Linux-Development-Sys Digest #453, Volume #8 Tue, 30 Jan 01 11:13:11 EST
Contents:
Re: can Linux be secure? (Johan Kullstam)
Re: can Linux be secure? (Erik de Castro Lopo)
Re: how to trace Xlib calls? (Kasper Dupont)
Re: 2.4.1pre and 2.4.0ac problem: __buggy_fxsr_alignment undefined (Kasper Dupont)
Re: Kernel's HARD reset (Kasper Dupont)
Re: ext3 patch for 2.4 ? (Kasper Dupont)
WINE woes (Anonymous)
Re: 512M Physical Memory (Kasper Dupont)
Re: WINE woes (Kasper Dupont)
Re: PCI bus access (Grant Edwards)
check on data on fd ("O.Petzold")
Re: How to Recompile the Linux Kernel? (Toby Haynes)
Re: can Linux be secure? (Toby Haynes)
----------------------------------------------------------------------------
Subject: Re: can Linux be secure?
From: Johan Kullstam <[EMAIL PROTECTED]>
Date: Tue, 30 Jan 2001 11:16:34 GMT
[EMAIL PROTECTED] writes:
> On Mon, 29 Jan 2001 20:18:09 GMT Erik de Castro Lopo <[EMAIL PROTECTED]> wrote:
> | OpenBSD is installs "secure by default". You then have to add stuff
> | to make it insecure^H^H^H^H^H^H fuctional.
>
> Are you saying functional == insecure?
yes. any functionality implies risk. my refridgerator is quite
secure from remote exploit, yet it makes a lousy ftp server.
i packet firewall out many "services". for example, i cannot telnet
in. that's a functionality i've traded for security.
--
J o h a n K u l l s t a m
[[EMAIL PROTECTED]]
Don't Fear the Penguin!
------------------------------
From: Erik de Castro Lopo <[EMAIL PROTECTED]>
Subject: Re: can Linux be secure?
Date: Tue, 30 Jan 2001 11:40:48 GMT
[EMAIL PROTECTED] wrote:
>
>
> My basic concern is with the kernel.
The kernel has had a very small number of local exploits over the
last few years. (I don't know of any remote exploits.) These have
been found and fixed in a matter of hours. Its simply a matter of
you, the administrator, applying the fixes if and when they are
found.
On a statistical basis you are unlikely to be one of the first
people hacked unless you run a high profile machine like
slashdot.org or microsoft.com.
<snip>
> One approach to security I have designed is to use more than one
> different platform in redundant services. For example, run DNS
> services on a concurrent set of Linux, OpenBSD, and Solaris. Then
> if one of them becomes exploitable, just pull the plug on it.
Nice approach if you can afford it but its overkill. Remember that
99.9999% of all system crackers are script kiddies who only know
how to run whatever the latest exploit is.
You need to make a value judgement about what it is you are protecting.
If its the server for a small business web page your approach is
overkill. If you are trying to protect tens of thousands of credit
card numbers then there is a better way. Machines with stroed credit
card numbers should no be connected to the public internet.
One way to protect against the script kiddies to to run Linux on
a non-x86 computer. The scripts always come out with stack smashing
code for x86 before its written for other architectures. By runnng
Linux on PPC, Sparc or Alpha you give yourself just a little more
time to secure your system.
<snip>
> Are you saying functional == insecure?
That was tongue in cheek but not too far from reality. Some people
say that the only way to truely secure a computer is to unplug it from
the net, turn it off, lock it in a vault, lower the vault into a
pit and fill the pit with concrete. Its no longer useful but it is
secure.
All that aside, if you do the standard Debian and OpenBSD installs on
two identical machine you will get one machine thats ready to run as a
workstation or server on a secure LAN (but not the internet) and one
machine that has almost nothing on it and is safe to connect to the
public internet.
> | Debian is audited almost as heavily as OpenBSD but the default
> | install is insecure just like most other distributions.
>
> So it defeats the purpose.
Thats not true. Debian (and most other Linux distributions) enables
everything by default (even NFS) while OpenBSD enables almost nothing
by default.
You therefore start at different points. On Debian you have to disable
things and turn off options until you get a safe and useful machine.
With OpenBSD you start with a safe machine and add things until
you get a useful one.
This is due to the aims of the two projects being so different. The
aim of the Debian project is to create a well debugged system,
with a complete set of software to do just about anything. The aim
of the OpenBSD project is to create the most secure out-of-the-box
system on the planet.
Different aims lead to differnt results.
Erik
--
+----------------------------------------------------------+
Erik de Castro Lopo [EMAIL PROTECTED] (Yes its valid)
+----------------------------------------------------------+
Q. What is the difference between Jurassic Park and Microsoft?
A. One is an over-rated high tech theme park based on prehistoric
information and populated mostly by dinosaurs, the other is a
Steven Spielberg movie.
