
Distributions

Openwall Linux 3.0: Linux for the security-conscious

January 4, 2011

This article was contributed by Koen Vervloesem

Openwall GNU/*/Linux (or, in short, Owl) is a security-enhanced Linux distribution, intended as a server platform. Almost five years after the (then Linux 2.4-based) 2.0 release and more than 10 years after the start of the project, the developers have now released a major update in version 3.0. It is based on a RHEL 5.5-like Linux 2.6 kernel along with optional OpenVZ container-based virtualization.

The first question most people will have is: what is so "security-enhanced" about Owl? Aren't major Linux distributions such as Red Hat Enterprise Linux, Ubuntu, openSUSE, and so on secure? Of course, they continuously patch known security vulnerabilities and some of them (Red Hat in particular) implement security features to decrease the impact of vulnerabilities, but none of them really focuses on preventing vulnerable software from getting into the distribution in the first place.

For the Owl developers, software design and code quality are the first priorities. Before they include a package in their distribution, they check whether it typically runs with elevated privileges (such as SUID/SGID programs) or whether it uses data obtained over the network as its input (such as network services). Both cases are possible attack vectors, so the Owl developers audit the source code and implement safer default configurations. They also modify the software to introduce privilege separation and to apply the least privilege principle. The developers describe their philosophy in the CONCEPTS page on the project's web site.

Since Owl 2.0 (which got security fixes and a couple of bug fixes over four years), there have been a lot of changes in the distribution. The 2.4 kernel has been swapped for OpenVZ's latest from their "RHEL5 testing" branch (currently 2.6.18-194.26.1.el5.028stab079.1), with some additional security-related patches. There is now also Ext4 filesystem support and the installer offers Ext4 by default. Xz compression support has also been added throughout the whole system: not only with commands like xz, xzcat, xzdiff, xzgrep, xzless, and so on, but also with xz support in tar, rpm, less and other tools.

Installation

Compressed ISO images for x86 and x86_64 can be downloaded from the project's home page or one of the mirrors. Alternatively, users who want to donate money to Openwall can purchase a CD. Both the ISO images and the CD contain a live system and an installer program, as well as the full source code and a build environment. There are also OpenVZ templates that can be used to run in OpenVZ containers (operating system-level virtualization). This could be useful to isolate various virtual servers, each in their own Owl OpenVZ container, on top of another Linux distribution or Owl itself, which has the necessary kernel and tools to run OpenVZ containers.

If you choose "normal" in the boot menu, the Owl CD boots into single user mode. Once you see the shell prompt, you can choose to configure the system (such as localization, timezone, network, ...) with setup and exit the shell to let the system boot into the multi-user live mode, or you can start the installer with settle. The installer has an ncurses-based bare-bones interface and doesn't hold the user's hand, but it does the job.

[Owl password screen]

The focus on security is particularly clear in the window where the user has to choose a root password: the text describes a handful of requirements for a secure password and shows a possible secure but easy to remember password like "While3frail8buggy". If the user fails to enter a secure password, the installer refuses the password and asks for a new one. Also, Owl 3.0 is one of the few Linux distributions that still uses LILO instead of the more complex (and hence, potentially less secure) GRUB.

No SUID programs

The announcement of Owl 3.0 specifically mentions the effort the developers have done to eliminate SUID programs:

A curious detail is that there are no SUID programs in a default install of Owl 3.0. Instead, there are some SGIDs, where their group level access, if compromised via a vulnerability, can't be expanded into root access without finding and exploiting another vulnerability in another part of the system - e.g., a vulnerability in crontab(1) or at(1) can't result in a root compromise without a vulnerability in crond(8) or in a critical system component relied upon by crond(8).

This assertion can be easily verified by a find / -perm -4000 command, which doesn't return any file with the SUID bit set in a fresh Owl install. To make this possible, the Owl developers rewrote the ping command, for example, to run as an unprivileged user. Another interesting rewrite is the passwd command. Traditionally, password hashes and password policy information of all users are stored in a single file, /etc/shadow. This forces passwd to be SUID root, which means that when a user runs the program, it has the privilege to alter all entries in the shadow file, not only this user's own entry. As a result, if passwd is compromised because of an exploit, the attacker is able to change all passwords.
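As an added example (not Owl's own tooling), the following Python script reproduces the find / -perm -4000 check and goes a step further: it separates SUID-root, SUID-to-another-user and SGID executables, following the article's reasoning that only the first class hands an attacker root directly. On a fresh Owl 3.0 install it should report no SUID entries; whatever it lists is simply what it finds on the host.

```python
import os
import stat
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    uid: int
    gid: int
    mode: int   # permission bits only, e.g. 0o2755
    kind: str   # "suid-root", "suid" or "sgid"


def classify_mode(mode: int, uid: int) -> list[str]:
    """Return the privilege classes a regular file's mode bits imply.

    SUID root is the case the article singles out: a bug in such a program
    yields full root. SUID to another user and SGID (crontab on Owl) are
    bounded by that user's or group's access, so they are reported separately.
    """
    kinds = []
    if not stat.S_ISREG(mode):
        return kinds  # set-id bits on directories or symlinks are not programs
    if mode & stat.S_ISUID:
        kinds.append("suid-root" if uid == 0 else "suid")
    if mode & stat.S_ISGID:
        kinds.append("sgid")
    return kinds


def audit_tree(root: str) -> list[Finding]:
    """Walk `root` (not following symlinks) and collect SUID/SGID regular files."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so a symlink to a SUID file is not double-counted
            except OSError:
                continue  # unreadable or vanished entry: skip, do not abort the audit
            for kind in classify_mode(st.st_mode, st.st_uid):
                findings.append(Finding(path, st.st_uid, st.st_gid,
                                        stat.S_IMODE(st.st_mode), kind))
    return findings


if __name__ == "__main__":
    import sys
    for f in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{f.kind:9} {f.mode:04o} uid={f.uid} gid={f.gid} {f.path}")
```

Run it as root to cover directories a normal user cannot read; entries it cannot stat are skipped rather than aborting the scan.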

The Owl developers have invented an alternative mechanism for password management, which they call tcb. Each user is assigned a separate shadow file, owned by this user, e.g. /etc/tcb/root/shadow owned by the "root" user and the "auth" group, and /etc/tcb/joe/shadow owned by the user "joe" and the "auth" group. This "auth" group may be used to grant a process read access to all password hashes, but the passwd and chage commands are made SGID shadow, so both commands have access only to the invoking user's own password hash and password policy. This move to tcb is transparent for existing applications, because they don't read the shadow file directly but rely on interfaces like PAM (in Owl handled by the PAM module pam_tcb) and NSS (handled by libnss_tcb).

It's interesting to see that other Linux distributions are also trying to remove SUID applications. For example, Red Hat's Dan Walsh wants to replace SUID in most applications by using file capabilities in Fedora 15. On the Ubuntu side, Canonical's Kees Cook is also working on using file capabilities. The Owl developers, though, have another approach, and the lead developer Alexander Peslyak describes some issues with the file capabilities approach. Also of note is what LWN.net guest author Neil Brown had to say about SUID in his article "Ghosts of Unix past, part 4: High-maintenance designs".

Security tools

Owl provides the control command to enable, disable, or configure some security-related facilities. Using the command without options lists all available facilities, their current setting, and any available settings. You can also get the current setting of a specific facility: for example, if you want to know if passwd is using the tcb or the traditional mechanism, just run control passwd. And if you want to see all available choices for the passwd setting, just run control passwd list. You can also change a setting, e.g. control passwd traditional to change the tcb default of passwd to the traditional shadow-based approach. The use of su is by default restricted to root because it has no SUID bit, but if the root user runs control su public, /bin/su gets the SUID bit so every user can run su to assume another user's identity. Under the hood, the control command uses shell scripts in /etc/control.d/facilities/ for the various services.

The Owl developers also ported several programs from OpenBSD, which is also a security-focused operating system: mtree, Vixie cron, telnet (with modifications to introduce privilege separation), netcat, and mailx. In general, software that is imported into Owl gets an average of four patch files to improve security: half of the patches from the Owl developers, the other half imported from various distributions or the BSDs.

The Owl developers have also created some useful security programs that can be used on other distributions. The famous password cracker John the Ripper, for example, is made by them, as is the password strength checker passwdqc, the port scan detection tool scanlogd, and the secure POP3 daemon popa3d.

By default, the system has a fair amount of tools installed, like vim, mutt, netcat, screen, nmap, openntpd, the OpenSSH server and client, postfix, procmail, vsftpd, lftp, and, of course, the already mentioned tools developed by the Openwall team. Owl uses the rpm package manager, but it has no repositories; instead, the user can rebuild the entire system from source with a make buildworld command and install the packages with make installworld. This is also the way to update an Owl system. If you want additional packages, the developers promise that in most cases it is possible to install packages for Red Hat Enterprise Linux, CentOS, or Fedora on Owl.

The Openwall developers have a community wiki with a lot of information about the Owl distribution and their other projects. In addition, the owl-users mailing list is the perfect place for questions about the use of Owl. The development team is rather small but dedicated, and they welcome patches, for which they publish a howto. All in all, Owl is really suited for the security-conscious Linux server administrator, but it also shows that there are alternatives to the security approaches taken by the mainstream Linux distributions.


Brief items

Mandriva 2010.2 released

The Mandriva 2010.2 release is out. "As announced previously, Mandriva 2010.2 is an incremental update on top of Mandriva 2010.1, incorporating all the security and bugfix updates since its release." The release is available on the Mandriva download site.


Distribution News

Debian GNU/Linux

bits from the DPL: news, sprints, comm. & collaboration

These bits from Debian Project Leader Stefano Zacchiroli include a plug for RC bug squashing, sprints, communication, collaboration with others, and several other topics.


Fedora

Unofficial Fedora FAQ Updated for Fedora 14!

The Unofficial Fedora FAQ has been updated for Fedora 14. "As usual, the FAQ contains useful information on playing MP3s, watching DVDs, installing proprietary 3d drivers, and handling common problems. There is a lot of other useful information in the FAQ, too, and it's all in an easy-to-read step-by-step instruction format that almost anybody should be able to follow."


Fedora Board Recap 2011-01-03

Click below for the minutes of the January 3 meeting of the Fedora board. Topics include some catch up after the holidays and festivities, board goals for 2011, and several other items.


Working together on Fedora Remixes

Rahul Sundaram has announced a new mailing list for the discussion of Fedora Remixes. "If you are looking for help on creating a new Fedora Remix or hoping to work together with maintainers of other Fedora Remixes, there is a new mailing list for you!"


FUDCon Tempe: Gaming!

Tom "Spot" Callaway is organizing two nights of gaming at FUDCon Tempe (Jan 29-31, 2011). "This is an opportunity for FUDCon attendees to meet your fellow Fedorans and enjoy some of the geekiest board games we can find (or at least, what spot brings along from his collection)."


SUSE Linux and openSUSE

openSUSE finished 2010 big

openSUSE News has a post on openSUSE's newest projects. "Since the openSUSE Conference in Nuremberg in October, the openSUSE community has been extremely active. New projects announced there have had progress, others have emerged. One example of the latter would be Project Tumbleweed, aiming to create a rolling-release repository for openSUSE. Going in the opposite direction is Project Evergreen — the Evergreen developers want to provide longer-term support for older openSUSE releases for a core set of packages. And there is the new Virtualization:Cloud project, where a team got together to create a cloud software repository. Finally, we can't forget to mention the new GNOME:Atayana project, bringing Unity to openSUSE! And those are new just since our last conference!"


Newsletters and articles of interest

Distribution newsletters


Red Hat Enterprise Linux 6 review (V3.co.uk)

V3.co.uk has a review of RHEL 6. "One of the most welcome changes is enhanced support for the latest multi-core processors, Red Hat claiming the ability to handle up to 4,096 cores/threads per system image in RHEL 6 - up from 64 in the previous release. Likewise, the addressable memory limit gets a boost, from 1TB to 64TB should you find a server able to support it. There's technology also to identify and quarantine defective memory areas and allow processors and RAM to be added on the fly, albeit only on hardware that allows this kind of component hot-swapping which, again, is rare."


Page editor: Rebecca Sobol


Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds