1 |
Hi All, |
2 |
On нд, 2004-09-26 at 03:58, Jason Wever wrote: |
3 |
> On Sat, 25 Sep 2004 19:26:26 +0200 |
4 |
> Bart Lauwers <blauwers@g.o> wrote: |
5 |
> |
6 |
> > Having read the whole thread here are some I feel important points to be |
7 |
> > made: 1) Safety is important, it should be our aim to have our default |
8 |
> > system as secure as it possibly could be. Just look at the reviews some |
9 |
> > OS providers get over security. A good computer system should be |
10 |
> > protected against bad code as much as possible. |
11 |
> |
12 |
> Then shut it off, unplug it from the wall, permanently erase all data and |
13 |
> then eject the physical components into the sun. Otherwise you will |
14 |
> always be at some form of security risk, know or unknown. |
15 |
> |
16 |
> Also make sure you don't get the Operating System confused with the extra |
17 |
> software provided. 99% of all software on your installation is not part |
18 |
> of the Operating System. If you plan on making Gentoo accountable for |
19 |
> that, I hope you have an army of developers waiting in the wings. |
20 |
> |
21 |
I think both are right but no common point still. |
22 |
> > 2) The risk is real and errors against this seem common. |
23 |
> |
24 |
> Sure, there is risk in almost everything too. However just because |
25 |
> driving an automobile can be dangerous doesn't mean I'll buy a tank or |
26 |
> stay inside just to feel safe. |
27 |
> |
28 |
According to some statistics presented here before 1/3 of vuln. are due |
29 |
to stack overflow attacks. Fact. Confirm? |
30 |
> > 3) A good housefather does not leave the front door of any home open at |
31 |
> > |
32 |
> > night. |
33 |
> |
34 |
> See reply to 1. |
35 |
> |
36 |
Again a matter of balance, security vs stability/usability |
37 |
> > 4) Protection is possible/available (to a degree) at system level. |
38 |
This is a point that i'm more interested in. |
39 |
Just some facts (mine of course). Since august 2003 build a Gentoo 1.4 |
40 |
system (stage3) using hardened (as of then). Added -fstack-protector and |
41 |
-DPIC if i remember correctly. Also hardened-gcc. There was an easy way |
42 |
to disable GCC-hardened if needed :). Not so easy now, but now it's |
43 |
integrated in the toolchain. Evolution is good. |
44 |
This on my home desktop system with some servers (apache2, subversion, |
45 |
qmail, djbdns-caching, MySQL and PostgreSQL, postfix /before qmail/, |
46 |
spamd, music soft, Xine and mplayer /from 1_pre5 wont compile/, nvidia |
47 |
with 3-D for half of the time other things also). Used it from a 2.4.20 |
48 |
till now 2.6.7 kernels. |
49 |
Leave alone SSP i also have PaX(kernel) & PIC/PIE(binaries) and |
50 |
grsec/grsec2 installed. IMHO most bugs are due to using PaX&PIC/PIE and |
51 |
SSP not grsec2. |
52 |
The strange thing is that in overall most of (my) bugs are with the |
53 |
src-packages ebuilds etc. not of using hardened, some are due to this of |
54 |
course, but maybe some 10-15 % not more. |
55 |
Think that most important in this discussion is if SSP alone could break |
56 |
too many things so it's shouldn't be in the default CLAGS. |
57 |
Checked in b.g.o with 'ALL stack-protector' (a rough search & all archs) |
58 |
and found nearly ~50 bugs due to SSP: NEW - 6 (1-blocker, 1-major); |
59 |
40-RESO (1-LATE,4-INVA,1-UPST,1-CANT,1-WORK,1-WONT and 14-DUPL). This is |
60 |
for all archs. |
61 |
Don't think there are too many bugs due to SSP (IMHO). |
62 |
Think that to have a 'light' protection in hardened using only SSP is |
63 |
silly as things work (almost) even with all hardened now. So question is |
64 |
'Is it ready for inclusion in default CLAGS?'. |
65 |
There was a good (IMO) suggestion from JStubbs to include SSP only in |
66 |
stage3 tarball and GRP. |
67 |
Maybe it's very useful to have some opinions (with facts) from other |
68 |
devs and users, so it's not just plain pro/cons in theory only :) |
69 |
My subjective opinion is that there isn't a big performance hit in using |
70 |
SSP, but i just don't have alternative experience. |
71 |
> > 5) most people prefer to know they can have a reasonable trust in their |
72 |
> > computer system to operate reliably and consistently by default |
73 |
> |
74 |
> Doesn't this exist already? if people didn't trust Gentoo then why are |
75 |
> they using it? We can't be held ultimately responsible for software we |
76 |
> didn't write. If you can knock over service foo-1.2.3 on Gentoo, chances |
77 |
> are you can knock it over on another Linux or possibly any other platform |
78 |
> it runs on either. |
79 |
No comment. |
80 |
> |
81 |
> > Here are some of the things not to like about what is proposed so far: |
82 |
> > 1) Adjusting all ebuilds (not very productive, only adds clutter to |
83 |
> > ebuilds) 2) Making new features, use flags whatever (same idea) |
84 |
> > 3) Not doing anything would not be very responsible |
85 |
> |
86 |
> Are we in the insurance business or are we in the Linux distribution |
87 |
> business? Maybe I'm way out in left field here but I'm not holding Gentoo |
88 |
> responsible for software they didn't write. |
89 |
> |
90 |
> > What I propose to do (pick the low hanging fruit): |
91 |
> > 1) Add stack protector and and any similar 'features' stable in hardened |
92 |
> > to the default CLFAGS of the gentoo install/profiles. By stable I mean |
93 |
> > things which do not break the majority of functionality. |
94 |
> |
95 |
Again the main issue is does SSP breaks too many things? If YES then put |
96 |
