| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
Jason Wever wrote: |
| 7 |
| On Sun, 26 Sep 2004 02:14:35 -0400 |
| 8 |
| John Richard Moser <nigelenki@×××××××.net> wrote: |
| 9 |
| |
| 10 |
| |
| 11 |
|>|>2) The risk is real and errors against this seem common. |
| 12 |
|>| |
| 13 |
|>| |
| 14 |
|>| Sure, there is risk in almost everything too. However just because |
| 15 |
|>| driving an automobile can be dangerous doesn't mean I'll buy a tank or |
| 16 |
|>| stay inside just to feel safe. |
| 17 |
|> |
| 18 |
|>No, but you'll get one with strong bars in the doors so taht side |
| 19 |
|>impacts don't crush you to death, but rather push your car (crack open a |
| 20 |
|>fiberglass car door once, you'll see 'em). Also, rollbars on cars with |
| 21 |
|>no hard-top, etc. |
| 22 |
| |
| 23 |
| |
| 24 |
| And to make analogies, wouldn't technologies such as ACLs, |
| 25 |
| firewalls, VPNs, etc provide us with our side-impact bars, airbags, etc? |
| 26 |
| |
| 27 |
|
| 28 |
No, that'd be a tank. The controls are klunky and the mass is greater |
| 29 |
so it's harder to stop, and difficult to see/steer half the time. |
| 30 |
|
| 31 |
| Additionally just because wood burns doesn't mean people don't live in |
| 32 |
| houses made from wood. |
| 33 |
| |
| 34 |
| |
| 35 |
|>| Doesn't this exist already? if people didn't trust Gentoo then why |
| 36 |
|>are| they using it? We can't be held ultimately responsible for |
| 37 |
|>software we| didn't write. If you can knock over service foo-1.2.3 on |
| 38 |
|>Gentoo, chances| are you can knock it over on another Linux or possibly |
| 39 |
|>any other platform| it runs on either. |
| 40 |
|> |
| 41 |
|>I trust Gentoo in the security sense as much as I trust Mandrake, or |
| 42 |
|>Debian, or SuSE. The difference is that after taking notice of the |
| 43 |
|>hardened project, I learned about all kinds of neat stuff like |
| 44 |
|>- -fstack-protector and PaX, and now don't really trust anything else. |
| 45 |
| |
| 46 |
| |
| 47 |
| That is where you chose to define reasonable security for yourself and |
| 48 |
| your applications. Imposing these options on the unknowing or unwary is |
| 49 |
| not the best course of action, regardless of the "transparency" of those |
| 50 |
| options to the user. |
| 51 |
| |
| 52 |
|
| 53 |
Documentation, heh. Let 'em know about it somehow just above the CFLAGS |
| 54 |
line. I said transparant, not invisible. |
| 55 |
|
| 56 |
On a side note, normally your auto dealer doesn't tell you about the |
| 57 |
re-enforced hull of your automobile; but there HAS to be a clear warning |
| 58 |
if the doors DON'T come with these standard safety features, because an |
| 59 |
accident will KILL you. |
| 60 |
|
| 61 |
| |
| 62 |
|>You can't be held responsible for others' security holes, but you can |
| 63 |
|>take simple steps to mitigate the damages. |
| 64 |
| |
| 65 |
| |
| 66 |
| This is something that each person needs to evaluate for themselves. |
| 67 |
| Whether I agree or disagree with a given individual on what a default |
| 68 |
| level of reasonable security is, the ultimate decision is up to the end |
| 69 |
| user. |
| 70 |
| |
| 71 |
| Gentoo's role is similar to that of a consultant. You have the |
| 72 |
| consultants research or investigate a problem, concept, etc and then they |
| 73 |
| present you with the results, and the possible solutions to go |
| 74 |
| with. The decision is still up to the end user, and with a consultant, |
| 75 |
| they*know* what the pros and cons before making that decision. |
| 76 |
| |
| 77 |
|
| 78 |
Well, as a consultant, my suggestion is to enable SSP. If you don't |
| 79 |
like it turn it off. |
| 80 |
|
| 81 |
| |
| 82 |
|>|>What I propose to do (pick the low hanging fruit): |
| 83 |
|>|>1) Add stack protector and and any similar 'features' stable in |
| 84 |
|>hardened|>to the default CLFAGS of the gentoo install/profiles. By |
| 85 |
|>stable I mean|>things which do not break the majority of functionality. |
| 86 |
|>| |
| 87 |
|>| |
| 88 |
|>| Feel free to take on the ownership of making this work on every arch's |