------------------------------
From: Kasper Dupont <[EMAIL PROTECTED]>
Subject: Re: how to trace Xlib calls?
Date: Tue, 30 Jan 2001 12:56:34 +0100
Mike McDonald wrote:
>
> In article <953dbs$cjl$[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] writes:
> > Hello,
> >
> >
> > I would like to trace which Xlib calls are performed from Java Virtual
> > Machine. I need to trace these calls at X server side because this
> > application is Java based and no one tracing tool (for example 'ltrace' or
> > 'sniffit') can deep to 2nd calls, performed from called Java libs. As I
> > understand, I need to compile Xlib from sources with corresponded printf(s),
> > but I don't want to spend time in playing with Xlib sources.
> >
> > Does anybody know how could I solve this problem? Which tools should I use to
> > catch Xlib calls at X server side or perhaps there is such a flag in existing
> > X server environment? Any other suggestions?
>
> What you want is called an X proxy server. They accept X connections and the
> X protocol packets, do something with them, and then forward them onto a real
> X server. The do something with them part could be to print them out! There's
> two that came with my RH6.2 system so it shouldn't be too hard to find the
> soucres of one and hack it to do the printing. (There might already be one on
> x.org that does it.)
One of them is called Xnest, I don't know about the other.
>
> Mike McDonald
> [EMAIL PROTECTED]
--
Kasper Dupont
------------------------------
From: Kasper Dupont <[EMAIL PROTECTED]>
Subject: Re: 2.4.1pre and 2.4.0ac problem: __buggy_fxsr_alignment undefined
Date: Tue, 30 Jan 2001 13:09:02 +0100
J�rgen Koslowski wrote:
>
> Since nobody has responded to this, let's try it once more:
> This happens on an old Pentium 133 using (p)gcc-2.95.2.1.
>
> J�rgen Koslowski ([EMAIL PROTECTED]) wrote:
> : Hi,
>
> : When trying to compile the latest 2.4.1pre or 2.4.0ac kernels, I get
> : the following error message at the end:
>
> : -o vmlinux
> : init/main.o: In function `check_fpu':
> : init/main.o(.text.init+0x53): undefined reference to `__buggy_fxsr_alignment'
> : make: *** [vmlinux] Error 1
>
> : The offending function occurs in linux/include/asm-i386/bugs.h.
>
> and nowhere else in the source tree.
>
> : The 2.4.0 kernel compiled fine and runs ok. Any ideas?
>
> : -- J�rgen
>
> : --
> : J�rgen Koslowski If I don't see you no more on this world
> : ITI, TU Braunschweig I'll meet you on the next one
> : [EMAIL PROTECTED] and don't be late!
> : http://www.iti.cs.tu-bs.de/~koslowj Jimi Hendrix (Voodoo Child, SR)
>
> --
> J�rgen Koslowski If I don't see you no more on this world
> ITI, TU Braunschweig I'll meet you on the next one
> [EMAIL PROTECTED] and don't be late!
> http://www.iti.cs.tu-bs.de/~koslowj Jimi Hendrix (Voodoo Child, SR)
It sounds like something similar to the get_user and
put_user macros.
The get_user and put_user macros can only be called
with elements of size 1, 2 or 4. In the macro there
is a switch on sizeof applied to the argument. In
the default case there is a reference to a
nonexisting function. This reference is removed by
the optimizer. This means that if you don't optimize
or if there are invalid calls to the macro, the
program cannot link.
Search through the header files for the string
__buggy_fxsr_alignment. If you don't find it it is
probably made up by the ## preprocessor concatenate
directive, then search for the words buggy, fxsr
and alignment.
--
Kasper Dupont
------------------------------
From: Kasper Dupont <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.misc
Subject: Re: Kernel's HARD reset
Date: Tue, 30 Jan 2001 13:20:49 +0100
bill davidsen wrote:
>
> In article <[EMAIL PROTECTED]>,
> David Vidal Rodriguez <[EMAIL PROTECTED]> wrote:
> | OK, I think I have it. The kernel option "reboot=warm" should do it,
> | shouldn't it?
>
> From memory this works on the next boot.
>
> | Is there a /proc-style solution for the same?
>
> Therefore by the time you're up it's too late.
>
> You can probably write a driver to diddle the bits in the memory which
> control this, although I notice that a number of old BIOSs (like yours?)
> don't honor this and boot cold every blessed time.
>
> --
> bill davidsen <[EMAIL PROTECTED]> CTO, TMR Associates, Inc
> "I am lost. I am out looking for myself. If I should come back before I
> return, please ask me to wait." -seen in a doctor's office
There are more parameters to reboot:
warm - skip memory test
cold - perform memory test
bios - reboot by jumping to bios
hard - reboot using hardware.
