Distributions
News and Editorials
New Debian-based Projects: Adamantix and Bonzai Linux
[This article was contributed by Ladislav Bodnar]
Adamantix and Bonzai Linux are two recently announced Debian-based projects. Both have changed their names since launch: Adamantix used to be known as Trusted Debian, while Bonzai Linux was originally called miniwoody. Let's take a brief look at these projects to see what they are about.
Adamantix http://www.adamantix.org/
The Adamantix project has set itself the goal of creating a highly secure extension of Debian's stable branch. Because it lacks an installer, it is not a distribution which one can download and install independently; instead the project provides a small subset of Debian packages together with a set of Adamantix-specific security software that makes the default Debian installation more secure and more resilient to malicious exploits. Peter Busser, the project's initiator and maintainer, argues that while Linux security patches and features are actively being developed by several projects, the mainstream Linux distributions seem reluctant to incorporate them into their own products. Adamantix is an attempt to remedy this situation for Debian users.
Which security features can we find in Adamantix? One of the more important ones is its protection against buffer overflows. The term "buffer overflow" refers to a software bug in which a program either fails to allocate enough memory for an input string, or fails to test whether the length of the string lies within its valid range. A hacker can exploit such a weakness by submitting an extra-long input to the program, designed to overflow its allocated input buffer and modify the values of nearby variables. This can cause the program to jump to unintended places, or even replace the program's instructions with arbitrary code. Buffer overflows are possibly the most common bugs found in software written in the C language, and they are the subject of many security advisories.
One method to prevent buffer overflow bugs from being exploited is to patch the Linux kernel with PaX. PaX has too many features to mention them all, but the most important one is its ability to separate data from code. This prevents the attacker from writing data into an overflowed buffer and then executing that data as code. Another important feature is the ability of PaX to randomize the layout of memory allocations, as illustrated here by a stack randomization example. Linux systems not patched with PaX allocate the stack at the same address every time the program is executed. A malicious attacker exploiting a buffer overflow therefore knows the address of the stack and knows exactly what gets overwritten by the malicious input. A PaX-enabled kernel places the stack at a random address every time the program is executed, so the attacker can never be sure what part of the stack gets overwritten. Besides the stack, PaX applies the same randomization to the heap, shared libraries and executable programs. As long as the attacker cannot figure out the randomization scheme, exploiting a known overflow becomes a hit-and-miss affair, with the odds heavily against the attacker.
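To make the two preceding paragraphs concrete, here is an added C example; it is not code from the article, from Adamantix or from PaX. It shows the unchecked string copy that produces the bug described above beside a length-checked version that rejects over-long input, and a small probe that returns the address of a stack buffer so the effect of PaX stack randomization can be observed by running the program more than once. The function names, the 16-byte buffer size and the sample inputs are all constructed for the example.

```c
/* Added example (not from the article, Adamantix or PaX): an unchecked copy
 * beside a bounds-checked one, plus a stack-address probe. All names and
 * sizes here are chosen for illustration. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define BUF_LEN 16   /* constructed size: the buffer holds 15 characters plus NUL */

/* Vulnerable pattern: the size of `buf` is never consulted. Any input longer
 * than BUF_LEN - 1 bytes is written past the end of `buf` into whatever the
 * compiler placed next to it on the stack. Shown only for comparison; it is
 * never called with untrusted data below. */
int copy_unchecked(char *buf, const char *input)
{
    strcpy(buf, input);   /* writes strlen(input) + 1 bytes regardless of buf's size */
    return 0;
}

/* Hardened version: the caller passes the buffer size and the input is
 * rejected outright when it would not fit together with its terminator.
 * Returns 0 on success and -1 on rejection; on rejection `buf` is left
 * untouched, so the caller can never see a partially written result. */
int copy_checked(char *buf, size_t buf_len, const char *input)
{
    size_t n = strlen(input);
    if (buf_len == 0 || n >= buf_len)
        return -1;                 /* would overflow: refuse instead of truncating */
    memcpy(buf, input, n + 1);     /* n bytes of text plus the NUL terminator */
    return 0;
}

/* Returns the address of a stack-allocated buffer as a plain integer. Under a
 * PaX kernel (or any later ASLR implementation) this value changes from one
 * run to the next; on the unpatched kernels the article describes it is the
 * same on every run. Run the program several times and compare. */
uintptr_t stack_probe(void)
{
    char local[BUF_LEN];
    local[0] = '\0';
    volatile uintptr_t addr = (uintptr_t)&local[0];
    return addr;
}

int main(void)
{
    char buf[BUF_LEN];
    /* Constructed inputs: one fits, the other is deliberately too long. */
    const char *short_input = "hello";
    const char *long_input  = "this string is far longer than sixteen bytes";

    if (copy_checked(buf, sizeof buf, short_input) == 0)
        printf("accepted: %s\n", buf);
    if (copy_checked(buf, sizeof buf, long_input) != 0)
        printf("rejected %zu-byte input (buffer holds %d)\n",
               strlen(long_input), BUF_LEN - 1);

    printf("stack buffer at %#lx (run again and compare the value)\n",
           (unsigned long)stack_probe());
    return 0;
}
```

The checked version rejects rather than silently truncates, because truncation changes the data without telling anyone and is itself a frequent source of follow-on bugs; a caller that wants truncation can implement it explicitly. The address printed by `stack_probe` is the observable side of PaX's randomization: on a kernel without it the number is stable across runs, which is exactly the predictability an overflow exploit relies on.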
Another important kernel patch used by Adamantix is RSBAC. RSBAC stands for Rule Set Based Access Control and, as the name implies, it is an access control framework designed for use with current Linux kernels. Again, its features are too numerous to detail here, but in essence the RSBAC patch implements a fine-grained control mechanism for access to files, pipes, network sockets, system control data, devices, users and processes. It provides users with pre-made rules (conceptually similar to iptables rules), as well as methods for creating custom rules, some of which can go as far as eliminating the concept of a superuser, and the risks associated with it. RSBAC also includes a powerful logging system which makes intrusion attempts easily detectable. RSBAC is an open source project, currently free of the patent issues which sometimes plague other similar efforts.
Installing Adamantix on an existing Debian system (only the current stable version is supported) is done by modifying the sources.list file and pointing its sources to one of the mirrors; in fact many Debian mirrors now carry the complete Adamantix tree. As is the case with most new projects, the documentation on the site leaves a lot to be desired, but Adamantix provides mailing lists with active discussion and information about current development. The project certainly deserves the attention of security conscious system administrators and developers.
Bonzai Linux http://developer.berlios.de/projects/bonzai/
Developed by Marcus Moeller, Bonzai Linux is a modified version of the Debian "netinst" boot CD. The "netinst" CD was introduced shortly before the release of Debian GNU/Linux 3.0 (Woody) and was meant to replace the traditional Debian boot floppies, thus making the installation process less cumbersome. After loading the necessary network kernel modules, a user could initiate a network installation and get all the components from a local network or, more commonly, from a remote FTP or HTTP source.
Bonzai Linux expands on the idea by providing a basic Debian system, including the latest stable kernel and KDE packages, on the CD. It is no longer necessary to load kernel modules at the beginning; in fact, it is no longer necessary to have intimate knowledge of the hardware at hand, since the "discover" utility is able to auto-detect all common hardware. This, together with a much simplified package selection menu (as opposed to the archaic and unintuitive "dselect"), greatly simplifies the installation procedure. Bonzai Linux can thus serve both as a stand-alone Linux distribution based on Debian Woody, but with the latest KDE, and as a more user-friendly Debian installer.
Adamantix and Bonzai Linux are specialist distributions, each suitable for a particular task or solving a particular problem. If some day you require a security solution for your Debian installation, take a close look at Adamantix, and if you need an easy-to-install Debian system, Bonzai Linux might be just the right tool for the job.
A Lindows short story
Last week's article about Lindows inspired some comment. Even though the article stated, "It goes without saying that LindowsOS does not prevent security conscious users from setting up user accounts and passwords.", the perception exists that LindowsOS runs everything as root. That may have been true in version 1.0, but it is not true now.
The following story, subtitled Lindows saves the vacation is a true story, told to me by LWN co-founder Elizabeth Coolbaugh (Liz). Liz was going on a vacation with both her mother and her daughter. Three generations embarking on a trip to meet relatives in Europe. The night before she planned to leave there was a power outage in Liz's neighborhood. Since she was already packed she took her daughter and headed to her parents house early. Only when she arrived she realized that an email with vital information was still on the mail server and had not been printed or copied.
Lindows to the rescue. Liz's father had just bought a brand new Lindows computer. He had usernames set up on the system because during setup he was told to do so. He set up a username for Liz and used Click-and-Run to find and install OpenSSH. Liz got to the mail server and found the email and the information contained therein.
So I, like most of you, have never run Lindows, but I do have it on good authority that setting up usernames and not running everything as root is the default behaviour for the current product.
Distribution News
Debian Weekly News
The Debian Weekly News for July 1, 2003 is out. This week: The South Australian government discusses a bill that requires government departments to use Free Software where practicable; British scientists found out that debugging in open source projects is always faster than in closed source projects; and much more.
Gentoo Weekly Newsletter -- Volume 2, Issue 26
The Gentoo Weekly Newsletter for June 30, 2003 is out. This week's topics include: Gentoo Linux adopts a new management structure, Fork of Gentoo Linux announced, GWN seeking additional translators, and more.
Lycoris Desktop/LX
Lycoris, Microtel and www.walmart.com have teamed together to bring back the $199 Desktop/LX powered PC. Click below for details.
Mandrake Linux
HP has announced a desktop PC for small and medium businesses (SMB), the HP Compaq Business Desktop d220 Microtower, which offers Mandrake Linux v9.1 as a choice of operating system.

The XFS-related tools released with Mandrake Linux 9.1 were outdated at release. This update brings all of the XFS-related tools up to date, which provides better support for the XFS filesystem, fixes bugs, and offers other enhancements.
MontaVista Linux
IDT and MontaVista Software announced the extension of a partnership to provide Linux support for the IDT Interprise family of integrated communications processors. MontaVista Linux Professional Edition 3.0 supports the IDT 79EB438 evaluation board that includes the IDT RC32438 Interprise PCI processor.
Trustix Secure Linux
Trustix has released Trustix Secure Linux 2.0 (Cloud). Click below for details.
Hitachi H8 Integrated Into uClinux
SnapGear, Inc. has released a technical paper describing its recently completed integration of support for the Hitachi H8 300S processor with the uClinux distribution.
Red Hat Linux
Red Hat has an updated redhat-config-date package fixing a symlink-related bug, for Red Hat Linux 8.0 and Red Hat Linux 9.
Slackware Linux
Slackware Linux: Some patches were applied to readline, similar to the ones applied previously to bash. See the slackware-current changelog for complete details.
Yellow Dog Linux
Yellow Dog has updated redhat-config-date packages for Yellow Dog Linux 3.0.
New Distributions
BSLinux
BSLinux, from Blue Sock Linux Solutions, is a GNU/Debian-based distribution with a very simple installation process based on KDE. It supports many partition types, including XFS, JFS, ReiserFS, VFAT, EXT2, and EXT3. It uses XML and provides many new viewpoints to the way things can be done. Beta 1 was released June 27, 2003.
LGIS GNU/Linux
LG Internet Solutions has announced the immediate availability of LGIS GNU/Linux 9. LGIS GNU/Linux is a Ximianized version of Red Hat Linux. (Found on GnomeDesktop).
Minor distribution updates
Astaro Security Linux
Astaro Security Linux has released v3.219 (Stable 3.x) with minor feature enhancements. "Changes: This Up2Date adds the "V4 Upgrade" functionality to the "System->Up2Date" menu."
Coyote Linux
Coyote Linux has released v2.00-pre6 with major bugfixes. "Changes: Typos in the init scripts that would prevent static IP address configurations from working properly have been fixed. Code has been added to build a resolver config for DHCP clients so that the internal DHCP server will initialize properly. A bug in the firewalling code that would prevent NAT rulesets from being enabled for PPPoE configurations has been fixed." Then 2.00-beta2 was released with more bug fixes.
Damn Small Linux
Damn Small Linux has released v0.3.11 with minor feature enhancements. "Changes: This release has PCMCIA support, and an experimental routine to grab Mozilla Firebird from the Internet and auto-install the browser while holding it in memory."
MoviX2
MoviX2 has released v0.3.0rc2 with minor bugfixes. "Changes: This release has been done mainly to replace Microsoft's TrueType fonts with OpenSource similar fonts. A few bugs have been also fixed (ISA/SCSI module loading) and a few new features introduced (support for serial remotes and a way to set easily custom defaults for the boot args)."
Pingwinek GNU/Linux
Pingwinek GNU/Linux has released v0.24 with minor feature enhancements. "Changes: This version features many new packages including Evolution, Conglomerate, Apache2, PPP, and others."
Recovery Is Possible! (RIP)
Recovery Is Possible! (RIP) has released v56 with major feature enhancements. "Changes: All the included programs have been updated to the full versions, and the image viewer program zgv has been added. tmpfs is now used, so half of your system memory will be used as virtual disk space."
RxLinux
RxLinux has released v1.4.5 with major feature enhancements. "Changes: This release rebuilds the root filesystem from sources following the Linux From Scratch 4.1 instructions and rebuilds the package selection interface."
uClinux
uClinux has released Linux kernel patches, v2.4.21-uc0, with major feature enhancements. "Changes: Major changes were made to IDE support. A few additions were made to the "asm" include directories, and basic testing was performed on the 68328/Coldfire/ARM/SuperH and H8300. IDE was also tested on the Coldfire 5249."
Distribution reviews
Getting to Know Debian (SitePoint)
Jono Bacon has written an article introducing Debian. "The Debian project is entirely volunteer-run and doesn't seek to generate profit. This essentially means that, while the will is there to continue to improve Debian, the project will always progress, irrespective of economic matters." (Found on Debian Planet)
Page editor: Rebecca Sobol