ArchLinux security advisories

jfryman · 2006-04-15 02:24:26

Hey all!

I've noticed that there is not much related to the security aspect of ArchLinux as of yet... security upgrades notices or whatnot. I've been involved with Arch now for a few months, and I really enjoy the distribution and would like to contribute in some way.

I do work as a security professional, and would like to take a look at:
1) Integrating SELinux into the kernel.
I'm not sure how much interest there is into integrating SELinux into the default kernel and making sure the policy matches up with Arch.
2) Trying to get an active security maintance list up and going.

I've noticed for the most part that major advisories are taken care of right away, without much notice to the users. However, other packages fall through the cracks (Take today's Firefox update to 1.5.0.2... updated by the end of the day, but Thunderbird, also vulnerable to the same buffer overflows and explioits due to a common codebase was not updated) I'm not sure if everyone is assumed to be running a system sync on a daily or weekly basis. How is the security notification being handled as of yet?

I do not want to come off as critical at all! Thus far I've truly enjoyed using this distribution, and would like to find a way that I can give back to the community, especially since I am not a programmer.

Thoughts, ideas, suggestions? All welcome!

-James

brain0 · 2006-04-15 03:02:40

jfryman wrote:

I've noticed that there is not much related to the security aspect of ArchLinux as of yet... security upgrades notices or whatnot.

It is true that there is not much done for security. However, alone the fact that Arch is bleeding edge, every vulnerable program will be fixed as soon as it is updated (assuming that the authors fix the bug).

I've been involved with Arch now for a few months, and I really enjoy the distribution and would like to contribute in some way.
I do work as a security professional, and would like to take a look at:
1) Integrating SELinux into the kernel.
I'm not sure how much interest there is into integrating SELinux into the default kernel and making sure the policy matches up with Arch.

There is one thing you can do. You can create packages that provide SELinux functionality and publish them. As long as they go the Arch way of simplicity, things might have a good chance to be integrated into the distribution.
There is the kernel, but I believe (without knowing much about SELinux) that there are other modifications necessary. If you keep the number of modifications necessary low and don't break non-SELinux Arch, I think integration into Arch will be likely.

You say you are a security professional, so with your knowledge and experience in that area, you can start this and maybe others will help. You will see quickly how many people are interested.

2) Trying to get an active security maintance list up and going.

The problem is, you have to find someone who is in charge of such a list. If you volunteer, that will not be a big problem. I don't think the devs will spend even more of their time on this, but if you can establish a security team that will surely be appreciated.

I've noticed for the most part that major advisories are taken care of right away, without much notice to the users. However, other packages fall through the cracks (Take today's Firefox update to 1.5.0.2... updated by the end of the day, but Thunderbird, also vulnerable to the same buffer overflows and explioits due to a common codebase was not updated) I'm not sure if everyone is assumed to be running a system sync on a daily or weekly basis. How is the security notification being handled as of yet?

The mozilla team has not released an updated version of Thunderbird yet, but it is likely they will do so soon - and Arch will be updated.

I do not want to come off as critical at all! Thus far I've truly enjoyed using this distribution, and would like to find a way that I can give back to the community, especially since I am not a programmer.

Criticism is important to ensure the ongoing improvement of a project such as Arch. And I think everyone here appreciates constructive criticism.

Gullible Jones · 2006-04-15 04:15:23

jfryman wrote:

Hey all!
I've noticed that there is not much related to the security aspect of ArchLinux as of yet... security upgrades notices or whatnot. I've been involved with Arch now for a few months, and I really enjoy the distribution and would like to contribute in some way.
I do work as a security professional, and would like to take a look at:
1) Integrating SELinux into the kernel.
I'm not sure how much interest there is into integrating SELinux into the default kernel and making sure the policy matches up with Arch.
2) Trying to get an active security maintance list up and going.
I've noticed for the most part that major advisories are taken care of right away, without much notice to the users. However, other packages fall through the cracks (Take today's Firefox update to 1.5.0.2... updated by the end of the day, but Thunderbird, also vulnerable to the same buffer overflows and explioits due to a common codebase was not updated) I'm not sure if everyone is assumed to be running a system sync on a daily or weekly basis. How is the security notification being handled as of yet?
I do not want to come off as critical at all! Thus far I've truly enjoyed using this distribution, and would like to find a way that I can give back to the community, especially since I am not a programmer.
Thoughts, ideas, suggestions? All welcome!
-James

I agree with you about security, but I think SELinux is pretty much out. It would be nice to have the option of a hardened stock kernel though, a la Gentoo - which, BTW, has a hardened 2.6.16 kernel available.

As for security notices, that stuff is usually done via Flyspray around here... If you think there's a better way please feel free to tell us.

