> > We do not need a "security" section in kernel which will be nothing
> > more than violation of standards and bloating the kernel source.
> > This thread is not really a kernel issue, and should be solved from
> > user space!
And Albert D. Cahalan responds:
> As for fixing scripts... Sure, people have known that for 28 years.
> One might assume all security holes would be fixed by now. :-)
>
> I happen to find this extreme conservatism disturbing. Solaris has
> beaten Linux to the stack-exec fix, even though the Linux patch was
> available long ago! I'd say they took the Linux idea and just used it.
> Innovation must die, right? This is sick.
I totally agree! (Yes, this is a me-too posting)
Given the number of first-time admins using Linux, given the number of
part-time admins using Linux and given the large amount of documentation any
hacker has when trying to break into a Linux system, the linux kernel should
provide as much security features as possible to those who can use it.
Of course, it is true that every experienced(tm) system administrator knows
exactly what to do to maintain a secure system. Obviously not every
administrator qualifies as such since systems are getting hacked every day.
It is also true that 95% of the hacks use only a small amount of 'features'
of a Unix system. Among these features are stack-execution, hard- and
softlinks and suid-stuff. Restricting the use of these features decreases
their value for hacking purposes and improves overall system security.
It is the same as using shadow-passwords. You combine restricted access to
the password file with encryption of the passwords. In theory, each of these
two methods is secure on its own. Nonetheless, a sensible admin uses both.
In a perfect world there would be no hackers and all admins would know
exactly what they were doing. Since neither of that is true for the world we
live in, the Linux kernel can use any additional security option available.
(Configurable of course)
Waldo Bastian