The default under Linux is:
reboot=cold,hard
To do it most similar to rebooting under DOS you
should write:
reboot=warm,bios
But I think the hard option is supposed to work the
same as the reset button on the computer, but of
course broken hardware might exist somewhere.
--
Kasper Dupont
------------------------------
From: Kasper Dupont <[EMAIL PROTECTED]>
Subject: Re: ext3 patch for 2.4 ?
Date: Tue, 30 Jan 2001 13:32:10 +0100
Thomas Huber wrote:
>
> Hello,
>
> To reduce the checking time on my 14GB Partition, I'd
> like to use a journaling file system. Reiserfs is very
> good (I use it at home) and efficient, but the existing ext2
> can be upgraded to reiserfs only by backing everything up,
> creating the fs and copying back. As I have no extra disk
> space, this is not possible here at the moment. Now the ext3fs
> can be installed from ext2 without 'destruction', which is
> what I want. However, I wasn't able to find the ext3fs patch
> for linux 2.4. (only some old 2.2.x). Has ext3fs stopped from
> being developped ? Any news ?
>
> Thanks,
>
> Thomas
Is it really safe to switch from ext2 to ext3
without making a backup first? Better safe
than sorry.
--
Kasper Dupont
------------------------------
Subject: WINE woes
Date: Tue, 30 Jan 2001 06:40:19 -0600
From: Anonymous <[EMAIL PROTECTED]>
Okay, I've asked without much success, but I will try again in another
group. Please do not ban me for being a newbie *grin*
1. WINE - The LiNUX Mandrake package (I bought at the store) installs with
just about everything I need to get started; however, I have since then
found and installed everything else I needed to run a MUD server and the
like. Now I want to use some of my Windows programs, but can not find the
"flex" package to finish compiling and installing WINE. I would love to
use most of my Windoze stuff under LiNUX. Basically some programs I
registered. The basic installation of Mandrake installs WINE (older
version) and is not completely installed correctly.
2 - Configuring WINE for proper operation: If someone could help me with
this as well, I would be eternally grateful, and would be willing to give
up half my brain, as I wouldn't need it anymore after that *grin*
--
Charles [EMAIL PROTECTED]
Linux Registration#: 203445 at: http://counter.li.org
If you screw it up, they will never forget.
Do it right, and they never remember.
--------== Posted Anonymously via Newsfeeds.Com ==-------
Featuring the worlds only Anonymous Usenet Server
-----------== http://www.newsfeeds.com ==----------
------------------------------
From: Kasper Dupont <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.powerpc
Subject: Re: 512M Physical Memory
Date: Tue, 30 Jan 2001 13:37:30 +0100
Steven Wu wrote:
>
> Hi,
>
> I need a pointer to point out where in the kernel src code which makes
> the linux sees only 512M physical memory.
>
> thanks.
> steve
On i386 you can add a mem=xxxM option to
the kernel if autodetection does not
work, or you just want to use less than
you actually have.
I don't know if any such option exist on
PowerPC, but I don't see why it should
not.
--
Kasper Dupont
------------------------------
From: Kasper Dupont <[EMAIL PROTECTED]>
Subject: Re: WINE woes
Date: Tue, 30 Jan 2001 13:47:32 +0100
Anonymous wrote:
>
> Okay, I've asked without much success, but I will try again in another
> group. Please do not ban me for being a newbie *grin*
>
> 1. WINE - The LiNUX Mandrake package (I bought at the store) installs with
> just about everything I need to get started; however, I have since then
> found and installed everything else I needed to run a MUD server and the
> like. Now I want to use some of my Windows programs, but can not find the
> "flex" package to finish compiling and installing WINE. I would love to
> use most of my Windoze stuff under LiNUX. Basically some programs I
> registered. The basic installation of Mandrake installs WINE (older
> version) and is not completely installed correctly.
>
> 2 - Configuring WINE for proper operation: If someone could help me with
> this as well, I would be eternally grateful, and would be willing to give
> up half my brain, as I wouldn't need it anymore after that *grin*
> --
> Charles [EMAIL PROTECTED]
> Linux Registration#: 203445 at: http://counter.li.org
>
> If you screw it up, they will never forget.
> Do it right, and they never remember.
>
> --------== Posted Anonymously via Newsfeeds.Com ==-------
> Featuring the worlds only Anonymous Usenet Server
> -----------== http://www.newsfeeds.com ==----------
Hmm, maybee Mandrake does not install flex by default.
But I believe it must be part of the Mandrake package.