Regarding the Gecko applications, the reason for the lack of updates to XULRunner and Thunderbird is Mozilla.org taking their damned time with their less famous products.

iBertus · 2006-04-15 04:44:32

I believe someone else tried to get a security team together awhile back and had limited sucess. You may find that thread with a quick search.

iphitus · 2006-04-15 05:19:46

Gullible Jones wrote:

I agree with you about security, but I think SELinux is pretty much out. It would be nice to have the option of a hardened stock kernel though, a la Gentoo - which, BTW, has a hardened 2.6.16 kernel available.
As for security notices, that stuff is usually done via Flyspray around here... If you think there's a better way please feel free to tell us.
Regarding the Gecko applications, the reason for the lack of updates to XULRunner and Thunderbird is Mozilla.org taking their damned time with their less famous products.

the git/unstable releases of beyond contain everything from gentoo's hardened. I'll provide a pkgbuild for these releases.. soon.

http://forums.gentoo.org/viewtopic-t-450025.html

WillySilly · 2006-04-15 05:20:11

http://wiki.archlinux.org/index.php/Security_Task_Force

jfryman · 2006-04-15 12:38:41

Gullible Jones wrote:

As for security notices, that stuff is usually done via Flyspray around here... If you think there's a better way please feel free to tell us.

I think this would be a great medium to inform the developers of a particular bug or security related issue, but even with most Arch Users being smarter than the average bear, that might require them to dig through that daily...

A simple mailing list or RSS feed detailing updates sent to the main repos seems to be more of my goal. If that takes off, we can include the AUR repos for any of the developers that want to participate. It may help with the credibility of a maintainer/package.

jfryman · 2006-04-15 12:41:37

WillySilly wrote:

http://wiki.archlinux.org/index.php/Security_Task_Force

Did this ever go anywhere? It seems like there was a momentum, I'm suprised nothing ever came of this.

I think something like this should be done.... if for anything to keep users updated of any threats that they might not otherwise be aware of.

Were there any final approvals from TU's or Developers that would otherwise stop this from proceeding?

Gullible Jones · 2006-04-15 15:44:27

iphitus wrote:

Gullible Jones wrote:
I agree with you about security, but I think SELinux is pretty much out. It would be nice to have the option of a hardened stock kernel though, a la Gentoo - which, BTW, has a hardened 2.6.16 kernel available.
As for security notices, that stuff is usually done via Flyspray around here... If you think there's a better way please feel free to tell us.
Regarding the Gecko applications, the reason for the lack of updates to XULRunner and Thunderbird is Mozilla.org taking their damned time with their less famous products.
the git/unstable releases of beyond contain everything from gentoo's hardened. I'll provide a pkgbuild for these releases.. soon.
http://forums.gentoo.org/viewtopic-t-450025.html

... Wow, that is cool, I'll have to try that. The problem is -beyond isn't a stable kernel, what I think is needed is an alternate, hardened stock kernel - kernel26hardened or somesuch.

dtw · 2006-04-15 16:15:44

"Your not paranoid if they're really after you!"

They're not after you though...

Gullible Jones · 2006-04-15 20:53:32

Yes they are, they are called "script kiddies".

mindtriggerz · 2006-04-16 07:08:16

If I remeber correctly, SElinux was a PITA for me on FC (3 I think..?)
I suppose you could create a patchset if you felt like it, and try to get it into community.

WillySilly · 2006-04-16 07:29:51

jfryman wrote:

WillySilly wrote:
http://wiki.archlinux.org/index.php/Security_Task_Force
Did this ever go anywhere? It seems like there was a momentum, I'm suprised nothing ever came of this.
I think something like this should be done.... if for anything to keep users updated of any threats that they might not otherwise be aware of.
Were there any final approvals from TU's or Developers that would otherwise stop this from proceeding?

Not sure, but if some people wanted to do this I'd say go for it

iphitus · 2006-04-16 08:04:48

... Wow, that is cool, I'll have to try that. The problem is -beyond isn't a stable kernel, what I think is needed is an alternate, hardened stock kernel - kernel26hardened or somesuch.

beyond is stable.
beyond-git isnt stable.

beyond-git is now available in the AUR. It has all of the hardened patchset, grsec, pax, etc.

James

pixel · 2006-04-16 11:56:02

I'm watching Gentoo Security Advisories (they list which version of the vanilla package fix the issues)
http://www.gentoo.org/security/en/glsa/index.xml

It would be nice if Arch had the similar Security Advisories list but i guess there is noone around who want to do that.

Gullible Jones · 2006-04-16 12:45:05

mindtriggerz wrote:

If I remeber correctly, SElinux was a PITA for me on FC (3 I think..?)
I suppose you could create a patchset if you felt like it, and try to get it into community.

Yeah, there are different ways of hardening kernels... IIRC GrSecurity may be a bit less of a pain than SELinux, and PaX doesn't actually involve Mandatory Access Control.

Iphitus: if the Gentoo hardened patches prove stable, will the next version of beyond-stable have them?

iphitus · 2006-04-16 12:58:53

probably not. from what i've seen, they're wreaking havoc.

