| 1 |
On Sun, 11 Dec 2011 18:00:19 -0500 |
| 2 |
Matthew Finkel <matthew.finkel@×××××.com> wrote: |
| 3 |
|
| 4 |
> > Another thing that I try to do as a better method of TPE which is a |
| 5 |
> > breeze on OpenBSD and sometimes I find myself working against Linux |
| 6 |
> > developers¹ is to make it so that any writeable area of the filesystem |
| 7 |
> > is mounted noexec and mounts have the least priviledges required. |
| 8 |
> > |
| 9 |
> |
| 10 |
> If don't mind my asking, what is it that OpenBSD does differently than the |
| 11 |
> Linux distros that make it so much easier? Do they actually follow the |
| 12 |
> security practices you mentioned in the bug report? |
| 13 |
> |
| 14 |
> |
| 15 |
> |
| 16 |
> > |
| 17 |
> > ¹ "https://bugs.launchpad.net/ubuntu/+source/udisks/+bug/880965" |
| 18 |
> > set as won't fix and also e.g. apt-get expecting /tmp exec. |
| 19 |
> > |
| 20 |
> > |
| 21 |
> Thanks, |
| 22 |
> Matt |
| 23 |
|
| 24 |
Starting with the actual bug, on OpenBSD everything is off untill you |
| 25 |
enable it like arch linux but their hotplugd allows you to easily edit |
| 26 |
the commands and so mount options. Of course their are things like |
| 27 |
devmon for Linux but the real issue was if a security policy tried to |
| 28 |
stop introduction of executable code by users and then someone used the |
| 29 |
install scripts and set up say ubuntu with udev by default then a user |
| 30 |
could make a directory owned by root on an ext2 usb possibly name |
| 31 |
it .exe and then execute their program violating the security policy |
| 32 |
and possibly without the admins realising, it's that not caring about |
| 33 |
security while developing that OpenBSD for obvious reasons (being it's |
| 34 |
main goal) has. I guess it's akin to gentoo hardened fixing/preferring |
| 35 |
their glibc and mozilla not making their binaries pax compatible |
| 36 |
|
| 37 |
Also OpenBSD includes some userland which they audit |
| 38 |
extensively. Packages use /usr/local and so you almost never need to |
| 39 |
write to / or /usr, though package exploits and lack of developers may |
| 40 |
force a move to current but for servers stable ports are generally kept |
| 41 |
up to date. To get the best of both worlds (gentoo hardened too), you |
| 42 |
could couple that ro mountability with grsecs in-kernel mount logging |
| 43 |
and a secure logging facility but the linux kernel would make you |
| 44 |
remount it a lot more often. |
| 45 |
|
| 46 |
Generally they just think about these things, they won't for example |
| 47 |
suddenly add an /opt and put insecure and often updated adobe-reader |
| 48 |
into it, it would be /usr/local/opt if anything. Less rc scripts and in |
| 49 |
one place. If someone tried to introduce xml to base OpenBSD they'd get |
| 50 |
laughed at for trying to introduce an insecure technology. On Linux I |
| 51 |
bet the people poking fun at xml would get laughed at for being absurd |
| 52 |
even if xml isn't the best choice. |
| 53 |
|
| 54 |
It's great and I love OpenBSD on my servers and especially firewalls |
| 55 |
but it can be a bit much keeping firefox upto date on my desktops |
| 56 |
(following current for firefox can mean no need to update for 9 months |
| 57 |
or twice in two weeks, that would be fine if I had >100 desktops to |
| 58 |
make a golden system worthwhile but I don't), and the firefox updates |
| 59 |
can be quite late. It may? stop exploits affecting cross-boot but it's |
| 60 |
a bit pointless having a secure desktop OS when firefox spends a week |
| 61 |
out of date. RBAC also has more use for desktops with higher |
| 62 |
exploitability. I looked to gentoo-hardened but unfortunately I can't |
| 63 |
spend the build time or have the spare machines so I'm currently |
| 64 |
looking at a grsec enabled arch possibly with a patched glibc as a |
| 65 |
compromise with the aim of reducing maintenance time. I sure hope it |
| 66 |
doesn't increase due to problems, it should reduce in theory atleast if |
| 67 |
I stop writing this email ;-). As a bonus users will get sandboxed |
| 68 |
flash. |
| 69 |
|
| 70 |
Woah this is a long post and sorry if I'm relating debianisms too much, |
| 71 |
I don't know gentoo-hardened that well and any insights/corrections |
| 72 |
would be appreciated. |
| 73 |
|
| 74 |
Kc |
Archives