[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: exec-shield (maybe ITP kernel-patch-exec-shield)


On Fri, Nov 28, 2003 at 12:34:54AM +1100, Russell Coker wrote:
> On Thu, 27 Nov 2003 23:06, Peter Busser <peter@adamantix.org> wrote:
> > On Thu, Nov 27, 2003 at 11:26:50AM +1100, Russell Coker wrote:
> > > On Sat, 22 Nov 2003 03:41, Peter Busser <peter@adamantix.org> wrote:
> > > > It would be somewhat beneficial for Adamantix if PaX was part of the
> > > > default Debian kernel source. Inclusion of PaX in the default Debian
> > > > kernel source could be a valid reason to cooperate with Debian on this.
> > > > You didn't ask me about such a scenario.
> > > As long as no-one is interested in making kernel-patch packages for PaX
> > > the chances of getting it in the default Debian kernel source is
> > > exceedingly low.
> > That says someone who is a user of PaX and not involved the development of
> > PaX. Noone in Adamantix is involved in PaX development.
> I thought that you wrote paxtest?

Yes, I certainly did. Do you know why? Because I didn't trust PaX and wanted
some proof that it actually did something useful.

You know, when I started to develop Adamantix and integrated PaX, it simply
worked beautifully well. Sure there were some libraries that didn't load, but
that was not difficult to fix. You know how adding access control can break all
kinds of things, and I expected PaX to break all kinds of things too. But that
did not happen.

So instead of blindly trusting PaX, I wrote a test suite that would tell me if
it worked or not. And it seems to work wonderfully well, despite claims of
people that it doesn't. The people who make such claims are mostly people who
try to write a similar patch for Linux or for some other operating system. The
people who use it in production systems, like some of the people who use
Adamantix or Gentoo hardened, shake their heads and make fun of these
statements. For a good reason.

You don't have to trust PaX. Or exec-shield or OpenWall or any other patch for
that matter. Simply run paxtest and find the proof yourself.

> > So true. As you may know by now, I am not related to Debian. And yet a
> > number of Debian related people shouted and yelled at me telling me that I
> > should put Adamantix stuff in Debian. You are right, this hasn't happened.
> I'm sure that if I joined discussions in the Adamantix mailing lists and 
> started telling people what to do then someone would tell me to do it myself 
> if I wanted it done.

It is hard to tell, because I haven't seen you make any suggestions on
Adamantix mailing lists. But I think it generally depends on the quality of
the suggestion made and wether it would fit within the goals of the project
or not.

> > Adamantix works together with Gentoo hardened. I really appreciate this
> > cooperation. This proves that it is possible to work together. But only as
> > long as it is on a basis of equality and provides mutual benefit.
> You said yourself that it would be beneficial for you to have PaX in the 
> default Debian kernel source.  That seems to indicate a possibility for 
> mutual benefit.

Yes. But I didn't get the impression so far that there are any Debian people
who view it like a benefit. I am still hopeful that I will be proven wrong
about this though.

> > Maintaining a kernel patch package is only beneficial for Debian, not for
> > Adamantix.
> That is not what you say above.

That is consistent with what I said above, from the Adamantix point of view.
Because there is no need to have a seperate PaX patch in Adamantix. I think
that process integrity is basic functionality of any operating system that
claims to care about security. That is why it is not optional in the standard
Adamantix kernels. If you don't like it, you have to recompile the kernel
yourself and disable it in the configuration. Some call it secure by default.

In other words, there is no need for a seperate patch package in Adamantix.
If I were to create and maintain such a package, it would be purely for the
benefit of Debian.

> > I don't think that is the kind of cooperation the Adamantix
> > project is looking for. You have to come up with something better than that
> > if you are serious about cooperation in security issues. The choice is
> > yours.
> If you want to cooperate with Debian developers then you have to find some 
> area of mutual interest.

I think that I have already identified one area of mutual interest from the
Adamantix point of view (see above). I think that mutual means that the effort
comes from both sides. Therefore I am interested in hearing from you what this
effort from Debian's side is going to be.

But I suspect that the answer is going to be something like: Put a patch
package in Debian and then, if you are really really really lucky, you might
see some minimal reward for your effort. That is again expecting Adamantix to
do work for Debian with nothing in return. Such a circular argument leads to
nothing. If nothing is what you want, this is the guaranteed way to get it.

Peter Busser
The Adamantix Project
Taking high-security Linux out of the labs, and into the real world

Reply to: