Re: Grsec/PaX and Exec-shield
On Tue, 4 Nov 2003 04:26, Tiago Assumpção wrote:
> First of all, maybe the most important, we have the freedom problem here.
> It's CLEAR, after analyzing his own words, that our friend Russell Coker
> has a big interest in getting Exec-shield as part of Debian Linux.
> That becomes even more clear when you see the affirmation, again in his own
> words, that he's employed by Red Hat.
I have a big interest in improving the security of Debian. I see exec-shield
as a good option for doing so with little cost.
> I won't say here that Red Hat, Inc. would be manipulating information
> to force Debian users to use one of their products, because I would be
> going down, at the same level as Coker. Since I don't know Red Hat's
> relationship to this issue, I would go for how non-professional Russell
> Coker has been with his posts.
Red Hat has no real interest in the matter. Getting wider testing of Red Hat
software provides some small benefit, but on the other hand having Red Hat
offer security features that Debian does not offer is also a benefit.
> "Maybe we should solve the debate about grsec and standard kernels by
> adding exec-shield to the standard Debian kernel source? Then people who
> use a kernel.org kernel can apply the grsec patch (which will not apply to
> a Debian kernel source tree), and people who use the Debian kernel source
> will get exec-shield by default?"
> - Who are -you- (the ONLY individual) to define standards on linux kernel
> security designs?
I am not trying to create standards, just to get the defaults for Debian
improved, and maybe the defaults for the kernel.org kernel too.
> "The plan is to get Linus to accept it as a feature for 2.6, but to do this
> we need to get it tested more. It is being tested in Fedora, I think that
> we should do the same for Debian. Getting this patch deployed on large
> numbers of Debian machines is what is necessary to get it accepted by
> "I will make a kernel-patch package."
> - Again, I don't understand why you should worry so much about some project
> you don't even own/manage. Or is this for Red Hat?
You should do some research on the Debian project before saying foolish
things. Debian developers usually maintain packages of software written by
other people; the number of packages in Debian where the package maintainer
is also the upstream developer is quite small.
I volunteered to make a package for exec-shield because it meets the Debian
criteria, I have time to do it, and it interests me. PaX would take much
more time so I can't do it.
I worry about the security of my own machines, and that of people I know.
Exec-shield offers some benefits and is something I can use now. PaX will
not work with the Debian kernel and no-one has volunteered to make it work.
Unless someone (maybe you) volunteers to get PaX working with the Debian
kernel then it won't be an option for most people.
> Second of all, in a technical approach, you should compare all of W^X,
> Grsec/PaX, Exec-shield. My personal opinion (which doesn't really matter)
> is that there is nothing like grsec/PaX, they are above all the others
> in so many ways. It will be easy for you people to see, checking the references,
> reading the theories, studying the implementations.
I agree that PaX has more features, and I have never said otherwise.
However I believe that exec-shield has most of the features that we need at
this time, and is something that we can put in a default kernel.
If you volunteer to do the work to get PaX working with the default Debian
kernel then you can change this.
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page