In thinking about the possibility of creating a more secure version of debian linux, I wonder if suid programs should not be automatically compiled with Stack Guard (or the like) and linked to libs with Format Guard. The Stack Guard part would be really easy, although Format Guard may be a little tricky. Would it be possible to create special versions of the appropriate libs that suid programs would link to for the Format Guard stuff (which apparently breaks some programs)? Anyway, these things are non-intrusive and would contribute to the security of any system. If suid programs are not compiled with these protections by default, then it would be really nice to have these security enhanced versions packaged in a consistent way and retrievable with a task package. Other things, such as LIDS or Subdomain, could easily enough be packaged as kernel patches, much like reiserfs and so on. Same with selinux... although that replaces a number of packages as well. Having these things as packages would allow anyone who was interested to easily add them to their debian system. No need for a port... admins could pick and choose with a simple apt-get the security measures they want, allowing them to create a nicely customized system to fit their individual needs. I definitely think that having these things available would be a boon for debian as a distribution, keeping debian on the competitive edge. For the most part I don't even think that it would be all that difficult. Stack guard: http://www.immunix.org/stackguard.html Format guard: http://www.immunix.org/formatguard.html Subdomain: http://www.immunix.org/subdomain.html LIDS: http://www.lids.org selinux: http://www.nsa.gov/selinux/ -- John Patton patton66@home.com Get my GnuPG public key: finger john@24.22.215.225 "What luck for the rulers that men do not think." - Adolf Hitler (1889-1945)
Attachment:
pgp3jxoJHRAWF.pgp
Description: PGP signature