Ubuntu - poorer security than Fedora

Posted Jul 17, 2008 15:38 UTC (Thu) by i3839 (guest, #31386)
In reply to: Ubuntu - poorer security than Fedora by dwheeler
Parent article: Ubuntu, security response, and community contributions

What exec-protection mechanisms? I thought most of those were pushed upstream? (Things like gcc's stack protection, address space randomization, non-executable stack, data and heap, etc. are; no idea how much they were written by Red Hat in the first place though.) Only thing left AFAIC was non-exec protection on non-x86_64 x86.

That's what I like about Red Hat, that nowadays they push stuff upstream so that everyone benefits from it. If distros would do that more they'd make each other's lives easier and improve the whole.


Ubuntu - poorer security than Fedora

Posted Jul 17, 2008 15:48 UTC (Thu) by nix (subscriber, #2304) [Link]

Other parts of exec-shield, like the 'ASCII armoring' (to make it impossible to embed the address of a function in a shared library in a string and then get it into an overflowed string via C string-handling functions) haven't gone upstream yet :( I wonder why not?
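The property nix describes above, as an added illustration that is not part of the original thread: exec-shield mapped shared libraries into the low 16 MiB of a 32-bit address space, so every library address carries a 0x00 byte, and a C string routine such as strcpy() stops copying at that byte before the full address is written. The 16 MiB boundary and the sample addresses below are assumptions for the demonstration, not values taken from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed exec-shield layout: libraries live below 16 MiB, so the top byte
 * of every 32-bit library address is 0x00. */
#define ASCII_ARMOR_LIMIT 0x01000000u

/* Does any of the four bytes of this 32-bit address equal 0x00? */
int addr_has_nul_byte(uint32_t addr)
{
    for (int i = 0; i < 4; i++) {
        if (((addr >> (8 * i)) & 0xffu) == 0)
            return 1;
    }
    return 0;
}

/* Is the address inside the ASCII-armor region? */
int in_ascii_armor_region(uint32_t addr)
{
    return addr < ASCII_ARMOR_LIMIT;
}

/* Lay out addr as four little-endian bytes (the way it would sit in memory),
 * copy that buffer with strcpy() as a C string routine does, and report how
 * many of the four bytes survive.  A 0x00 byte terminates the copy early, so
 * an armored address can never be written whole by a string function. */
size_t bytes_surviving_strcpy(uint32_t addr)
{
    char src[5];
    char dst[5] = {0};
    for (int i = 0; i < 4; i++)
        src[i] = (char)((addr >> (8 * i)) & 0xffu);
    src[4] = '\0';
    strcpy(dst, src);          /* stops at the first NUL byte of src */
    return strlen(dst);
}

int main(void)
{
    /* Constructed sample addresses: one armored, one not, one with an
     * embedded NUL outside the armor region. */
    uint32_t samples[] = { 0x00110abcu, 0xb7f12345u, 0x41004242u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t a = samples[i];
        printf("0x%08x: armored=%d has_nul=%d bytes_copied_by_strcpy=%zu\n",
               a, in_ascii_armor_region(a), addr_has_nul_byte(a),
               bytes_surviving_strcpy(a));
    }
    return 0;
}
```

The point of the third sample is that the NUL byte, not the region boundary itself, is what defeats string-based copying; the armor region simply guarantees that every library address has one.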

Ubuntu - poorer security than Fedora

Posted Jul 17, 2008 16:04 UTC (Thu) by riel (subscriber, #3142) [Link]

IIRC Linus made it clear that he did not want them. I do not remember the reason, but it made sense at the time :)

Ubuntu - poorer security than Fedora

Posted Jul 19, 2008 20:19 UTC (Sat) by ceplm (guest, #41334) [Link]

All this stuff is useless when not used. What are the default CFLAGS in Ubuntu? The Red Hat distros are known to use quite paranoid ones.

Ubuntu compile-time hardening

Posted Jul 21, 2008 8:33 UTC (Mon) by mdz@debian.org (subscriber, #14112) [Link]

Ubuntu - poorer security than Fedora

Posted Jul 21, 2008 8:51 UTC (Mon) by i3839 (guest, #31386) [Link]

That isn't true: most is done by the kernel. Only stack protection is useless when not enabled, so buffer overflows are still a danger, but less so if the kernel makes the stack non-executable and randomizes the address space.

And as the poster below linked to, Ubuntu seems to enable those flags too.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds