Re: thoughts on kernel security issues

[Arjan van de Ven]

On Thu, 2005-01-13 at 08:38 -0800, Linus Torvalds wrote:
> 
> NOTE! I'd personally hate some of the security things. For example, I
> think the "randomize code addresses" is absolutely horrible, just
> because
> of the startup overhead it implies (specifically no pre-linking). I
> also
> immensely dislike exec-shield because of the segment games it plays -
> I
> think it makes sense in the short run but not in the long run, so I
> much
> prefer that one as a "vendor feature", not as a "core feature". 

I think you are somewhat misguided on these: the randomisation done in
FC does NOT prohibit prelink for working, with the exception of special
PIE binaries. Does this destroy the randomisation? No: prelink *itself*
randomizes the addresses when creating it's prelink database (which is
in fedora once every two weeks with a daily incremental run inbetween;
the bi-weekly run is needed anyway to properly deal with new and updated
software, the daily runs are stopgapping only). This makes all *systems*
different, even though runs of the same app on the same machine right
after eachother are the same for the library addresses only.
That does not destroy the value of randomisation; it limits it slightly,
since this ONLY matters for libraries, not for the stack or heap and the
other things that get randomized. 

As for the segment limits (you call them execshield, but execshield is
actually a whole bunch of stuff that happens to include segment limits;
a bit like tree and forrest ;) yes they probably should remain a vendor
feature, no argument about that.


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/