Gullible Jones · 2006-04-16 13:56:06

Damn it. :x

iphitus · 2006-04-16 14:31:31

I'm not willing to add them on multiple grounds:
- many users will use them and think they're secure. Dont tell me it wont happen, because it will.
- some of those patches are pretty invasive, and from what I have seen, they are causing havoc for the git kernel.
- I think such patches are stupid. you can secure your machine to a reasonable state without any extra kernel based crud. beyond that and you have reached paranoia or are working in an area where security is of extreme importance, at which stage, you'd probably not trust me to add the patches or would be better off doing it yourself.

James

Gullible Jones · 2006-04-16 14:46:21

Okay, I get the idea... I do wish Linux had a bit more innate protection against buffer overflows though. Ah well, I suppose I'll just wait for GCC 4.1.

Neuro · 2006-04-16 15:12:04

Okay, I get the idea... I do wish Linux had a bit more innate protection against buffer overflows though. Ah well, I suppose I'll just wait for GCC 4.1.

What will it bring?

Also, I don't get it why do people want either GrSec or SELinux on their desktops. I mean, ok, on the server they are useful (I myself use GrSec), because of the need to limit the trust towards the users of the system. But on the desktop? I mean, you are running your apps, you are the main user and the administrator of the system. Hardening the kernel won't give you much, since you already know (or should know) if the code you're running can be trusted.

However, a vulnerability listing sounds nice.

Gullible Jones · 2006-04-16 15:28:14

Because buffer overflows pop up all the time in commonly used apps, e.g. MPlayer. Actually, come to think of it, I wonder if GCC 4.0.x's pickiness with regard to certain code is an attempt to curb such problems.

About GCC 4.1, IIRC that will implement some new security features, stack smashing protection like in ProPolice I think...

iphitus · 2006-04-17 01:43:16

They dont protect against buffer overflows. They might claim to, but they wont always pick them up. In saying that, you're falling into reason 1, as there's still a helluva lot of ways to access a system and none of these tools will do what you seem to believe they will..

James

user · 2006-04-17 02:00:08

Gullible Jones wrote:

About GCC 4.1, IIRC that will implement some new security features, stack smashing protection like in ProPolice I think...

Yes there is
http://www.trl.ibm.com/projects/security/ssp/

Gullible Jones · 2006-04-17 02:04:58

iphitus wrote:

They dont protect against buffer overflows. They might claim to, but they wont always pick them up. In saying that, you're falling into reason 1, as there's still a helluva lot of ways to access a system and none of these tools will do what you seem to believe they will..
James

Yes, there are always a lot of ways in, but it's prudent to reduce the number of them. I'm not saying that a hardened kernel is an excuse to use a weak password, or anything braindead like that, I'm just pointing out that simple things like buffer overflows can be exploited by malicious software to gain system access without the user doing anything stupid. I know Linux hasn't gotten like Windows yet, where you can get infected without even doing anything, but having been there I don't want to go that way again. I'm just saying that some things need to be done to remove some of the potential for exploits that are beyond users' control; the rest a healthy dose of paranoia can handle.

Regarding hardened kernels, though... you're saying that they're not actually very effective in the purpose they were designed for? I could definintely believe that, but could you give me an example?

Arch Linux

#1 2006-04-15 02:24:26

ArchLinux security advisories

#2 2006-04-15 03:02:40

Re: ArchLinux security advisories

#3 2006-04-15 04:15:23

Re: ArchLinux security advisories

#4 2006-04-15 04:44:32

Re: ArchLinux security advisories

#5 2006-04-15 05:19:46

Re: ArchLinux security advisories

#6 2006-04-15 05:20:11

Re: ArchLinux security advisories

#7 2006-04-15 12:38:41

Re: ArchLinux security advisories

#8 2006-04-15 12:41:37

Re: ArchLinux security advisories

#9 2006-04-15 15:44:27

Re: ArchLinux security advisories

#10 2006-04-15 16:15:44

Re: ArchLinux security advisories

#11 2006-04-15 20:53:32

Re: ArchLinux security advisories

#12 2006-04-16 07:08:16

Re: ArchLinux security advisories

#13 2006-04-16 07:29:51

Re: ArchLinux security advisories

#14 2006-04-16 08:04:48

Re: ArchLinux security advisories

#15 2006-04-16 11:56:02

Re: ArchLinux security advisories

#16 2006-04-16 12:45:05

Re: ArchLinux security advisories

#17 2006-04-16 12:58:53

Re: ArchLinux security advisories

#18 2006-04-16 13:56:06

Re: ArchLinux security advisories

#19 2006-04-16 14:31:31

Re: ArchLinux security advisories

#20 2006-04-16 14:46:21

Re: ArchLinux security advisories

#21 2006-04-16 15:12:04

Re: ArchLinux security advisories

#22 2006-04-16 15:28:14

Re: ArchLinux security advisories

#23 2006-04-17 01:43:16

Re: ArchLinux security advisories

#24 2006-04-17 02:00:08

Re: ArchLinux security advisories

#25 2006-04-17 02:04:58

Re: ArchLinux security advisories

Board footer