On Monday, October 11, 2010 17:18:34 you wrote: >On 10/11/2010 12:21 PM, Boyd Stephen Smith Jr. wrote: >>> Anyone else perceive this situation as being a bit sub-optimal from >>> the security perspective? >> >> No. > >Interesting. Do you happen to run any such systems in a production >environment? Depends on what you mean by production. I do manage http://www.freegeekarkansas.org, http://www.iguanasuicide.net, and the MX for iguanasuicide.net. It's only 3 systems.[1] All are VPSes, 2 running Debian Lenny; 1 running Ubuntu 10.04 LTS. >> Debian server admins are running amd64, not i386, and NX is supported >> by default on 64-bit kernels. Even if they are running the i386 arch >> because of some random closed app they have to have on top of Debian, >> they can run the amd64 kernel. > >Oh good. > >Then I'm glad I didn't notify those admins I know who bought expensive >IBM servers just a couple of years ago that turned out to have >virtualization support for 64-bit guests disabled in the BIOS even >though the Intel Xeon CPUs had support for it. They were already >disappointed that they couldn't use weren't getting all the features of >the processors and they would be just heartbroken to find out that >they'd been pwned through executable stacks too. 1. Configure the BIOS properly. 2. If that's not possible, hack the BIOS. 3. If that's too hard, use LinuxBIOS / OpenBoot. Finally, don't whine when your software doesn't correct for intentional hardware crippling. Also: -bigmem is available. >>> What can be done to not disable page protections in the default >>> kernel? >> >> Enable PAE. From what I understand, the features are not separable >> in the i386 kernel. You either suffer under PAE and get NX, or you >> suffer without NX and drop PAE. > >That's my understanding too. I was really asking about the default. > >Most of us would prefer the 1% performance hit over having an >executable stack (and heap). Then install -bigmem, reboot and be done. Remember that Debian i386 targets more than beefy servers. In fact, it probably has a larger install base on Atom-based router boards, All-in-one PCs, and "netbooks". That said, I don't really care what the default is for i386. When multiple kernels are available for my architecture, I do the research and install the correct one. [1] One of the systems in that configuration is not directly public facing; it handles the ClamAV scanning via a private network for the MX. -- Boyd Stephen Smith Jr. ,= ,-_-. =. bss@iguanasuicide.net ((_/)o o(\_)) ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-' http://iguanasuicide.net/ \_/
Attachment:
signature.asc
Description: This is a digitally signed message part.