'-fstack-protector' only as an extra option (as of now). But if NOT put |
97 |
it by default and add a comment how to disable it. |
98 |
Another point the initial discussion was mostly on adding SSP ONLY to |
99 |
daemons and critical services inet-connecting programs etc. |
100 |
Now question has shifted to: make it default CFLAG or not. What about |
101 |
the first proposal (it's more work tough). |
102 |
PS: now remember we have 'hardened-stages' also, but again with ALL |
103 |
(SSP&PIE) features added (not sure what really is included). |
104 |
> Feel free to take on the ownership of making this work on every arch's |
105 |
> toolchain then. Also feel free to deal with all upstream authors who |
106 |
> start instantly dismissing any bugs from Gentoo due to the fact that the |
107 |
> toolchain is quite modified to accomplish this task. Take the current |
108 |
> stance the GAIM team has with us as an example of what would be to come. |
109 |
> |
110 |
This IMO is an important issue (don't have experience here). Other |
111 |
opinions? |
112 |
> > 2) broken ebuilds can filter-flags until fixed (better approach since |
113 |
> > you are only fixing up ebuilds for broken stuff and may also prompt the |
114 |
> > devs to try and make the protection work). |
115 |
> |
116 |
> The protection itself is a work-around to the original problem. You want |
117 |
> to continue to work around the problem even more? |
118 |
> |
119 |
Think it's better to have some 'stop-vuln.' till fixed than nothing |
120 |
(again the option to add SSP /on choice/ only for some packages). |
121 |
See the discussion on the layers of protection. Each one have its place |
122 |
and role. |
123 |
> > 3) People who prefer not to be protected can remove the settings from |
124 |
> > their CFLAGS |
125 |
> |
126 |
> Personally, I don't think opting out is the way to do this. Having CFLAGS |
127 |
> that are in by default that may or may not work across all architectures |
128 |
> is not a good thing. |
129 |
> |
130 |
> > 4) get stuff virus, spam, etc protection functional and leveraged into |
131 |
> > the defaults in other words turn on those USE flags in the standard |
132 |
> > profiles |
133 |
> |
134 |
As linux is evolving very rapidly you could expect more bugs and vuln. |
135 |
as a constant tendency so think it's time to get ready for this (make |
136 |
some steps even small ones, or at least prepare for them). |
137 |
PS:there are enough such projects and progs in other distros: SELinux, |
138 |
RSBAC-kernel patch, exec-shield in RH not to mention Adamantix (much |
139 |
common things with Gentoo-hardened), OpenBSD etc. In this projects many |
140 |
things are overly working even with much more security features added. |
141 |
> No thanks. I don't want to have to spend the first 24 hours or so of |
142 |
> using my new"trusted" operating system opting out of all of the overly |
143 |
> paranoid defaults. If I'm looking for a high level of security out of the |
144 |
> box, I'll use hardened or OpenBSD. |
145 |
> |
146 |
see the comment above. |
147 |
> > A personal opinion: |
148 |
> > Anyone who thinks that a speed tradeoff is too much for better |
149 |
> > protection is crazy. Do us all a favor and play a go night of russian |
150 |
> > roulette by yourself to get your thrills. |
151 |
> |
152 |
> OK seriously, this kind of comment isn't needed. I'm not sure what you |
153 |
> hoped to have accomplished by it, but I'm fairly sure it didn't work. |
154 |
> |
155 |
> As anyone who has spent 5 minutes in the security world knows, there's a |
156 |
> fine line between good security and paranoia. You can lock your system |
157 |
> down to high heaven and be sure that people won't get into it, but then |
158 |
> you won't be able to do a damn thing either. What good is that? |
159 |
> |
160 |
True but there is a middle area (95% security vs 5% usability loss or |
161 |
90%-10% and not 50-50). |
162 |
> Right now I have a choice to use these features if I want to. I don't |
163 |
> have to "opt-out" and I would rather keep it that way. The support |
164 |
> nightmare this will create is not worth the potential advantages. |
165 |
> |
166 |
> > There's more to be said on security but I feel too lazy right now to |
167 |
> > type it so if this isn't convinving you let us know. |
168 |
> |
169 |
> And as this list has shown historically, we can all argue security to high |
170 |
> heaven with each party feeling they have the right answer and never |
171 |
> accomplish anything. |
172 |
> |
173 |
> Now please don't get me wrong. As someone who's day job is in the |
174 |
> security field, I very much like and appreciate the efforts that have gone |
175 |
> into making secure toolchains and hardened systems a reality in Gentoo. |
176 |
> In some cases I do use them as well. |
177 |
> |
178 |
> However, I do not believe it is our place nor our job to make that choice |
179 |
> for our users. You cannot protect people from themselves, regardless of |
180 |
> the perceived benefits. |
181 |
> |
182 |
> Regards, |
183 |
You all see that hardened project is really working (there are people |
184 |
using it for months/years - interested to know just how many). Do you |
185 |
think they quite all the time search for solutions and file bugs or |
186 |
google for using it? |
187 |
PS:There are some other things to consider. There will be more work for |
188 |
hardened herd if this is accepted and there are problems u know. |
189 |
Also the issue with upstream - again. |
190 |
Just my opinion. Thanks |
191 |
Rumen |