
Re: [developers-l] Re: [debian-devel] Re: security enhanced debian branch?


On Fri, Dec 19, 2003 at 12:30:16AM +0000, Steve Kemp wrote:
> On Thu, Dec 18, 2003 at 11:53:22PM +0100, Peter Busser wrote:
> > It is IMHO a good idea to put back stuff from Adamantix in Debian. Currently
> > I am fully occupied by development of RSBAC support in Adamantix, so I cannot
> > do it myself. But anyone who wants to work on this stuff for Debian can join
> > #adamantix on irc.freenode.org or send e-mail. There are always people on
> > #adamantix who are willing to share information and answer questions
> > (including so called stupid questions). Even if you don't know much about this
> > stuff, we can get you up to speed and try to help when you get stuck.
>   Is it not the case that the RSBAC stuff conflicts with the stuff that
>  is going to be in the mainline 2.6 kernel?  (Such was my impression but
>  I could easily be confused).

No. RSBAC does not use the Linux Security Module (LSM) interface. And when
you apply RSBAC to a 2.6 kernel, you can still load LSM modules. If you enable
RSBAC, the loading of kernel modules will of course be subject to the RSBAC
access control rules. After that, both the LSM module and RSBAC do their work.

When Amon Ott, the author of RSBAC, started to port RSBAC to 2.6, he started
using the LSM hooks. But after a while he came to the conclusion that LSM only
has disadvantages and no advantages. LSM only provides one quarter of the
kernel hooks that RSBAC provides. Therefore the choice is either: Castrating
RSBAC or not to use LSM. Castrating RSBAC would be really bad, so there is not
much choice but not to use LSM hooks. Amon posted his view on LSM on the RSBAC
website[1]. The author of gr-security, Brad Spender, has posted a similar view
on LSM[2].

Why is LSM good enough for SELinux and not for RSBAC? Because SELinux was
changed to fit LSM. One example, network access control was removed from
SELinux because there are no network access control hooks provided by LSM.
Another reason is that RSBAC provides much more functionality than SELinux.
What SELinux provides is only one module in RSBAC. Some people claim that RSBAC
has adopted a ``kitchen sink'' approach to security. After using it for quite
some time, I would say that RSBAC has adopted a sensible approach which allows
the combination of individual parts in such a way that the whole is bigger
than the sum of the parts.

An example: In RSBAC there is an RC module, which in many ways resembles
SELinux. In the RC module, every process has a certain role. There is also an
ACL module, which provides functionality similar to NetWare 3.xx ACLs. It is
possible to specify ACLs on RC roles. Users can create their own ACLs in RSBAC.
This means that if you have an account on a machine which runs a webserver
which has the role WebServer, you could create an ACL that allows access from
any process running as WebServer in ~/pub_html. But deny access to a
subdirectory called ~/secret_documents.

This is just one example. In Adamantix, RSBAC is used to be able to remove
suid root bits from ping, traceroute, and GnuPG. Not only does this mean that
you can run ping as a normal user, it also means that using the network access
control in RSBAC, you can specify which users can ping to which networks. All
from one interface and one set of tools.

> > People who talk badly about Adamantix either do not know what they are talking
> > about or do so deliberately. I.e. by spreading FUD, making it look like a fight
> > between ``us'' and ``them'', as if there is nothing in common between the two
> > projects. All in all, it seems to me that there are a few people in Debian who
> > think that it is against their personal interest when Adamantix stuff is added
> > to Debian, even though it is clear that it is in the interest of all Debian
> > users to have better security.
>   More security work is good.  More security stuff in Debian is good.
>   However, as an outside observer, it appears to me that the Adamantix
>   project is not interested in contributing back - quoting from the
>   motivation page[1]:
>   	"But adoption by other distributions so far has been slow.
> 	Energy has been wasted on politically driven efforts rather than
> 	in providing better solutions. This is not a very desirable
> 	situation.  

Right, people waste too much time on stupid fights and useless discussions
instead of working together and getting work done. Everyone is free to choose
what he puts his energy in. Personally, I prefer to put energy in improving
security and in helping people with the same goal.

> 	...
> 	Therefore Adamantix is going to be a fully capable Linux
> 	distribution, with graphical desktop, graphical installer,
> 	hardware auto detection, sound, multimedia, etc.. In other
> 	words: Everything you can expect from a modern Linux system with
> 	more or less the same ease of use. Only more secure than other
> 	Linux systems"
>   This to me suggests that Adamantix wants to "go it alone" and become
>  yet another standalone distribution.  (I'm not suggesting for a moment
>  that this is a bad thing in itself if you have enough resources to
>  support it).

Well, ever since the motivation page was on-line, people have been able to
read whatever they wanted in what was written there. I already decided to
remove the page, just haven't had time to do it yet.

IMHO there is not much choice but to become yet another standalone
distribution. Where could I get a PaX enabled distribution before Trusted
Debian? Nowhere. Where can I get an RSBAC enabled distribution? Nowhere. Maybe
there are people who are content with the level of security a normal Linux box
provides or the level of security SELinux will provide. I am not.

>   I infer from this that you (the project) would not wish to get stuff
>  back into Debian proper - as this would remove your distinction as
>  being a secure Linux distribution and weaken your adoption.

IMHO one does not exclude the other. It is perfectly possible to put stuff back
in Debian without making Adamantix a weaker distribution.

>   I'd be happy to be proved wrong, and would welcome pollination in
>  both directions - I just haven't noticed any yet.  (Possibly because
>  I've been unobservant, very likely in my job-hunting state ;)

Again, the fact that there is a cross-pollination with Gentoo hardened proves
that you are wrong.

> > Anyone related to Adamantix that I know of has been helpful with helping
> > others, including Debian users and developers. There is a good relationship
> > with Gentoo hardened. And there is no reason at all why there is no such
> > relation between Debian and Adamantix. A good start would be if some Debian
> > developer started to write a plan for putting Adamantix stuff in Debian. Then
> > we can discuss it and determine what needs to be done by whom. And then start
> > working on it.
>   I'd be interested in hearing what the Adamantix people believed to be
>  a reasonable approach for merging stuff back - but it does seem that
>  they should be the people to write the plan, after all they know what
>  they're working on - whereas outside Debian developers don't!

Ok, maybe we can write such a plan together? I mean, sure, I know what is
being worked on in Adamantix. That is simple technical stuff. But I hardly know
anything about the dynamics of the Debian project. So it is difficult to judge
what is feasible and what not and what is the best approach for working
together. That is difficult political and procedural stuff I know nothing
about, since I'm just a simple technician.

[1] http://www.rsbac.org/lsm.html
[2] http://grsecurity.net/lsm.php

Peter Busser
