
The State of Linux Security - kungfudoi
https://linux-audit.com/the-state-of-linux-security/
======
0xcde4c3db
> Backdoor in Linux Mint (February 2016)

> Stop using MD5. If you still use SHA1, then add also the SHA256 or SHA512
> hashes.

How did hash strength have anything to do with this? Unless my sources are
completely out of whack, the MD5 of the backdoored ISO didn't match the
official ISO. My understanding is that there _is_ a vulnerability along these
lines, but it requires the official build process to be compromised, whereas
this was an edit on the Mint website to point to a malicious file on an
attacker-controlled server.

~~~
maxt
Interesting that the site uses TLS, but most of the servers containing the
download use plain old HTTP, which as we know, can be easily subjected to a
MITM attack.

[https://linuxmint.com/edition.php?id=225](https://linuxmint.com/edition.php?id=225)

Only a few of the ISOs are delivered with TLS/HTTPS, like this one:

[https://mirrors.c0urier.net/linux/linuxmint/iso/stable/18.1/...](https://mirrors.c0urier.net/linux/linuxmint/iso/stable/18.1/linuxmint-18.1-cinnamon-32bit.iso)

~~~
dublinben
Properly signed images shouldn't need to be delivered over a secure
connection. As long as you can receive a signed hash, and the signing key
itself over a secure connection, you can obtain the image itself from
anywhere.
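The two comments above (the checksum that did not match the backdoored Mint ISO, and the point that a signed hash list plus a trusted copy of the signing key is what actually protects a download fetched from any mirror) describe the same check. The script below is an added example, not code from the thread or from any distribution: it verifies a downloaded image against a sha256sum-format list, returning distinct statuses for "matches", "mismatch" and "not covered by the list", and keeps a separate step for checking the list's detached OpenPGP signature. The file names, the temp-dir fixture and its contents are constructed for the demo; the signature step is not exercised by the demo because that needs a real published key.

```shell
#!/bin/sh
# Added example: verify a downloaded image against a published checksum list.
# Real distributions publish a SHA256SUMS (or similar) file plus a detached
# signature; only the signing key needs a trusted channel, the list and the
# image can come from any mirror.

# verify_list_signature LIST SIG KEYRING
# Checks the detached signature SIG over LIST using only the given keyring
# (the one fetched over HTTPS or verified by fingerprint). Not run by the demo.
verify_list_signature() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1" 2>/dev/null
}

# verify_checksum_list LIST FILE
# Returns 0 if FILE's SHA-256 matches the entry for its basename in LIST,
# 1 if the hash differs (the image was altered or swapped),
# 2 if LIST has no entry for that name (nothing to compare against).
verify_checksum_list() {
    list="$1"
    file="$2"
    name=$(basename "$file")
    # Entries look like "<hex>  <name>"; a leading '*' marks binary mode.
    expected=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$list")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# make_fixture: build a constructed sample in a temp dir and print its path:
#   good.iso         the "official" image
#   mirror/good.iso  a same-named copy with different bytes (a swapped image)
#   SHA256SUMS       the published list, generated from the official image
make_fixture() {
    dir=$(mktemp -d)
    mkdir "$dir/mirror"
    printf 'official image bytes\n' > "$dir/good.iso"
    printf 'official image bytes plus something else\n' > "$dir/mirror/good.iso"
    ( cd "$dir" && sha256sum good.iso > SHA256SUMS )
    printf '%s\n' "$dir"
}

# demo: run the check over the constructed fixture and report each result.
demo() {
    dir=$(make_fixture)
    for f in "$dir/good.iso" "$dir/mirror/good.iso" "$dir/other.iso"; do
        verify_checksum_list "$dir/SHA256SUMS" "$f" && rc=0 || rc=$?
        case "$rc" in
            0) echo "OK        $f" ;;
            1) echo "MISMATCH  $f" ;;
            2) echo "NO ENTRY  $f" ;;
        esac
    done
    rm -rf "$dir"
}

demo
```

In practice the order matters: run verify_list_signature first, and only if it succeeds trust the list enough to call verify_checksum_list; a list that is itself unsigned, or signed by a key you fetched from the same untrusted mirror, tells you nothing about the image. The three-way return value is deliberate so that "no entry" is not silently treated as a pass.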

~~~
garrettr_
True, although sometimes it's good to deliver signed updates over a secure
connection for defense-in-depth - for example, to mitigate vulnerabilities
like the recent CVE-2016-1252.

~~~
dom0
+1 "but some software has its own crypto"¹ is kind of a bad excuse for actively
avoiding additional security - like Debian has on their mirrors (I think there
even is (was?) an FAQ entry why there are no HTTPS mirrors, stating that APT
packages are securely signed and that's all you'd need).

¹ I'm aware that APT actually uses GPG, but it does (did) so fishy
manipulations both before and after invoking GPG on the signed files, that, if
this would've happened in a corporate setting, I'd have rather peculiar
questions for the employee who wrote that code.

That recent CVE, and also issues in software that I co-maintain, plus all the
other CVEs that are delivered to my inbox changed my mind on open source quite
a lot. Open source is completely worthless if no one actually bothers to read
the code; I doubt anyone actually read those portions of the APT code, because
anyone with a secure coding or crypto coding background should be alerted
already by the _function names_ (look them up). Instead we all always assume
"ah well people use it and someone probably checked that anyway... should be
good to go!". NO. It's not good to go. Read [the] code.

~~~
cyphar
> ¹ I'm aware that APT actually uses GPG, but it does (did) so fishy
> manipulations both before and after invoking GPG on the signed files, that,
> if this would've happened in a corporate setting, I'd have rather peculiar
> questions for the employee who wrote that code.

From the openSUSE side, I brought up my concerns about us not using HTTPS and it
boils down to the fact that few mirrors want to host stuff over SSL. And if
not many mirrors will do it, the benefit to users is diminished (you can't
force the usage of SSL on the client).

On the plus side, openSUSE does serve a copy of the GPG signing key for the
ISO over HTTPS (from the main site). I just wish that there were fewer steps
required to be sure that the ISO is official.

------
lostmsu
Wait, Linux did not have stack guard pages and r-x code pages until 4.9?

~~~
luch
PaX/grsecurity fork probably has had it for some time, but not the mainline tree (i.e.
"torvalds" linux).

------
ctz
Linux doesn't power the smallest devices in the world. It's about two orders
of magnitude too large out at the low end.

~~~
ancarda
Out of interest, what does?

~~~
foofoo55
The almost-smallest devices are powered by LoopOS(tm):

    while(1){ }

~~~
emidln
So slow and bloated! Get with 2.0:

    for(;;){ }

------
snvzz
Linux will always be insecure. There's no fixing millions of lines of code
running in supervisor mode.

What will happen instead is that the world will move on to a microkernel-based
OS.

~~~
SEJeff
Ok Mr Tanenbaum, Linus and you already had this argument </sarcasm>

~~~
rastapasta42
Guys... All of you are irrelevant. Doesn't matter if one driver can access
another. I just need to read data in the user home directory and I can find out
everything I need.

Or go to a random website, look for .git folders, recreate the directory structure
from the object files, get MySQL passwords and steal user data (I'm not responsible
for anyone using my comment for illegal purposes).

Microkernels are supposed to make OSes more stable but they don't. Linux works
well enough due to automated testing and amazing kernel engineers.

GNU Hurd, Mach 3, Minix - so far the track record isn't good. Stop flamewaring and
fire up vim. Write a microkernel if you think you can do a better job.

~~~
snvzz
> Doesn't matter if one driver can access another. I just need to read data in
> the user home directory and I can find out everything I need.

Well, you'd need the adequate permissions to do that in the first place.

Or you'd have to exploit the VFS (good luck with that), the disk driver (which
is hidden behind the VFS, good luck with that), or some other driver whose
hardware is for some reason not isolated via the IOMMU (good luck with that).

> Linux works well enough due to automated testing and amazing kernel
> engineers.

You definitely do not run much Linux on production, else you'd know how
amazing 2016 has been, regarding kernel vulnerabilities.

Some of them were even reliably exploitable on grsec/pax patched kernels.

> Microkernels are supposed to make OSes more stable but they don't.

Except most RTOSes and anything with high assurance requirements use
microkernels.

> GNU Hurd, Mach 3

Hurd uses Mach, a pre-Liedtke, old-world microkernel. Not really worth
pointing at it, the same way 1971 UNIX isn't representative of Linux.

> Minix - so far track record isn't good.

Minix is doing quite well at what it set out to do: Fault-tolerance.

------
eugeneionesco
Not a single mention of grsecurity and RAP, useless article.

~~~
cyphar
Well, given the fact that the grsecurity folks violate the GPL, I'm not sure
what recognition they deserve other than "you can now get their feature in a
free software, mainline kernel".

~~~
eugeneionesco
Can you let me know exactly where I can get RAP?

You seem to be slandering grsec for no reason.

~~~
cyphar
> You seem to be slandering grsec for no reason.

It's not without reason, I don't like people abusing free software in the
manner the grsecurity people do it
([https://grsecurity.net/agree/agreement.php](https://grsecurity.net/agree/agreement.php)).
They license code under the GPL (because they have to) but then they
effectively tell their customers that exercising their right to redistribute
the code will result in a termination of the contract (which is at best against the
spirit of the GPL, and at worst illegal).

~~~
eugeneionesco
You obviously have no clue how GPL works. Everything is explained very well on
the agreement page.

~~~
cyphar
> You obviously have no clue how GPL works.

I disagree.

> Everything is explained very well on the agreement page.

Yes, it's very clear that they're attempting to subvert the GPL by coercing
customers into not exercising their freedom to redistribute (section 3, first
sentence). I can't find it now (all I could find is
[https://news.ycombinator.com/item?id=11808914](https://news.ycombinator.com/item?id=11808914))
but there was a thread about this issue earlier this year.

Essentially, in some people's view grsecurity is acting in bad faith which
means that they are violating the GPL (not the license text itself, but the
copyright law surrounding license agreements).

~~~
eugeneionesco
Exactly what I said, you don't understand how GPL works and you just slander
grsecurity for no reason.

Even you said they're not breaking the GPL multiple times. What they're doing is
allowed.