Recent Features
| |||||||||||||
OpenWall 3.0OpenWall 3.0Posted Dec 23, 2010 22:03 UTC (Thu) by smoogen (subscriber, #97)In reply to: OpenWall 3.0 by smoogen Parent article: Linux capabilities support for user namespaces
And in reading the next section I see they have instead implemented kernel fixes to allow for setgid programs to open icmp versus capabilities.
(Log in to post comments)
OpenWall 3.0 Posted Jan 6, 2011 16:23 UTC (Thu) by solardiz (guest, #35993) [Link]
ping is a special case. For everything else, we made purely userland changes to eliminate the need for having any SUID programs. You may want to check out these links:
http://www.openwall.com/tcb/
also mentioned in the "next section" that you referred to:
OpenWall 3.0 Posted Jan 6, 2011 16:38 UTC (Thu) by solardiz (guest, #35993) [Link]
Also, this description - "kernel fixes to allow for setgid programs to open icmp" (from your comment) - is not entirely correct. What we're proposing on LKML is adding non-raw ICMP sockets (where one can only send certain things and receive certain relevant responses). This is not the same as permitting some programs to access the existing (raw) ICMP sockets. And this is post-Owl-3.0 stuff; on our 3.0 release, we left out the ping special case (ping is simply restricted to invocation by root by default, although this is configurable; our traceroute works as non-root fine).
Overall, Owl 3.0 is primarily about the hardened userland. We do not use filesystem capabilities, and our userland is usable with mainstream kernels (although we do provide and recommend a specific RHEL5/OpenVZ patched kernel). In fact, some people are running our userland in OpenVZ containers on non-Owl host systems (we provide pre-created OpenVZ templates of the userland), although we generally use Owl for both "host" and "guest" ourselves.
|
|||||||||||||