out without any access to anything. If you
want to gain the whole benefits you always need the newest patches for it.
Reguards
Philippe
P.S.: As was said it isn't a must-have-feature and "should" be included as a
bonus package. Everybody has his own idea of how to setup a system and this
is not a must-have. It would be nice, if someday someone at SuSE includes
this software into their distribution (as an optional feature).
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]