With the recent compromise of several Debian servers, nobody needs a reminder about the importance of
security on publicly accessible production machines. Diligent application of
security patches is one form of guarding against known vulnerabilities, but,
as in Debian's case, how can one prevent (or at least reduce the
likelihood of) an attacker exploiting an unknown vulnerability? Some of the
solutions include various kernel patches protecting the kernel from buffer
and stack overflows, security enhanced kernels, User Mode Linux with critical
processes confined to "jails", Linux intrusion detection systems with
mandatory access control policies, and other solutions.
However, most mainstream Linux distributions, as well as Linux kernel
developers, have yet to be persuaded of the need to implement any of the
above solutions in their products. As a result, a wave of various "secure"
distributions came into existence in the past several years, attempting to
fill the gap and appealing to the more careful or paranoid amongst the system
administrators running mission critical servers. Some of these distributions
provide little more than sensible default settings with all unnecessary
services turned off, while others attempt more sophisticated protection
mechanisms against common exploits. Among the oldest of these distributions
are SME Server (formerly e-smith) by
Mitel and Immunix, by Immunix, Inc.
(formerly WireX Communications, Inc.).
Both Mitel and Immunix made interesting announcements last week. Mitel's
Director of Product Management Dan York posted a message on the
distribution's mailing list saying that the upcoming SME Server 6.0 would be
the last unsupported developer (i.e. freely downloadable) release.
"Mitel is a commercial enterprise," asserts the writer,
"and has decided to focus our developers on our commercial
products." Future releases, if any, are up to the SME Server
user community and even the distribution's mailing lists, forums and bug
reporting facilities will no longer be hosted by Mitel.
The announcement was met with various emotions ranging from anger at Mitel for
abandoning their long-term users and contributors to hope that the product
will continue, albeit in a different form. Despite its relatively
low-profile status in the media, e-smith SME Server is a popular
distribution with highly active mailing lists, a satisfied user base and
several community web sites, including SME-Fr (in French) and contribs.org. The latter has now
accepted the challenge of setting up a complete development framework, thus
providing continuity in the development of the community supported SME
Server.
The other interesting announcement was a quiet release of Immunix Secured
OS, version 7.3. Unlike the company's previous releases, version 7.3 is no
longer free: "Immunix Secured OS 7.3 is not free software. Immunix
does employ many GPL components, among other licenses, and source code for
GPL software is available under the terms of the license." All
previous versions of Immunix were available in the form of freely
downloadable ISO images for non-commercial use, although all of them have
now reached end of life.
What makes SME Server and Immunix Secured OS worth paying for? SME Server
falls into a category of server distributions where security is achieved
through simplicity and transparency, elimination of non-essential services
and replacement of certain services with more secure alternatives. It also
provides a unique, template-driven configuration system written in Perl. On
the other hand, Immunix has developed its own set of technologies guarding
against various common exploits. As an example, Immunix 7.3 comes with
StackGuard, a set of patches for the GCC compiler (presently only
available for GCC 2.96) which forces the binaries to perform additional
checks on stack operations to prevent stack overflows. Another interesting
technology is SubDomains, a mandatory access control mechanism for
limiting privileges given to critical programs and processes. There is a lot
more and if all these features work as advertised, the $200 price tag does
not seem excessive. Still, the decision to discontinue the non-commercial
edition was not well received by many long-term Immunix users.
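The StackGuard check mentioned above works by placing a guard word (a "canary") between a function's local buffers and its saved return address, and verifying that word before the function returns; an overflow that runs past the buffer clobbers the canary first, and the mismatch is detected before the corrupted return address can be used. The following C program is an added illustration of that idea and is not code from Immunix or the StackGuard patches: it emulates a stack frame with a struct so the overflow stays inside an object the program owns, and the canary constant and field names are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed emulation of a StackGuard-protected frame. Real StackGuard
 * emits the equivalent prologue (plant canary) and epilogue (verify canary)
 * code inside the compiler; here the frame is a struct so the demonstration
 * stays within defined C behaviour. Field names and the canary value are
 * assumptions for this example, not StackGuard's actual layout. */

#define BUF_SIZE 16
#define CANARY_VALUE 0x0A0DFF00u /* assumed guard word for the example */

struct emulated_frame {
    char buf[BUF_SIZE];     /* the local buffer that an overflow overruns */
    uint32_t canary;        /* guard word planted in the prologue */
    uint32_t saved_return;  /* stand-in for the saved return address */
};

/* Copies `len` bytes of `input` into the emulated frame without a bound
 * check (the classic defect), then performs the epilogue check StackGuard
 * inserts. Returns 0 when the canary is intact and 1 when it was clobbered,
 * i.e. when a real StackGuard binary would abort instead of returning. */
int guarded_copy(const char *input, size_t len)
{
    struct emulated_frame frame;
    frame.canary = CANARY_VALUE;      /* prologue: plant the guard word */
    frame.saved_return = 0xDEADBEEFu; /* placeholder value */

    /* Clamp only to the size of the whole frame, so that writes beyond
     * buf still land on the canary but never outside the object. */
    size_t n = len > sizeof frame ? sizeof frame : len;
    memcpy((unsigned char *)&frame, input, n);

    /* epilogue: verify the guard word before "returning" */
    if (frame.canary != CANARY_VALUE) {
        return 1; /* overflow detected: return address may be corrupt */
    }
    return 0;
}

int main(void)
{
    const char short_input[] = "hello";                     /* fits in buf */
    const char long_input[]  = "AAAAAAAAAAAAAAAAAAAAAAAA";  /* 24 bytes: past buf */

    printf("short input: %s\n",
           guarded_copy(short_input, strlen(short_input)) ? "canary clobbered" : "canary intact");
    printf("long input:  %s\n",
           guarded_copy(long_input, strlen(long_input)) ? "canary clobbered" : "canary intact");
    return 0;
}
```

The check fires whenever the copy extends even one byte past `buf`, because that byte overwrites part of the canary before it can reach the saved return address; this is the property that lets a compiler-inserted check catch an overflow without knowing which function will eventually contain one.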
What do these changes at Mitel and Immunix mean for the Linux user community?
They seem to confirm a trend in the direction of several Linux companies
which have decided to focus exclusively on the corporate market. They
probably see small businesses and private users as somebody contributing very
little to their overall profit margins, while draining precious developer
resources. Although this seems to be an understandable direction from the
business point of view, these companies sometimes forget the power of
non-tangible benefits that a large user base brings them in terms of product
recommendations, bug reports, exchange of ideas on forums and mailing lists,
suggestions and other non-monetary values. And abandoning one's users, even
if those users don't provide immediate material benefits, does not seem like
a smart idea in the long run.