-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Jason Wever wrote:
| On Sun, 26 Sep 2004 02:14:35 -0400
| John Richard Moser <nigelenki@×××××××.net> wrote:
|
|
|>|>2) The risk is real and errors against this seem common.
|>|
|>|
|>| Sure, there is risk in almost everything too. However just because
|>| driving an automobile can be dangerous doesn't mean I'll buy a tank or
|>| stay inside just to feel safe.
|>
|>No, but you'll get one with strong bars in the doors so that side
|>impacts don't crush you to death, but rather push your car (crack open a
|>fiberglass car door once, you'll see 'em). Also, rollbars on cars with
|>no hard-top, etc.
|
|
| And to make analogies, wouldn't technologies such as ACLs,
| firewalls, VPNs, etc provide us with our side-impact bars, airbags, etc?
|

No, that'd be a tank. The controls are klunky and the mass is greater
so it's harder to stop, and difficult to see/steer half the time.

| Additionally just because wood burns doesn't mean people don't live in
| houses made from wood.
|
|
|>| Doesn't this exist already? if people didn't trust Gentoo then why are
|>| they using it? We can't be held ultimately responsible for software we
|>| didn't write. If you can knock over service foo-1.2.3 on Gentoo, chances
|>| are you can knock it over on another Linux or possibly any other platform
|>| it runs on either.
|>
|>I trust Gentoo in the security sense as much as I trust Mandrake, or
|>Debian, or SuSE. The difference is that after taking notice of the
|>hardened project, I learned about all kinds of neat stuff like
|>-fstack-protector and PaX, and now don't really trust anything else.
|
|
| That is where you chose to define reasonable security for yourself and
| your applications. Imposing these options on the unknowing or unwary is
| not the best course of action, regardless of the "transparency" of those
| options to the user.
|

Documentation, heh. Let 'em know about it somehow just above the CFLAGS
line. I said transparent, not invisible.

On a side note, normally your auto dealer doesn't tell you about the
re-enforced hull of your automobile; but there HAS to be a clear warning
if the doors DON'T come with these standard safety features, because an
accident will KILL you.

|
|>You can't be held responsible for others' security holes, but you can
|>take simple steps to mitigate the damages.
|
|
| This is something that each person needs to evaluate for themselves.
| Whether I agree or disagree with a given individual on what a default
| level of reasonable security is, the ultimate decision is up to the end
| user.
|
| Gentoo's role is similar to that of a consultant. You have the
| consultants research or investigate a problem, concept, etc and then they
| present you with the results, and the possible solutions to go
| with. The decision is still up to the end user, and with a consultant,
| they *know* what the pros and cons are before making that decision.
|

Well, as a consultant, my suggestion is to enable SSP. If you don't
like it turn it off.

|
|>|>What I propose to do (pick the low hanging fruit):
|>|>1) Add stack protector and any similar 'features' stable in hardened
|>|>to the default CFLAGS of the gentoo install/profiles. By stable I mean
|>|>things which do not break the majority of functionality.
|>|
|>|
|>| Feel free to take on the ownership of making this work on every arch's
|>| toolchain then. Also feel free to deal with all upstream authors who
|>| start instantly dismissing any bugs from Gentoo due to the fact that the
|>| toolchain is quite modified to accomplish this task. Take the current
|>| stance the GAIM team has with us as an example of what would be
|>| to come.
|>
|>SSP works on all architectures.
|
|
| The concept of SSP may work on all architectures, but the implementation
| requires a fair amount of work to make it happen. Getting the toolchain
| and/or commonly used applications to build and/or run properly when SSP is
| in use has proven to be a problem in the past. If you want exact
| historical evidence, just search our bugzilla server, particularly for
| SPARC (i.e. bug #39725).
|

Finally someone gave me a bug number instead of just crying about it
breaking their shit.

| Granted support for SSP gets better as time goes on, but using the Gentoo
| user base (unless they choose to be) as the QA for this is not a good
| idea.
|

[...]

|>|
|>|>3) People who prefer not to be protected can remove the settings from
|>|>their CFLAGS
|>|
|>|
|>| Personally, I don't think opting out is the way to do this. Having CFLAGS
|>| that are in by default that may or may not work across all architectures
|>| is not a good thing.
|>
|>Opting out of a feature which in usage you're normally not going to
|>really notice is there is not the way to do things? Dude, that's like
|>saying you should make locks on windows optional. They can be unlocked.
|>
|>And ssp is supposed to be portable. Etoh and Yoda's paper[1] says that
|>The IBM stack smash protection method (ProPolice) is CPU and OS
|>independent[2]. I think that you'd be within reason to complain to them
|>if it didn't work across all archs.
|>
|>[1] http://www.trl.ibm.com/projects/security/ssp/main.html
|>[2]
|>http://www.trl.ibm.com/projects/security/ssp/node4.html#SECTION00045000000000000000
|
|
| See my above reply to your comment of SSP working on all architectures.
| Additionally, thanks for the links on SSP.
|

np.

|

[...]

|>Yes, exactly. -fstack-protector is one of those things you put there
|>and never notice, but it does its job.
|
|
| As someone who supports our end users, I definitely have noticed it with
| regards to the aforementioned build problems.
|

That's a problem; it's definitely not supposed to do that.

|
|>| Right now I have a choice to use these features if I want to. I don't
|>| have to "opt-out" and I would rather keep it that way. The support
|>| nightmare this will create is not worth the potential advantages.
|>
|>Yes and about 99.9999999% of your user base is probably going to say
|>"wha? SSP? Wassat?" if you ask them if they use SSP.
|
|
| This is a strong part of my point.
|
| One of the reasons I originally chose to run Slackware Linux and later
| Gentoo Linux is that they did not attempt to do things for the user by
| default. They assumed a certain level of knowledge by default, and let
| the users make their own choices. In having talked with many users of
| Gentoo either online or in the real world, this is one of the important
| reasons they chose to use Gentoo.
|
| To me, every time a proposal like this comes up that influences what the
| defaults are, it takes us one step farther away from that.
|

It works both ways. I have no choice but to use Stage 1, even on amd64
(which unlike x86 doesn't have a million different archs I can optimize
for); that's the only way I can get SSP. I know quite a few people
start from stage 2 or 3.

Poll the user base?

|

[...]

|>As someone who is passively absorbing this information, I find your
|>ignorance combined with your claim of being a security expert to
|>indicate that you're full of shit.
|
|
| You are certainly entitled to that opinion. I never claimed to be a
| security expert, I only said I worked in the field. And just because I
| work in the field doesn't mean I'm intricately familiar with everything in
| it.

Ahh. Alright, I read too deep into your statements then.

|
|
|>You've repeatedly referred to the issue of cross-platform portability
|>with SSP in here, for example; and I've pointed out once a link that
|>shows that SSP is OS and CPU independent. Do your research, read what's
|>out there.
|
|
| See my above mentioned historical problems with using -fstack-protector.
| What is written on paper and what actually happens in the real world are
| two entirely different things.

Is it a bug in the program, or in -fstack-protector? If it's in SSP,
can you try to get Etoh a chroot on a sparc, if he wants it?

|
|

[...]

|>I'm no security expert, I don't claim to be; but I at least know the
|>subject matter here better than you, for some strange and unknown reason.
|
|
| That is entirely possible. I think some of this is due to us looking at
| it from different angles as well.
|

mmhmm.

|

[...]

|>|
|>
|>I can say that faster. "General security is a lost cause; only security
|>experts have any business having security, even if it's transparent to
|>them."
|
|
| Like a lot of things in life, it pays to do your homework first. That's
| why I'm advocating the opt-in approach here. Similarly to the fact that
| we do not require users to use a syslog daemon (unless other
| applications they chose to use require it), but suggest it in the
| Installation Handbook, this could be an item to be put at the beginning.
| Both to inform the user as to what SSP is and how to enable it if they
| choose.
|

[...]

| And while security is important to some people, it is not to others (yes
| this is an endlessly debatable topic, so lets leave it at that and not
| contribute to it). If we are seriously thinking of implementing this, I
| would ask that we poll our end users first to see if this is a
| default option a majority of them would want or not.
|

yay poll :)

| Regards,

--
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBVvEbhDd4aOud5P8RArSRAJ4pmW0rxjayqWbm0DO4vGQm8gN/kACdFZqs
rwajUs0yC2JosyjjWQmj9Xs=
=LV+k
-----END PGP SIGNATURE-----

--
gentoo-dev@g.o mailing list
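The frame layout that lets -fstack-protector "do its job" without the user noticing, as an added illustration (not code from this thread or from GCC; the names and the guard value are hypothetical): a C emulation of the ProPolice frame, where the guard word sits between the local character array and the saved return address, so an unchecked copy that reaches the return slot must clobber the guard first and the epilogue check catches it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative emulation of the ProPolice/SSP frame layout, not GCC's code:
 * names are hypothetical, and the guard is a fixed constructed constant where
 * real SSP uses a per-process random word (__stack_chk_guard). */
#define BUF_LEN 16
#define RET_SENTINEL 0xDEADBEEFU
static const uint32_t process_guard = 0xA5C3F00DU; /* constructed value */

/* ProPolice moves local character arrays directly below the guard word, which
 * sits directly below the saved frame pointer / return address, so an overflow
 * of buf must run through guard before it can reach saved_ret. */
typedef struct {
    char     buf[BUF_LEN];
    uint32_t guard;
    uint32_t saved_ret;   /* stands in for the real return-address slot */
} frame_t;

enum { FRAME_OK = 0, GUARD_CLOBBERED = 1, RET_CLOBBERED = 2 };

/* Copy `len` bytes of input into the frame's buffer with no bounds check
 * (strcpy-style), then run the epilogue check -fstack-protector inserts.
 * Returns FRAME_OK or a bitmask of what was overwritten; the real check
 * calls __stack_chk_fail() and aborts instead of returning. */
int run_guarded_copy(const unsigned char *input, size_t len)
{
    frame_t f;
    int status = FRAME_OK;
    f.guard = process_guard;     /* prologue: plant the canary */
    f.saved_ret = RET_SENTINEL;
    if (len > sizeof(f))         /* keep the emulation itself in bounds */
        len = sizeof(f);
    memcpy((unsigned char *)&f, input, len);   /* the unchecked copy */

    if (f.guard != process_guard)      /* epilogue: canary still intact? */
        status |= GUARD_CLOBBERED;
    if (f.saved_ret != RET_SENTINEL)
        status |= RET_CLOBBERED;
    return status;
}

/* Feed n bytes of 'A' (constructed input) through the guarded frame. */
int overflow_status(size_t n)
{
    unsigned char input[64];
    if (n > sizeof(input))
        n = sizeof(input);
    memset(input, 'A', n);
    return run_guarded_copy(input, n);
}
```

On a real toolchain the same mechanism is visible by compiling a function with a local array once with and once without -fstack-protector and checking the object for a reference to __stack_chk_fail.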