[rsbac] RSBAC & Molnar Ingo's ExecShield
Michal Purzynski
albeiro at zeus.polsl.gliwice.pl
Tue Dec 7 13:03:06 CET 2004
On Tue, 7 Dec 2004, Deim Agoston wrote:
> Oh, yes but if you work with RH Enterpise versions - I suspect you do so
i am quite happy person using Gentoo Hardened and Adamantix in produciton
- but that was where i could decide.
> If our partner says he need some kind of security
> and read something about SELinux and ExecShield in the leaflets from
> RH than I have to use ExecShield and SELinux. And if I have to use
> execshield I don't want to duplicate my efforts so I would stay with
> it with the RSBAC patched of kernels if it's released more often and the
> partners need some kind of memory protection along with 2.6.x kernel.
> Again: money talks. The engineer can advise but he doesn't decide.....
> Ok, it has the advantege that you don't have to provide any
> responsibility and you can write it down in your contract. </lament>
yes i see how difficult situation you have. redhat makes money and
"security" they included is only for marketing. because implementing PaX
and some other MAC systems would need much effort from they engineers they
gone easy way writing they own solution - easy to use but not necesesary
secure. and now they can write that "we already have memory protection
and access control", go with us. definitely they are only about making
money.
oh, btw - try to run some suid app with LD_DEBUG=all -> most easy way to
get necesary offsets needed to exploit application. while this is clear
security flaw (glibc information leaking) they always refused to patch it,
even beeing offered patches. and this is only one of many problems with
redhat.
ok, but since you do have to use it - i see no problem, it should work,
you may have to patch it a bit by hand (do not know how much of
execshield gone into mainstream kernels).
Albeiro
More information about the rsbac
mailing list