Otherwise you can download it from RedHat:
<URL:http://www.redhat.com/swr/i386/flex-2.5.4a-9.i386.html>
<URL:http://www.redhat.com/swr/i386/flex-2.5.4a-11.i386.html>
--
Kasper Dupont
------------------------------
From: [EMAIL PROTECTED] (Grant Edwards)
Crossposted-To:
comp.os.linux.development.apps,comp.os.linux.hardware,comp.os.linux.misc
Subject: Re: PCI bus access
Date: Tue, 30 Jan 2001 13:13:05 GMT
In article <955ggk$7fa$[EMAIL PROTECTED]>, bjrosen wrote:
>Is there anyway to do this without a driver?
Not really.
>I'm trying to do the same
>thing for a hardware development diagnostic and I haven't been able to
>figure out which #includes and #defines are required to make ioremap
>work. I'm looking for the simplest way to get at PCI memory space.
Write a driver module. If all you want to do is implement
mmap() to allow user programs access to PCI memory space, it's
really pretty simple. The link below points to an example of
such a driver (I wrote it to enable user-mode diagnostic
programs to access a PCI prototype I was debugging).
ftp://ftp.visi.com/users/grante/stuff/demomm.tar.gz
Change the vendor/device IDs, tweak on the size of mapped
regions if they're not 4K, and Bob's your uncle.
--
Grant Edwards grante Yow! Now that I have my
at "APPLE," I comprehend COST
visi.com ACCOUNTING!!
------------------------------
From: "O.Petzold" <[EMAIL PROTECTED]>
Subject: check on data on fd
Date: Tue, 30 Jan 2001 15:04:39 +0100
Hello,
how can I check that data is arrived on my filedescriptor ?
I guess I could use select. How can I use it on example and
what will follow than since I've read that the handler doesn't
should have to much code. How can I notify my program
in praxis ??
Thanks
Olaf
------------------------------
From: Toby Haynes <[EMAIL PROTECTED]>
Subject: Re: How to Recompile the Linux Kernel?
Date: 30 Jan 2001 09:54:57 -0500
On Sun, 28 Jan 2001, [EMAIL PROTECTED] wrote:
> I need help about how can i recompile the Linux Kernel. I�m using Mandrake
> 7.0 and i must use a small recompiled Linux kernel version capable of running
> on a 486 that is suposed could provide wireless internet connection for
> laptops in a building.
http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html
Has everything you need.
Cheers,
Toby Haynes
--
Toby Haynes
The views and opinions expressed in this message are my own, and do
not necessarily reflect those of IBM Canada.
------------------------------
From: Toby Haynes <[EMAIL PROTECTED]>
Subject: Re: can Linux be secure?
Date: 30 Jan 2001 10:03:14 -0500
On Tue, 30 Jan 2001, [EMAIL PROTECTED] wrote:
> On Mon, 29 Jan 2001 20:18:09 GMT Erik de Castro Lopo <[EMAIL PROTECTED]>
> wrote:
>| [EMAIL PROTECTED] wrote:
>|>
>|> Note that the question is "can", not "is". Also note that I did
>|> say "Linux" and not a distribution such as "Redhat", "SuSE", or
>|> "Debian".
>|
>| Of course it can. The problem is that all of the major deistribution
>| install everything by default. It is this default installation which
>| is insecure. For instance, all the distributions I have seen enable
>| NFS by default even though less than 10% of people probably use it.
>| Running NFS on the public internet is just asking to be hacked.
>|
>| To make any of these systems secure is trival for anyone with a little
>| experience. Its basically a matter of installing the latest security
>| patches and disabling everything that isn't needed.
>
> My basic concern is with the kernel. If there are issues with the
> server applications, such as apache, I can address it with them, or
> "back port" the audited OpenBSD code, or at least take from the same
> version.
If you are worried about exploits which attain root status and/or fiddle the
kernel by trick-loading kernel modules, then I suggest you take a look at
LIDS. http://www.lids.org/ details most of what you need to know. As a brief
(and incomplete) summary:
- Harden your system utilities by making them immutable and then removing the
ability to remove the immutable flag (stops trojanned utilities).
- Lock your log files so they can only be appended to, not editted (stops
rootkits covering their tracks)
- Harden the kernel so that after the boot sequence completes, no more kernel
modules can be inserted to compromise the system.
Administration of the system once LIDS is in place is done with the lidsadm
tool, which you should keep on a removable medium separate from the server
during normal operation. (i.e. stick it on a floppy and only mount it when you
need to rotate the logs, for example).
There are also libraries to harden the stack against buffer overflow attacks,
which will make life a lot harder for the average cracker.
Cheers,
Toby Haynes
--
Toby Haynes
The views and opinions expressed in this message are my own, and do
not necessarily reflect those of IBM Canada.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to the
comp.os.linux.development.system newsgroup.
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Development-System Digest
******************************
