this post was submitted on 31 Oct 2024
53 points (98.2% liked)

Linux

48182 readers
1637 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] andyburke@fedia.io 16 points 2 weeks ago (3 children)

Why would anyone want to run unmainlined security patches from a company?

This is how CrowdStrike happened.

This feels like security via business decision which is always the opposite of security. At least this would be open source now? 🤷‍♂️

[–] ChiefSinner@lemm.ee 7 points 2 weeks ago* (last edited 2 weeks ago) (2 children)

GrSecurity adds so many layers of protections to the kernel. They are literally decades ahead of the vanilla Linux kernel in terms of security. With all of the hardened GrSec settings checked/configured correctly, it stops the majority of 0 ring exploits (at least when I was running it before they went full GPLv2).

PaX is an awesome part of GrSec. Mprotect stops any read and write and execute access to memory in both user and kernel lands (only rx or wx). Stuff like web browsers won't work unless you have a program to mark it in elf to not use pax. However, this kills a lot of exploits with that turned on by itself (though there are probably work arounds if you are developing exploits which the other features would hopefully catch). That's why people installed 3rd party unmainlined security patches, but that's just me maybe idk.

I hope this venture will be more fruitful than the copy paste code that people kept trying to push to the hardened Linux kernel project (despite the maintainers best intentions and countless efforts to stop that)

[–] andyburke@fedia.io 2 points 2 weeks ago (1 children)

Mprotect stops any read and write and execute access to memory in both user and kernel lands (only rx or wx). Stuff like web browsers won't work unless you have a program to mark it in elf to not use pax. However, this kills a lot of exploits with that turned on by itself (though there are probably work arounds if you are developing exploits which the other features would hopefully catch). That's why people installed 3rd party unmainlined security patches, but that's just me maybe idk.

I am having a hard time following what this does or why this is desirable. You're saying there's a patch this thing provides that .. disables memory access ... unless a flag is set in an executable ... which will then bypass the security?

[–] ChiefSinner@lemm.ee 2 points 1 week ago

Yup. You can only add the nopax flag as root, so if your system is already hosed, not much else you can protect. Root has access to ring 0 so anything goes with access like that. Stuff like pax would slow them down for sure and stop script kiddies, but root access is root access.

No privileged accounts can't do anything with the nopax flag. That's why you should configure your system to not run things as root as much as possible. Personally; on desktops, I don't even use a sudoer natively. I have to su into my sudoer account in order to run root commands.