Hardened Lunar Linux - More Informations
Jean Michel Bruenn
jean.bruenn at ip-minds.de
Fri Mar 9 21:15:24 CET 2007
Hello,
i collected this from IRC, so that ppl may better understand what i
want.
I try to make security-improved modules for Lunar Linux especially
for server-environments or environments where security is needed.
When using this security-improved modules - The System wouldn't be
as user friendly as it is now.
You don't need to use GRsec or Selinux - But there will be patches
asking u to use them if you're using grsec or selinux - For example
it would ask via mquery use PAX patches for use by grsec?
here's the log - at the bottom informations about patches.
<Striker`Work> yeah, but your email basically only covered SELinux and grsec
<wdp> it doesn't
<wdp> my email meant to use patches for modules, to make a hardened lunar linux.
<Striker`Work> you didn't say what they were
<Striker`Work> just that you listed a few random module-hd
<wdp> (So it could be better used with grsec or selinux. But that's not a MUST)
<Striker`Work> you didn't tell anyone what patches would be used
<Striker`Work> nor any benefits to using them
<wdp> I did. The benefits are: The System would be more secure.
<wdp> And less user friendly.
<Striker`Work> you can't use blanket statements like that
<Striker`Work> those only appeal to ricers
<Striker`Work> zomg your system will be more secure and FASTER!
<Striker`Work> if i'm gonna use a "hardened" patch
<Striker`Work> i wanna know what it does
These are example Patches (there are a lot more
patches...) - PLEASE look at my comments, you
see them in { }
- binutils..This patch uses mkstemp(3) and mkdtemp(3) for temporary
file creation, if they are available, rather than the
default mktemp(3). This is safer and removes
some compiler warnings.
- binutils..This adds PT_PAX_FLAGS to Binutils. See:
http://pax.grsecurity.net/
{ this does not mean you have to use grsecurity }
- bzip2..Fixes filename sanitisation in bzgrep.
This fixes CAN-2005-0758 (if a user can be tricked
into running bzgrep in an untrusted directory containing
files with carefully crafted filenames, arbitrary
commands could be executed as the user running bzgrep).
Risk is reported as low. I've modified it to force
the interpreter to be bash, some of the other shells
in use won't like the bash syntax.
- diffutils..This patch removes the more portable and less safe
use of tmpname(3), in preference of mkstemp(3).
- gawk..Fixes a bug which causes gawk to segfault when
operating on a non-existent file.
- glibc..Move nested function to a static one so we avoid
generating a trampoline.
now i get maybe, better comments.
Cheers
Jean
More information about the Lunar-dev
mailing list