
Re: stack protection



On Thu, 21 Aug 2003, Russell Coker wrote:
> Who is interested in stack protection?
> I think it would be good to have some experiments of stack protected packages 
> for Debian.
> Also is there any interest in uploading a kernel-image package with the grsec 
> PaX support built in?

grsec is IMHO a better idea, as it offers a global protection against
various exploit types (execution of code in stack, for example) and
related threats (restriction in /proc is really useful too, ulimit
enforcement, symlink/fifo/chroot restrictions .. )

Note that some options are sometimes incompatible with some packages:
restrictions on kmem ('Deny writing to /dev/kmem, /dev/mem, and
/dev/port') prevent lm_sensors from working properly with my server. But
with reasonable settings grsecurity is working like a charm.

Ah, when dealing with security, it might also be a good idea to make it
easier for Debian to run with / read-only. There was a thread in
-devel some time ago (see 'Update re: read-only root filesystem' thread
and http://panopticon.csustan.edu/thood/readonly-root.html)

A read-only / with grsecurity easily offers a good protection (even if not
absolute) [other details could be checked, like non-executable /var, and
so on.. but it depends on the system partitioning]

Major issues for a ro-/ are maybe:
- using devfs for /dev (kernel 2.4 and package devfsd installed)
- using tmpfs for /tmp (kernel 2.4?)
- transforming several /etc files into symlinks and moving them to some
other place (/var/etc ?)

I was wondering if a script-only-package could do that, with a 'Depends:
kernel-xx(>2.4), devfsd' and proper install scripts? Might be difficult to
do, but maybe not impossible?
apt-get install read-only-root :)
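
An added example, not part of the original message: a small POSIX shell audit that checks a mount table in /proc/mounts format against the layout discussed above (read-only /, tmpfs /tmp, non-executable /var). The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): audit a mount table in
# /proc/mounts format for a read-only /, a tmpfs /tmp and a noexec /var.

# has_opt OPTS NAME: true if NAME is one of the comma-separated OPTS.
# Matching whole options keeps "errors=remount-ro" from counting as "ro".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mounts: read a mount table on stdin, print one finding per line.
# A later entry for the same mount point overrides an earlier one, because
# the most recent mount is the one in effect.
audit_mounts() {
    root_opts='' tmp_type='' var_opts='' var_seen=''
    while read -r _dev mnt fstype opts _rest; do
        case "$mnt" in
            /)    root_opts=$opts ;;
            /tmp) tmp_type=$fstype ;;
            /var) var_opts=$opts; var_seen=yes ;;
        esac
    done
    if has_opt "$root_opts" ro; then echo "OK / is read-only"
    else echo "WARN / is writable"; fi
    case "$tmp_type" in
        tmpfs) echo "OK /tmp is tmpfs" ;;
        '')    echo "WARN /tmp is not a separate mount" ;;
        *)     echo "INFO /tmp is $tmp_type, not tmpfs" ;;
    esac
    if [ -z "$var_seen" ]; then echo "WARN /var is not a separate mount"
    elif has_opt "$var_opts" noexec; then echo "OK /var is noexec"
    else echo "WARN /var allows execution"; fi
    return 0
}

# Constructed sample mount table, for illustration only.
sample_mounts() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
/dev/hda1 / ext3 ro 0 0
/dev/hda3 /var ext3 rw,nosuid 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF
}

sample_mounts | audit_mounts
```

On a live system the same function can be fed with `audit_mounts < /proc/mounts`.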



