On Sun, 11 Dec 2011 18:00:19 -0500
Matthew Finkel <matthew.finkel@×××××.com> wrote:

> > Another thing that I try to do as a better method of TPE which is a
> > breeze on OpenBSD and sometimes I find myself working against Linux
> > developers¹ is to make it so that any writeable area of the filesystem
> > is mounted noexec and mounts have the least privileges required.
> >
>
> If you don't mind my asking, what is it that OpenBSD does differently than the
> Linux distros that makes it so much easier? Do they actually follow the
> security practices you mentioned in the bug report?
>
> > ¹ "https://bugs.launchpad.net/ubuntu/+source/udisks/+bug/880965"
> > set as won't fix and also e.g. apt-get expecting /tmp exec.
> >
> Thanks,
> Matt

Starting with the actual bug, on OpenBSD everything is off until you
enable it, like Arch Linux, but their hotplugd allows you to easily edit
the commands and so the mount options. Of course there are things like
devmon for Linux, but the real issue was: if a security policy tried to
stop introduction of executable code by users, and then someone used the
install scripts and set up, say, Ubuntu with udev by default, then a user
could make a directory owned by root on an ext2 USB, possibly name
it .exe, and then execute their program, violating the security policy
and possibly without the admins realising. It's that not caring about
security while developing that OpenBSD, for obvious reasons (it being
its main goal), doesn't have. I guess it's akin to gentoo hardened
fixing/preferring their glibc and Mozilla not making their binaries PaX
compatible.

Also OpenBSD includes some userland which they audit
extensively. Packages use /usr/local and so you almost never need to
write to / or /usr, though package exploits and lack of developers may
force a move to current, but for servers stable ports are generally kept
up to date. To get the best of both worlds (gentoo hardened too), you
could couple that ro mountability with grsec's in-kernel mount logging
and a secure logging facility, but the Linux kernel would make you
remount it a lot more often.

Generally they just think about these things; they won't, for example,
suddenly add an /opt and put insecure and often updated adobe-reader
into it, it would be /usr/local/opt if anything. Fewer rc scripts and in
one place. If someone tried to introduce XML to base OpenBSD they'd get
laughed at for trying to introduce an insecure technology. On Linux I
bet the people poking fun at XML would get laughed at for being absurd,
even if XML isn't the best choice.

It's great and I love OpenBSD on my servers and especially firewalls,
but it can be a bit much keeping Firefox up to date on my desktops
(following current for Firefox can mean no need to update for 9 months
or twice in two weeks; that would be fine if I had >100 desktops to
make a golden system worthwhile, but I don't), and the Firefox updates
can be quite late. It may? stop exploits affecting cross-boot, but it's
a bit pointless having a secure desktop OS when Firefox spends a week
out of date. RBAC also has more use for desktops with higher
exploitability. I looked to gentoo-hardened but unfortunately I can't
spend the build time or have the spare machines, so I'm currently
looking at a grsec-enabled Arch, possibly with a patched glibc, as a
compromise with the aim of reducing maintenance time. I sure hope it
doesn't increase due to problems; it should reduce in theory at least if
I stop writing this email ;-). As a bonus users will get sandboxed
Flash.

Woah, this is a long post, and sorry if I'm relating debianisms too much.
I don't know gentoo-hardened that well and any insights/corrections
would be appreciated.

Kc
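As an added example (not from either poster in this thread), a small POSIX shell audit that checks the policy from the quoted paragraph: every writable mount should carry noexec, and ideally nosuid and nodev as well. The mount-table lines are constructed samples in /proc/mounts format, and audit_live is an assumed helper name, not a tool from any distribution.

```shell
#!/bin/sh
# Audit a mount table (same format as /proc/mounts) for writable mounts
# that still allow exec, i.e. places where a user could drop and run a
# binary (the udisks-style removable-media case from the thread).

# Constructed sample standing in for /proc/mounts: root rw and exec,
# /usr ro, /tmp and /home locked down, a USB stick mounted rw without noexec.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /media/usb ext2 rw,nosuid,nodev,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0'

# has_opt OPTS NAME: true if NAME is a whole entry in the comma-separated
# option list (so "exec" does not match inside "noexec").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts: reads mount-table lines on stdin and prints one line per
# writable mount lacking noexec, listing every restrictive option it lacks.
audit_mounts() {
    while read -r dev mnt fstype opts rest; do
        [ -n "$dev" ] || continue
        has_opt "$opts" rw || continue      # read-only mounts cannot be abused this way
        missing=""
        for o in noexec nosuid nodev; do
            has_opt "$opts" "$o" || missing="$missing $o"
        done
        case "$missing" in
            *noexec*) printf '%s %s missing:%s\n' "$mnt" "$fstype" "$missing" ;;
        esac
    done
}

# count_offending: number of policy violations in the constructed sample.
count_offending() {
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts | wc -l | tr -d ' '
}

# audit_live (assumed helper name): run the same check against the running system.
audit_live() {
    audit_mounts < /proc/mounts
}
```

On the sample above the audit reports / and /media/usb; a rw root filesystem is itself a violation of the "every writable area is noexec" policy, which is why the post pairs noexec with keeping / and /usr read-only.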