
New directions for SME Server, Immunix

December 3, 2003

This article was contributed by Ladislav Bodnar

With the recent compromise of several Debian servers, nobody needs a reminder about the importance of security on publicly accessible production machines. Diligently applying security patches is one way of guarding against known vulnerabilities, but, as in Debian's case, how can one prevent (or at least reduce the likelihood of) an attacker exploiting an unknown vulnerability? Some of the solutions include various kernel patches protecting the kernel from buffer and stack overflows, security-enhanced kernels, User Mode Linux with critical processes confined to "jails", and Linux intrusion detection systems with mandatory access control policies.

However, most mainstream Linux distributions, as well as the Linux kernel developers, have yet to be persuaded of the need to implement any of the above solutions in their products. As a result, a wave of "secure" distributions has come into existence over the past several years, attempting to fill the gap and appealing to the more careful or paranoid among the system administrators running mission-critical servers. Some of these distributions provide little more than sensible default settings with all unnecessary services turned off, while others attempt more sophisticated protection mechanisms against common exploits. Among the oldest of these distributions are SME Server (formerly e-smith) by Mitel and Immunix, by Immunix, Inc. (formerly WireX Communications, Inc.).

Both Mitel and Immunix made interesting announcements last week. Mitel's Director of Product Management Dan York posted a message on the distribution's mailing list saying that the upcoming SME Server 6.0 would be the last unsupported developer (i.e. freely downloadable) release. "Mitel is a commercial enterprise," asserts the writer, "and has decided to focus our developers on our commercial products." Future releases, if any, are up to the SME Server user community, and even the distribution's mailing lists, forums and bug reporting facilities will no longer be hosted by Mitel.

The announcement was met with various emotions, ranging from anger at Mitel for abandoning their long-term users and contributors to hope that the product will continue, albeit in a different form. Despite its relatively low-profile status in the media, e-smith SME Server is a popular distribution with highly active mailing lists, a satisfied user base and several community web sites, including SME-Fr (in French) and contribs.org. The latter has now accepted the challenge of setting up a complete development framework, thus providing continuity in the development of the community-supported SME Server.

The other interesting announcement was a quiet release of Immunix Secured OS, version 7.3. Unlike the company's previous releases, version 7.3 is no longer free: "Immunix Secured OS 7.3 is not free software. Immunix does employ many GPL components, among other licenses, and source code for GPL software is available under the terms of the license." All previous versions of Immunix were available in the form of freely downloadable ISO images for non-commercial use, although all of them have now reached end of life.

What makes SME Server and Immunix Secured OS worth paying for? SME Server falls into a category of server distributions where security is achieved through simplicity and transparency, elimination of non-essential services and replacement of certain services with more secure alternatives. It also provides a unique, template-driven configuration system written in Perl. Immunix, on the other hand, has developed its own set of technologies guarding against various common exploits. As an example, Immunix 7.3 comes with StackGuard, a set of patches for the GCC compiler (presently only available for GCC 2.96) which forces the binaries to perform additional checks on stack operations to prevent stack overflows. Another interesting technology is SubDomains, a mandatory access control mechanism for limiting the privileges given to critical programs and processes. There is a lot more, and if all these features work as advertised, the $200 price tag does not seem excessive. Still, the decision to discontinue the non-commercial edition was not well received by many long-term Immunix users.

What do these changes at Mitel and Immunix mean for the Linux user community? They seem to confirm a trend among several Linux companies which have decided to focus exclusively on the corporate market. They probably see small businesses and private users as contributing very little to their overall profit margins, while draining precious developer resources. Although this seems to be an understandable direction from the business point of view, these companies sometimes forget the power of the intangible benefits that a large user base brings them in terms of product recommendations, bug reports, exchange of ideas on forums and mailing lists, suggestions and other non-monetary values. And abandoning one's users, even if those users don't provide immediate material benefits, does not seem like a smart idea in the long run.



Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds