Openwall Linux 3.0: Linux for the security-conscious
Posted Jan 13, 2011 16:20 UTC (Thu) by solardiz
In reply to: Openwall Linux 3.0: Linux for the security-conscious
Parent article: Openwall Linux 3.0: Linux for the security-conscious
The concept of trusted computing base is definitely very old. However, it is not limited to password "storage"/changing/authentication; that is just part of the TCB. Thus, our "tcb" package on Owl is sort of misnamed (it's just part of the TCB, not the entire thing), but it's named after the /etc/tcb directory also seen on some older Unix systems (sometimes called the "trusted" flavors by the vendors). I presume that you refer to the latter.
Now let's get to the real technical stuff: unlike those older systems, Owl and our "tcb" package is the very first implementation to make use of the shadow files separation to reduce the privileges of the "passwd" command. No other system did it before we did it in Owl. (Now our "tcb" implementation is also reused by ALT Linux's distributions and by Mandriva, which is great. I hope more distributions will follow.)
Yes, replacing standard facilities involves risk of introducing new vulnerabilities. However, with our "tcb", we're reducing privileges of used-to-be-SUID-root programs at the same time - so certain classes of potential vulnerabilities turn into almost non-issues for that reason.
I think that there are more people who have fully audited our "tcb" suite (that's at least its three developers, all of whom are "into security") than people who have audited, say, Linux-PAM (relevant since our "tcb" replaces Linux-PAM's pam_unix with its own pam_tcb). Ridiculously naive security holes in three Linux-PAM modules (upstream, not distribution-specific) were found last year: the modules were accessing users' files as root. These holes would not be in there if just one "security expert" had carefully audited the entire Linux-PAM tree before last year. (None of the affected modules were in use on Owl by default, which is why they had been excluded from our own mandatory audit... although we did build and package them, so we had to release a security update for those who might have made use of the modules. And guess who finally patched the holes in upstream's Linux-PAM? One of the "tcb" developers did.)
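As an added illustration of the vulnerability class mentioned in the comment above (a privileged PAM-style module reading a file under a user's home directory as root), here is example C that is not code from Linux-PAM, from the "tcb" suite, or from the comment author. The first function shows the unsafe pattern; the second shows the usual hardening: temporarily take on the user's identity, refuse symlinks with O_NOFOLLOW, and check that the opened file is a regular file owned by that user before using it. The file name ".pam_environment", the temporary directory layout and the exact identity-switching sequence are assumptions for illustration, not a reproduction of the actual upstream fixes. The demo runs as an unprivileged user (switching to your own uid is a no-op), so it shows the symlink and ownership checks without needing root.

```c
/* Added example (not Linux-PAM or tcb code): accessing a user's file as root
 * versus accessing it as that user. Names and paths are illustrative. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern: whatever the path resolves to is opened with the
 * caller's (root's) privileges. A user who makes ~/.pam_environment a
 * symlink to a root-only file gets that file read on their behalf. */
int open_user_file_as_root(const char *path)
{
    return open(path, O_RDONLY);
}

/* Hardened pattern: act as the user for the duration of the open, refuse
 * symlinks, and insist the result is a regular file owned by that user.
 * (A real module would also save and restore the supplementary group list
 * with getgroups()/setgroups(); that is omitted here for brevity.) */
int open_user_file_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    struct stat st;
    int fd, saved_errno;

    /* Become the user: supplementary groups (root only), then gid, then uid. */
    if (saved_euid == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0) {
        setegid(saved_egid);
        return -1;
    }

    /* O_NOFOLLOW: a symlink planted by the user is an error, not a target. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    saved_errno = errno;

    /* Even a real file must be a regular file belonging to this user. */
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != uid)) {
        close(fd);
        fd = -1;
        saved_errno = EPERM;
    }

    /* Restore the caller's identity, uid first. Failing to regain privilege
     * would leave the whole process running as the user, so treat it as fatal. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        abort();

    errno = saved_errno;
    return fd;
}

/* Constructed scenario: a regular file and a symlink pointing at it, in a
 * fresh temporary directory. Returns 1 when the vulnerable open follows the
 * symlink, the hardened open refuses it, and the hardened open still reads
 * the user's own regular file; 0 otherwise. */
int demo_checks(void)
{
    char dir[] = "/tmp/tcbdemo.XXXXXX";
    char regular[64], symlink_path[64];
    int fd, ok = 1;
    uid_t me = getuid();
    gid_t mygrp = getgid();

    if (!mkdtemp(dir))
        return 0;
    snprintf(regular, sizeof regular, "%s/.pam_environment", dir);
    snprintf(symlink_path, sizeof symlink_path, "%s/planted_link", dir);

    fd = open(regular, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "X=1\n", 4) != 4) {
        if (fd >= 0) close(fd);
        return 0;
    }
    close(fd);
    if (symlink(regular, symlink_path) != 0)
        return 0;

    /* The vulnerable pattern happily follows the planted symlink. */
    fd = open_user_file_as_root(symlink_path);
    if (fd < 0) ok = 0; else close(fd);

    /* The hardened pattern refuses the symlink (ELOOP from O_NOFOLLOW)... */
    if (open_user_file_as_user(symlink_path, me, mygrp) != -1)
        ok = 0;

    /* ...but opens the user's own regular file normally. */
    fd = open_user_file_as_user(regular, me, mygrp);
    if (fd < 0) ok = 0; else close(fd);

    unlink(symlink_path);
    unlink(regular);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("checks %s\n", demo_checks() ? "passed" : "FAILED");
    return 0;
}
```

The ownership check after the open matters even with O_NOFOLLOW: a hard link, or a file the user was handed by someone else, is still not "the user's file", and fstat on the already-open descriptor avoids a race between a separate stat and the open.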