Distributions
News and Editorials
LCA: How to improve Debian security
Russell Coker is a long-time figure in the Linux security world, having done much of the heavy lifting involved in making SELinux work with both the Debian and Fedora distributions. At the Debian miniconf at linux.conf.au, Russell ran a session on what Debian should do to improve its security. With a relatively small number of changes, Debian could be made significantly harder to break into.
The first suggested change is not Debian-specific in any way: Russell makes the claim that Linux needs to support more capabilities. The Linux capability system attempts to break down the "can do anything" superuser privileges into less powerful capabilities, with the idea that programs can be restricted to the privileges they actually need to get their jobs done. Unfortunately, this splitting of privileges is incomplete, in that two of them are still too powerful. They are:
- CAP_NET_ADMIN controls the management of IP tunnels, type of service settings, routes, interface parameters, raw packet access, and much more. There are many unrelated powers which are granted by CAP_NET_ADMIN; splitting them up would make the system more secure in dealing with potentially buggy network processes.
- CAP_SYS_ADMIN is even worse, being the grab-bag capability used whenever somebody can't find something more specific. This capability controls access to disk quotas, the mounting of filesystems, NVRAM access, serial port parameters, memory management policies, and dozens of other actions. Getting CAP_SYS_ADMIN is not far removed from simply having superuser powers.
Russell talked about the benefits of splitting up these capabilities, but didn't get much into the practical difficulties. Those include the fact that the 32-bit capability mask is just about full already, the need to educate developers and administrators about the new capabilities, and the task of changing the current capability tests and dealing with the things that break. It's an obviously good idea, but carrying it through will require some work.
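As an added illustration (this is not code from the LWN article or from Russell's talk), the following Python decodes the capability masks a Linux process exposes in /proc/<pid>/status and flags the two grab-bag capabilities discussed above. The name table is the 32 capabilities numbered 0 to 31 in the 2.6-era kernel (bit 31, CAP_SETFCAP, was the last free bit at the time and has since been taken, which is why later kernels widened the mask to 64 bits); the /proc excerpt is constructed for the example.

```python
# Added example: decode the capability bitmasks from /proc/<pid>/status and
# flag the two grab-bag capabilities the talk singles out.
import re

# Capability numbers 0-31 as defined by the 2.6-era kernel.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
]
GRAB_BAG = {"CAP_NET_ADMIN", "CAP_SYS_ADMIN"}

def decode_caps(mask):
    """Return the names of the capabilities set in an integer bitmask."""
    names = []
    bit = 0
    while mask >> bit:
        if mask >> bit & 1:
            # Bits beyond the table belong to capabilities added by later kernels.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names

def parse_status(text):
    """Pull the CapInh/CapPrm/CapEff/CapBnd hex masks out of /proc/<pid>/status text."""
    caps = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", text, re.M):
        caps[m.group(1)] = int(m.group(2), 16)
    return caps

def audit_effective(text):
    """Decode the effective set and report which grab-bag capabilities it holds."""
    eff = parse_status(text).get("CapEff", 0)
    names = decode_caps(eff)
    return {
        "count": len(names),
        "names": names,
        "grab_bag": sorted(GRAB_BAG & set(names)),
    }

# Constructed /proc/<pid>/status excerpt: a network daemon granted the
# network-related bits plus CAP_SYS_ADMIN, the usual "just make it work" choice.
SAMPLE_STATUS = """\
Name:\tnetd
CapInh:\t0000000000000000
CapPrm:\t0000000000203400
CapEff:\t0000000000203400
CapBnd:\t00000000ffffffff
"""

if __name__ == "__main__":
    report = audit_effective(SAMPLE_STATUS)
    print(f"{report['count']} effective capabilities: {', '.join(report['names'])}")
    print("grab-bag capabilities held:", ", ".join(report["grab_bag"]) or "none")
```

Against a live system the same function takes `open("/proc/<pid>/status").read()`; a daemon whose effective set lights up CAP_SYS_ADMIN is the case Russell's argument is about, since the audit cannot tell which of that capability's dozens of powers the program actually needs.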
Next on Russell's list is polyinstantiated directories. In words of fewer syllables, this means directories where each user gets his or her own, private copy. When applied to shared directories like /tmp, polyinstantiated directories can help defend the system against symbolic link and temporary file attacks. The necessary support is already there - the kernel has filesystem namespaces, shared subtrees, and the PAM modules to control these features. It's just a matter of hooking it all together in a way that works.
The ExecShield patch set is the next suggestion. In particular, Russell would like to see protection against executable stack and writable memory-mapped segments. As he pointed out, Fedora and Red Hat Enterprise Linux have shipped this feature for some time with little in the way of ill effects. It's mostly a matter of getting some of the remaining patches into the kernel mainline - or maintaining them separately in the Debian kernel.
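The two properties that paragraph names can be checked in a binary before it is ever run. As an added example (not from the article, and not an ExecShield component), the following Python reads the program headers of an ELF image and reports whether it requests an executable stack (a PT_GNU_STACK header marked PF_X, or no PT_GNU_STACK header at all, which older loaders treat as executable) and whether any loadable segment is both writable and executable. The ELF images it inspects are constructed in the block itself; `readelf -l` shows the same headers on a real binary.

```python
# Added example: audit an ELF image for an executable stack and for W+X
# loadable segments, the conditions ExecShield-style hardening rules out.
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

def program_headers(data):
    """Yield (p_type, p_flags) for every program header in an ELF32 or ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"                # ELFDATA2LSB or ELFDATA2MSB
    if ei_class == 2:                                  # ELFCLASS64
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        for i in range(phnum):
            off = phoff + i * phentsize
            yield struct.unpack_from(end + "II", data, off)     # p_type, p_flags
    elif ei_class == 1:                                # ELFCLASS32
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        for i in range(phnum):
            off = phoff + i * phentsize
            (p_type,) = struct.unpack_from(end + "I", data, off)
            (p_flags,) = struct.unpack_from(end + "I", data, off + 24)
            yield p_type, p_flags
    else:
        raise ValueError("unknown ELF class")

def audit_elf(data):
    """Report executable-stack and W+X segment findings for an ELF image."""
    stack_flags = None
    wx_segments = 0
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_LOAD and (p_flags & PF_W) and (p_flags & PF_X):
            wx_segments += 1
    # Without a PT_GNU_STACK header the loader historically falls back to an
    # executable stack, so "missing" is reported the same as "marked executable".
    exec_stack = stack_flags is None or bool(stack_flags & PF_X)
    return {"exec_stack": exec_stack, "stack_flags": stack_flags, "wx_segments": wx_segments}

def build_elf64(phdrs):
    """Construct a minimal little-endian x86-64 ELF image carrying the given (p_type, p_flags) headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize,
    # e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    header = struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ident + header + body

# Constructed images: a hardened layout, a sloppy one, and a pre-PT_GNU_STACK one.
HARDENED = build_elf64([(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W), (PT_GNU_STACK, PF_R | PF_W)])
SLOPPY = build_elf64([(PT_LOAD, PF_R | PF_W | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])
LEGACY = build_elf64([(PT_LOAD, PF_R | PF_X)])     # no PT_GNU_STACK header at all

if __name__ == "__main__":
    for name, image in [("hardened", HARDENED), ("sloppy", SLOPPY), ("legacy", LEGACY)]:
        print(name, audit_elf(image))
```

The check reports what the binary asks for; whether the request is honoured is decided by the kernel and loader, which is exactly where the ExecShield patches intervene.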
The TIOCSTI ioctl() command allows a process to stuff characters into a terminal device, from which they will later be read. If a hostile user can get an administrator to switch over to his account (with su, say), he can use this ioctl() to take over the administrator's shell. Ways of avoiding this attack include not using su in a number of situations - for example, by using ssh to log in as another user. The setsid() system call can also be used to create a barrier to defend against character-stuffing attacks.
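The setsid() barrier mentioned above works because a controlling terminal belongs to a session: a process started in a session of its own has none, and the kernel refuses TIOCSTI on a tty that is not the caller's controlling terminal (unless the caller holds CAP_SYS_ADMIN, another of the grab-bag powers). As an added example (not from the article), the following Python launches a less-trusted command in a fresh session and verifies from inside the child that it has no controlling terminal; the probe script run in the child is part of the example.

```python
# Added example: run a less-trusted command in its own session, the barrier
# setsid() provides against character stuffing into the parent's terminal.
import os
import subprocess
import sys

# Executed inside the child: report its session id and whether it has a controlling tty.
CHILD_PROBE = r"""
import os
try:
    os.close(os.open("/dev/tty", os.O_RDWR))
    has_ctty = 1
except OSError:          # ENXIO when the session has no controlling terminal
    has_ctty = 0
print(os.getsid(0), has_ctty)
"""

def spawn_in_new_session(argv):
    """Run argv in a fresh session and return its stdout as text."""
    # start_new_session makes the child call setsid() between fork() and exec(),
    # so it starts as a session leader with no controlling terminal.
    return subprocess.run(argv, capture_output=True, text=True, check=True,
                          start_new_session=True).stdout

def probe_child_session():
    """Return (parent_sid, child_sid, child_has_ctty) for a probe run in a new session."""
    out = spawn_in_new_session([sys.executable, "-c", CHILD_PROBE]).split()
    return os.getsid(0), int(out[0]), bool(int(out[1]))

if __name__ == "__main__":
    parent, child, ctty = probe_child_session()
    print(f"parent session {parent}, child session {child}, child has controlling tty: {ctty}")
```

The child still inherits the parent's terminal descriptors for ordinary reads and writes, which is why the article's alternative of logging in over ssh, which allocates a separate pseudo-terminal for the other account, is the more complete separation.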
Next is better support for Xen, especially at install time. Russell would like to be able to install a Debian server system where the only thing found in the host domain is an SSH server and the tools needed to get the guest domain running. All of the real server tasks would run in the guest. Then, if that guest is compromised, the core server's integrity remains, and it can be used to examine the guest closely. Among other things, rootkits running in the guest will have a much harder time hiding from an administrator running on the host.
Finally, Russell suggested that the Debian release following etch should install and run SELinux by default - just like Fedora does. Just running SELinux improves security, but things get better when the developers use it as well. SELinux can block attacks, but, when used by developers, it can reveal security-related bugs before anybody gets a chance to exploit them. In essence, SELinux is a language which is used to describe the expected behavior of an application; when the application deviates from the expectations, SELinux sounds the alarm and allows the situation to be investigated.
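The "sounds the alarm" part of that description takes the form of AVC records in the audit log, and the developer's job is to read them as a list of places where the program stepped outside its described behaviour. As an added example (not from the article), the following Python parses AVC records and groups denials by source type, target type and object class, which is the granularity policy is written at. The log lines are constructed to follow the audit AVC record layout and are not taken from a real host.

```python
# Added example: summarise SELinux AVC denials per (source type, target type,
# object class) so unexpected application behaviour stands out.
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)"
)
# key=value pairs; values may be quoted (comm="httpd") or bare (dev=sda1).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC record into a dict, or return None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # Contexts look like user:role:type:level; policy rules are written in terms of the type.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def summarise_denials(lines):
    """Group denied accesses as {(source_type, target_type, tclass): set(perms)}."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            summary[(rec["source_type"], rec["target_type"], rec["tclass"])].update(rec["perms"])
    return summary

# Constructed audit log: a web server writing to content it should only read,
# reading a file it has no business with, and connecting out to a database port.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1168900001.101:201): avc:  denied  { write } for  pid=2201 comm="httpd" name="index.html" dev=sda1 ino=13425 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1168900002.555:202): avc:  denied  { read getattr } for  pid=2201 comm="httpd" name="shadow" dev=sda1 ino=1182 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1168900002.555:202): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1168900003.010:203): avc:  denied  { name_connect } for  pid=2201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
""".splitlines()

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarise_denials(SAMPLE_AUDIT).items()):
        print(f"{src} -> {tgt} ({cls}): {' '.join(sorted(perms))}")
```

Each line of the summary is a question for the developer rather than a rule to add: the first may be a bug in the application, the second is the kind of access a policy exists to stop, and the third is a configuration decision about whether the server is supposed to reach a database at all.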
New Releases
BLAG 60000 (flout) Released
The Fedora Core 6-based BLAG 60000 is available from BLAG Linux and GNU. "BLAG 60000 (flout) is a new series with a new base (FC6) and many new applications. Featuring all of the applications below on JUST ONE CD. Burn copies and hand them out! It's got it all. Did I mention it's all on just one CD?"
FreeBSD 6.2 released
The FreeBSD Release Engineering Team has announced the availability of FreeBSD 6.2-RELEASE. "This release continues the development of the 6-STABLE branch providing performance and stability improvements, many bug fixes and new features."
FreeSBIE-2.0 released
The FreeSBIE team has announced the release of FreeSBIE 2.0, a live CD based on FreeBSD. "The development cycle started in August 2006 and, after many months and a series of four ISO images, an official stable FreeSBIE image is available. It went under many changes, many experiments, many bugfixes, many feature additions, but it was worth the work and the time we spent on it. We must express our thanks to everyone involved in the release process. FreeSBIE 2.0-RELEASE (codename Clint Eastwood) is based on the fresh FreeBSD 6.2-RELEASE, both in terms of sources and of packages. It contains more than 450 pieces and 1.3 gigabytes of software, all in a single CD-ROM of 668 megabytes."
IPCop Firewall 1.4.13 released (SourceForge)
Version 1.4.13 of IPCop Firewall has been announced. "IPCop is a friendly firewall solution running on Linux to protect networks. It will be geared towards home and SOHO users. Interface is task based. Hardware requirements could be very minimal and grow with services used. IPCop v1.4.13 is released unchanged from 1.4.13rc1. This release updates a few tools due to security issues, fixes bugs and updates some drivers. As usual, this version can be installed as an update from previous v1.4.x versions or with a ready-to-go ISO or USB bootable images for a fresh install."
Ubuntu Herd 2 released
Ubuntu has released the second Feisty Fawn Herd CD on the road to Ubuntu 7.04. "The primary focus during the time from Herd 1 has been the re-merging of changes from Debian and inclusion of new versions of applications. Notably, we have upgraded the kernel to 2.6.20." The Herd 2 CD is available for Ubuntu, Kubuntu, Edubuntu and Xubuntu.
Distribution News
Mandriva at the Solutions Linux 2007 summit.
Mandriva will be participating in the Solutions Linux summit, Jan. 30th to Feb. 1st, 2007. "Mandriva will take advantage of this event to share with the guests its vision of Linux and its passion for the open source sector. Besides the Mandriva philosophy, marrying both advanced technology and respect for the open source community, you will be able to discover all the products developed by the company."
BLAG 60000: Shipped to you for free
BLAG and The Linux Store have an arrangement where they will ship you the BLAG 60000 CD for free.
Distribution Newsletters
Fedora Weekly News Issue 73
This week's Fedora Weekly News covers the New Fedora Infrastructure Leader, GPG Keysigning at FUDcon, Preparation continues for SCALE 5X, Fedora Core 6 LiveCD Review, Red Hat's Fedora to Get Longer Support, and several other topics.
Gentoo Weekly Newsletter
The Gentoo Weekly Newsletter for January 8, 2007 looks at new Bugzilla servers, Gentoo on the HP iPAQ hx4700, SCALE to host Women in Open Source mini conference, interview with Derek Wise of GNi, and much more.
Gentoo Weekly Newsletter
The Gentoo Weekly Newsletter for January 15, 2007 is also available. Topics include Maintainer needed for gentoo-sources-2.4, Simplified Chinese translation team seeking help, Gentoo classes at MIT, and more.
DistroWatch Weekly, Issue 185
The DistroWatch Weekly for January 15, 2007 is out. "A somewhat slow week was concluded with a long-awaited new release of FreeBSD 6.2; we'll take a quick look at the new version and add a few more interesting bits and pieces from the BSD world. Besides covering the most popular BSD operating system, we also continue reviewing some of the promising new releases of 2006; this week it's the turn of Pardus Linux - an independently developed distribution with a superb package management infrastructure. In the news section, gNewSense starts work on a new release, a developer announces a Debian-based live CD for the Sony PlayStation 3, and Sun Microsystems offers a free DVD with Solaris 10 to all who are interested in checking out the venerable UNIX operating system."
Package updates
Fedora updates
Updates for Fedora Core 6: xterm (update to 223), autofs (bug fixes), glibc (bug fix), gcc (update from gcc-4_1-branch), cpuspeed (numerous bug fixes), postgresql (update to PostgreSQL 8.1.6), shadow-utils (bug fix), gimp-print (bug fix), lm_sensors (update lm_sensors to 2.10.1), linuxdoc-tools (bug fixes), util-linux (bug fix), m4 (bug fix), selinux-policy (bug fixes), cpuspeed (bug fixes), jpackage-utils (bug fixes), tar (bug fixes), gawk (bug fix), evolution-data-server (bug fix), gawk (bug fixes), udev (merge RHEL bugfixes), gnucash (update to 2.0.4), squid (update to the latest upstream), shadow-utils (bug fix), gettext (bug fix), python-numeric (update to 24.2), sysklogd (fix IPv6 patch), libselinux (bug fix), yum (update to 3.0.3), yum-metadata-parser (update to 1.0.3), udev (merge RHEL bugfixes), avahi (bug fix), nspr (upstream patch to fix ipv6 support), xen (bug fixes), system-config-printer (bug fix update), autofs (bug fix), foomatic (database update), strace (bug fixes), libselinux (man page fix).
Updates for Fedora Core 5: postgresql (update to PostgreSQL 8.1.6), gawk (bug fixes), logwatch (fix several logwatch services), xen (bug fixes), nspr (upstream patch to fix ipv6 support), strace (bug fixes).
Mandriva updates
Updates for Mandriva Linux 2007.0: nmap (bug fixes), desktop-common-data (add a menu item), lirc (fix for SMP-enabled kernels), bluez-utils (bug fix), perl-SOAP-Lite (bug fix), wvstreams (built with openssl 0.9.8), tripwire (bug fix).
rPath updates
Updates for rPath Linux 1: conary, conary-build, conary-repository (Conary 1.1.15 maintenance release), spamassassin, perl-IO-Socket-SSL, perl-IO-Zlib, perl-Archive-Tar, perl-IP-Country, perl-Net-CIDR-Lite, perl-Net-Ident, perl-Sys-Hostname-Long, perl-Mail-SPF-Query, perl-Algorithm-Diff, perl-Text-Diff (add spamassassin dependencies).
Ubuntu updates
Updates for Ubuntu 6.10: gnome-system-tools (bug fixes), gnome-vfs2 (bug fixes), gnome-vfs2 (another bug fix), pouetchess (bug fixes), mousepad (bug fix), vino (upload to edgy-updates), gtetrinet (bug fixes), tzdata (upload of the -proposed version to -updates).
Updates for Ubuntu 6.06 LTS: langpack-locales (bug fixes).
Distribution reviews
DeLi Linux: A light Linux distribution, done right (Linux.com)
Linux.com reviews DeLi Linux. "Perhaps one of the best Linux distributions tailored for older hardware is DeLi Linux. It's simple, and performs well enough to run on hardware as old as a 486. In fact, DeLi Linux runs on anything better than a 386 with at least 4MB of memory, though if you have only 4MB, don't expect stellar performance. Things get decent at 8MB, 16MB is smooth, and 32MB or more is perfect. I tested DeLi Linux on several machines, ranging from a 66MHz 486 DX2 with 8MB of RAM up to a Dell Pentium III system with 256MB of RAM. The 486 system struggled to open anything, taking several minutes if things got too complex, such as when I was running a window manager, the X server, and AbiWord. However, DeLi Linux surprised me by turning the old 486 into a usable system, provided I had patience to spare. What's more, the Pentium III was extremely responsive, being even faster than my main AMD64 system running Fedora Core 6."
Fedora releases a live CD (Linux.com)
Mayank Sharma reviews the first Fedora live CD on Linux.com. "The Fedora community got its first official live CD last month. Based on Fedora Core 6, it shows off the best of what Fedora has to offer. Furthermore, the tools used to put together the CD make creating and maintaining custom Red Hat or Fedora-based live CDs simple. The live CD comes as a 684MB ISO that supports only the i386 architecture. The compressed filesystem holds about 2.3GB of applications -- a fraction of the applications and utilities in the five-CD set that makes up Fedora Core 6. It runs Linux kernel 2.6.18 and the latest stable GNOME (2.16) and X.org (7.1). There's no cosmetic difference between the live CD and FC6 apart from wallpaper that reflects its time of release."
Ubuntu 6.10, OpenSUSE 10.2 Rise to (and in Some Ways Above) Microsoft's Vista Challenge (eWeek)
eWeek reviews Ubuntu 6.10 and OpenSUSE 10.2. "Ubuntu 6.10, also known as Edgy Eft, is the latest release in the popular line of Linux operating systems from Canonical. Ubuntu is a fairly young distribution, but its roots in Debian give it a solid foundation—both in terms of its code and in its community of users. This strong foundation is most evident in Ubuntu's excellent software management tools and wide catalog of prepackaged software. Ubuntu's catalog surpasses those of all other Linux distributions we've tested, and its software management tools outclass not only Linux rivals' but also Microsoft Windows' and Apple OS X's."
Page editor: Rebecca Sobol