| 89 |
|>| toolchain then. Also feel free to deal with all upstream authors who |
| 90 |
|>| start instantly dismissing any bugs from Gentoo due to the fact that |
| 91 |
|>the| toolchain is quite modified to accomplish this task. Take the |
| 92 |
|>current| stance the GAIM team has with us as an example of what would be |
| 93 |
|>to come. |
| 94 |
|> |
| 95 |
|>SSP works on all architectures. |
| 96 |
| |
| 97 |
| |
| 98 |
| The concept of SSP may work on all architectures, but the implementation |
| 99 |
| requires a fair amount of work to make it happen. Getting the toolchain |
| 100 |
| and/or commonly used applications to build and/or run properly when SSP is |
| 101 |
| in use has proven to be a problem in the past. If you want exact |
| 102 |
| historical evidence, just search our bugzilla server, particularly for |
| 103 |
| SPARC (i.e. bug #.39725). |
| 104 |
| |
| 105 |
|
| 106 |
finally someone gave me a bug number instead of just crying about it |
| 107 |
breaking their shit. |
| 108 |
|
| 109 |
| Granted support for SSP gets better as time goes on, but using the Gentoo |
| 110 |
| user base (unless they choose to be) as the QA for this is not a good |
| 111 |
| idea. |
| 112 |
| |
| 113 |
|
| 114 |
[...] |
| 115 |
|
| 116 |
|>| |
| 117 |
|>|>3) People who prefer not to be protected can remove the settings from |
| 118 |
|>|>their CFLAGS |
| 119 |
|>| |
| 120 |
|>| |
| 121 |
|>| Personally, I don't think opting out is the way to do this. Having |
| 122 |
|>CFLAGS| that are in by default that may or may not work across all |
| 123 |
|>architectures| is not a good thing. |
| 124 |
|> |
| 125 |
|>Opting out of a feature which in usage you're normally not going to |
| 126 |
|>really notice is there is no the way to do things? Dude, that's like |
| 127 |
|>saying you should make locks on windows optional. They can be unlocked. |
| 128 |
|> |
| 129 |
|>And ssp is supposed to be portable. Etoh and Yoda's paper[1] says that |
| 130 |
|>The IBM stack smash protection method (ProPolice) is CPU and OS |
| 131 |
|>independent[2]. I think that you'd be within reason to complain to them |
| 132 |
|>if it didn't work accross all archs. |
| 133 |
|> |
| 134 |
|>[1] http://www.trl.ibm.com/projects/security/ssp/main.html |
| 135 |
|>[2] |
| 136 |
|>http://www.trl.ibm.com/projects/security/ssp/node4.html#SECTION00045000000000000000 |
| 137 |
| |
| 138 |
| |
| 139 |
| See my above reply to your comment of SSP working on all architectures. |
| 140 |
| Additionally, thanks for the links on SSP. |
| 141 |
| |
| 142 |
|
| 143 |
np. |
| 144 |
|
| 145 |
| |
| 146 |
|
| 147 |
[...] |
| 148 |
|
| 149 |
|>Yes, exactly. -fstack-protector is one of those things you put there |
| 150 |
|>and never notice, but it does its job. |
| 151 |
| |
| 152 |
| |
| 153 |
| As someone who supports our end users. I definitely have noticed it with |
| 154 |
| regards to the afore mentioned build problems. |
| 155 |
| |
| 156 |
|
| 157 |
That's a problem; it's definitely not supposed to do that. |
| 158 |
|
| 159 |
| |
| 160 |
|>| Right now I have a choice to use these features if I want to. I don't |
| 161 |
|>| have to "opt-out" and I would rather keep it that way. The support |
| 162 |
|>| nightmare this will create is not worth the potential advantages. |
| 163 |
|> |
| 164 |
|>Yes and about 99.9999999% of your user base is probably going to say |
| 165 |
|>"wha? SSP? Wassat?" if you ask them if they use SSP. |
| 166 |
| |
| 167 |
| |
| 168 |
| This is a strong part of my point. |
| 169 |
| |
| 170 |
| One of the reasons I originally chose to run Slackware Linux and later |
| 171 |
| Gentoo Linux is that they did not attempt to do things for the user by |
| 172 |
| default. They assumed a certain level of knowledge by default, and let |
| 173 |
| the users make their own choices. In having talked with many users of |
| 174 |
| Gentoo either online or in the real world, this is one of the important |
| 175 |
| reasons they chose to use Gentoo. |
| 176 |
| |
| 177 |
| To me, every time a proposal like this comes up that influences what the |
| 178 |
| defaults are, it takes us one step farther away from that. |
| 179 |
| |
| 180 |
|
| 181 |
It works both ways. I have no choice but to use Stage 1, even on amd64 |
| 182 |
(which unlike x86 doesn't have a million different archs I can optimize |
| 183 |
for); that's the only way I can get SSP. I know quite a few people |
| 184 |
start from stage 2 or 3. |
| 185 |
|
| 186 |
Poll the user base? |
| 187 |
|
| 188 |
| |
| 189 |
|
| 190 |
[...] |
| 191 |
|
| 192 |
|>As someone who is passively absorbing this information, I find your |
| 193 |
|>ignorance combined with your claim of being a security expert to |
| 194 |
|>indicate that you're full of shit. |
| 195 |
| |
| 196 |
| |
| 197 |
| You are certainly entitled to that opinion. I never claimed to be a |
| 198 |
| security expert, I only said I worked in the field. And just because I |
| 199 |
| work in the field doesn't mean I'm intricately familiar with everything in |
| 200 |
| it. |
| 201 |
|
| 202 |
Ahh. Alright, I read too deep into your statements then. |
| 203 |
|
| 204 |
| |
| 205 |
| |
| 206 |
|>You've repetedly referred to the issue of cross-platform portability |
| 207 |
|>with SSP in here, for example; and I've pointed out once a link that |
| 208 |
|>shows that SSP is OS and CPU independent. Do your research, read what's |
| 209 |
|>out there. |
| 210 |
| |
| 211 |
| |
| 212 |
| See my above mentioned historical problems with using -fstack-protector. |
| 213 |
| What is written on paper and what actually happens in the real world are |
| 214 |
| two entirely different things. |
| 215 |
|
| 216 |
Is it a bug in the program, or in -fstack-protector? If it's in SSP, |
| 217 |
can you try to get Etoh a chroot on a sparc?, if he wants it? |
| 218 |
|
| 219 |
| |
| 220 |
| |
| 221 |
|
| 222 |
[...] |
| 223 |
|
| 224 |
|>I'm no security expert, I don't claim to be; but I at least know the |
| 225 |
|>subjet matter here better than you, for some strange and unknown reason. |
| 226 |
| |
| 227 |
| |
| 228 |
| That is entirely possible. I think some of this is due to us looking at |
| 229 |
| it from different angles as well. |
| 230 |
| |
| 231 |
|
| 232 |
mmhmm. |
| 233 |
|
| 234 |
| |
| 235 |
|
| 236 |
[...] |
| 237 |
|
| 238 |
|>| |
| 239 |
|> |
| 240 |
|>I can say that faster. "General security is a lost cause; only security |
| 241 |
|>experts have any business having security, even if it's transparent to |
| 242 |
|>them." |
| 243 |
| |
| 244 |
| |
| 245 |
| Like a lot of things in life, it pays to do your homework first. That's |
| 246 |
| why I'm advocating the opt-in approach here. Similarly to the fact that |
| 247 |
| we do not require users to use a syslog daemon (unless other |
| 248 |
| applications they chose to use require it), but suggest it in the |
| 249 |
| Installation Handbook, this could be an item to be put at the beginning. |
| 250 |
| Both to inform the user as to what SSP is and how to enable it if they |
| 251 |
| choose. |
| 252 |
| |
| 253 |
|
| 254 |
[...] |
| 255 |
|
| 256 |
| And while security is important to some people, it is not to others (yes |
| 257 |
| this is an endlessly debatable topic, so lets leave it at that and not |
| 258 |
| contribute to it). . If we are seriously thinking of implementing this, I |
| 259 |
| would ask that we poll our end users first to see if this is a |
| 260 |
| default option a majority of them would want or not. |
| 261 |
| |
| 262 |
|
| 263 |
yay poll :) |
| 264 |
|
| 265 |
| Regards, |
| 266 |
|
| 267 |
- -- |
| 268 |
All content of all messages exchanged herein are left in the |
| 269 |
Public Domain, unless otherwise explicitly stated. |
| 270 |
|
| 271 |
-----BEGIN PGP SIGNATURE----- |
| 272 |
Version: GnuPG v1.2.6 (GNU/Linux) |
| 273 |
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org |
| 274 |
|
| 275 |
iD8DBQFBVvEbhDd4aOud5P8RArSRAJ4pmW0rxjayqWbm0DO4vGQm8gN/kACdFZqs |
| 276 |
rwajUs0yC2JosyjjWQmj9Xs= |
| 277 |
=LV+k |
| 278 |
-----END PGP SIGNATURE----- |
| 279 |
|
| 280 |
-- |
| 281 |
gentoo-dev@g.o mailing list |
Archives