These all need fixing. The major one from a security point of view is the use of AppArmor. Ubuntu and SUSE, along with others, keep telling users that AppArmor is simple to use, yet they fail to mention something important. Just like any other experimental science, security systems should undergo review by other parties. AppArmor failed its review for inclusion by default in the Linux kernel.
Yes, designing a security system for an OS is a science. You try something, it fails, you improve it and try again until you get something that works. Of course, to avoid repeating the mistakes of others, it pays to read what has worked and what has failed before starting out.
Where did AppArmor fail? Quite simply, it is path based: there is no framework in the Linux kernel to enforce that, and their system for doing it is flawed. Tomoyo, another security framework that uses paths, is working on solving the enforcement issue, always putting its designs forward for review on the Linux kernel mailing list because they want to get it completely right.
Until that issue is fixed with a reviewed security model, neither Tomoyo nor AppArmor should be used in production systems, since using a defective security system on Linux is equivalent to using a defective anti-virus.
The next major weakness is that among all the security systems of Linux there is not a single file format to describe what they all require from an application developer's point of view. So distributions create their own security profiles. The people who know the most about an application are its developers, not the maintainers in distributions.
Distributions sticking to old security designs is also a major problem. Would you really buy an old car with defective tyres? The Linux kernel basically keeps old security designs alive for backwards compatibility so that old distributions can be kept running. Yet for some reason people seem to think it is still fine to use them just because they are still in the kernel. Sorry, no: old defective designs should be replaced with something better when distributions rework their packages.
Suid bits have not been necessary for a while now. A suid bit changes the user to the owner of the file in order to perform a task. Does anyone else see the problem with running ping as root, along with thousands of other programs? It is like a huge "kick me" sign: a single one with an exploitable defect and you are stuffed. POSIX file capabilities, in the Linux version of them, are designed to do away completely with giving an application fully uncontrolled root access. Ping only needs higher network access, no other special powers. Yet there are still thousands of distributions out there where, when you check ping, it has too many privileges.
There is another side effect of what they have done: if you build the Linux kernel with the root user's privileges removed and then try to run their distribution on it, the complete distribution stops dead. A distribution with POSIX file capabilities set up right does not require root. The Linux kernel has recently had to go as far as making it impossible to build without POSIX file capabilities because many distributions were going so far as to disable them. At the rate it is going, one day the Linux kernel is going to have to ship without a root user by default to make some of these distributions pull their heads out of the sand and fix the security problems. Where are the pitchforks of users going after distributions? Why should they get a free ride on not keeping security designs up to date?
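The audit implied by the ping example, as an added example that is not code from the original post: it walks a directory tree for setuid executables, and for each one reports whether it carries POSIX file capabilities instead. It assumes a Linux system with GNU find and, optionally, getcap from libcap; the OWNER argument, the function names and the directory list are choices made for this example.

```sh
#!/bin/sh
# Added example, not code from the original post. Audits a directory tree for
# setuid executables (the "kick me" signs the post describes) and reports
# whether each one carries POSIX file capabilities instead. Assumes a Linux
# system with GNU find and, optionally, getcap from libcap.

# list_setuid DIR [OWNER]
#   Prints every regular file under DIR that has the setuid bit and is owned
#   by OWNER (default root), one path per line, sorted. Relies on find's own
#   permission and ownership tests rather than parsing ls output.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -user "${2:-root}" -print 2>/dev/null | sort
}

# count_setuid DIR [OWNER]
#   Number of matching files; on a tree that uses capabilities properly this
#   tends towards zero.
count_setuid() {
    list_setuid "$1" "$2" | wc -l | tr -d ' '
}

# report_caps FILE
#   Prints "caps: <set>" when the file carries file capabilities, "caps: none"
#   when it carries none, and "caps: unknown ..." when getcap is not installed.
#   Handles both getcap output styles: "FILE = cap_net_raw+ep" (older libcap)
#   and "FILE cap_net_raw=ep" (libcap 2.41 and later).
report_caps() {
    if ! command -v getcap >/dev/null 2>&1; then
        echo "caps: unknown (getcap not installed)"
        return 0
    fi
    caps=$(getcap "$1" 2>/dev/null | awk '{ $1 = ""; sub(/^ *=? */, ""); print }')
    if [ -n "$caps" ]; then
        echo "caps: $caps"
    else
        echo "caps: none"
    fi
}

# audit_setuid DIR [OWNER]
#   One line per setuid file: "<path> caps: <set|none|unknown ...>".
#   A setuid-root ping reported as "caps: none" is the over-privileged case
#   the post complains about. The fix is to grant only the capability ping
#   needs and drop the setuid bit; it requires root, so it is left as a comment:
#     setcap cap_net_raw+ep /bin/ping && chmod u-s /bin/ping
audit_setuid() {
    list_setuid "$1" "$2" | while IFS= read -r f; do
        printf '%s %s\n' "$f" "$(report_caps "$f")"
    done
}

# When run with directory arguments, audit each of them for setuid-root files,
# e.g.:  sh audit_setuid.sh /bin /sbin /usr/bin /usr/sbin
if [ "$#" -gt 0 ]; then
    for d in "$@"; do
        [ -d "$d" ] && audit_setuid "$d"
    done
fi
```

The functions take the owner as a parameter so the audit can be exercised on a scratch directory without root; in real use the default (root) is what matters, because a setuid binary owned by an unprivileged user grants nothing worth worrying about. Files that show a capability set such as cap_net_raw+ep and no setuid bit are the shape the post is asking distributions to ship.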
Configuration. This is a major security issue: all distributions have always wanted to go their own way on this, which leads to a system that is hard to keep configured correctly. It has taken freedesktop.org to come in and sort the issue out between application developers. Be aware that PolicyKit at freedesktop.org has very few distributions showing any great interest in creating a common solution. Same again: why are users of distributions not on their backs to get a common configuration system?
If you are going to attack somewhere, get it right. Complacency is a big problem in the Linux world. It will not stay secure if you don't speak up, particularly to your distribution and in the media.
1 comment:
Nice to see you again, oiaohm! Have a nice 2009!
Is the path problem related to hard links? If so, one could say that the default system (excluding the user area) with AppArmor is impervious to such exploits, because all important binaries are guarded by AppArmor and default permissions.
I consider SELinux the best solution technically; however, it's very cumbersome to require recompiling almost every binary for it. AppArmor can be applied transparently and very easily; I regard it as a temporary solution until SELinux becomes easier to deploy. Until then, they practically look equally secure to me.