public inbox for gentoo-dev@lists.gentoo.org
From: Jason Wever <weeve@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Stack smash protected daemons
Date: Sat, 25 Sep 2004 18:58:52 -0600
Message-ID: <20040925185852.6352c326@enterprise.weeve.org>
In-Reply-To: <200409251926.32676.blauwers@gentoo.org>


On Sat, 25 Sep 2004 19:26:26 +0200
Bart Lauwers <blauwers@gentoo.org> wrote:

> Having read the whole thread, here are some points I feel are important to
> make:
> 1) Safety is important; it should be our aim to have our default
> system as secure as it possibly could be. Just look at the reviews some
> OS providers get over security. A good computer system should be
> protected against bad code as much as possible.

Then shut it off, unplug it from the wall, permanently erase all data and
then eject the physical components into the sun.  Otherwise you will
always be at some form of security risk, known or unknown.

Also make sure you don't get the Operating System confused with the extra
software provided.  99% of all software on your installation is not part
of the Operating System.  If you plan on making Gentoo accountable for
that, I hope you have an army of developers waiting in the wings.

> 2) The risk is real and errors against this seem common.

Sure, there is risk in almost everything too.  However just because
driving an automobile can be dangerous doesn't mean I'll buy a tank or
stay inside just to feel safe. 

> 3) A good housefather does not leave the front door of any home open at
> night.

See reply to 1.

> 4) Protection is possible/available (to a degree) at system level.
> 5) Most people prefer to know they can have a reasonable trust in their
> computer system to operate reliably and consistently by default.

Doesn't this exist already?  If people didn't trust Gentoo then why are
they using it?  We can't be held ultimately responsible for software we
didn't write.  If you can knock over service foo-1.2.3 on Gentoo, chances
are you can knock it over on another Linux or possibly any other platform
it runs on either.
 
> Here are some of the things not to like about what is proposed so far:
> 1) Adjusting all ebuilds (not very productive, only adds clutter to
> ebuilds)
> 2) Making new features, use flags, whatever (same idea)
> 3) Not doing anything would not be very responsible

Are we in the insurance business or are we in the Linux distribution
business?  Maybe I'm way out in left field here but I'm not holding Gentoo
responsible for software they didn't write.  

> What I propose to do (pick the low hanging fruit):
> 1) Add stack protector and any similar 'features' stable in hardened
> to the default CFLAGS of the gentoo install/profiles. By stable I mean
> things which do not break the majority of functionality.

Feel free to take on the ownership of making this work on every arch's
toolchain then.  Also feel free to deal with all upstream authors who
start instantly dismissing any bugs from Gentoo due to the fact that the
toolchain is quite modified to accomplish this task.  Take the current
stance the GAIM team has with us as an example of what would be to come.

> 2) broken ebuilds can filter-flags until fixed (better approach since
> you are only fixing up ebuilds for broken stuff and may also prompt the
> devs to try and make the protection work).

The protection itself is a work-around to the original problem.  You want
to continue to work around the problem even more?

> 3) People who prefer not to be protected can remove the settings from
> their CFLAGS

Personally, I don't think opting out is the way to do this.  Having CFLAGS
that are in by default that may or may not work across all architectures
is not a good thing.

> 4) Get virus, spam, etc. protection functional and leveraged into
> the defaults; in other words, turn on those USE flags in the standard
> profiles.

No thanks.  I don't want to have to spend the first 24 hours or so of
using my new "trusted" operating system opting out of all of the overly
paranoid defaults.  If I'm looking for a high level of security out of the
box, I'll use hardened or OpenBSD.

> A personal opinion:
> Anyone who thinks that a speed tradeoff is too much for better
> protection is crazy. Do us all a favor and play a good night of Russian
> roulette by yourself to get your thrills.

OK seriously, this kind of comment isn't needed.  I'm not sure what you
hoped to have accomplished by it, but I'm fairly sure it didn't work.

As anyone who has spent 5 minutes in the security world knows, there's a
fine line between good security and paranoia.  You can lock your system
down to high heaven and be sure that people won't get into it, but then
you won't be able to do a damn thing either.  What good is that?

Right now I have a choice to use these features if I want to.  I don't
have to "opt-out" and I would rather keep it that way.  The support
nightmare this will create is not worth the potential advantages.  

> There's more to be said on security but I feel too lazy right now to
> type it so if this isn't convincing you let us know.

And as this list has shown historically, we can all argue security to high
heaven with each party feeling they have the right answer and never
accomplish anything.

Now please don't get me wrong.  As someone whose day job is in the
security field, I very much like and appreciate the efforts that have gone
into making secure toolchains and hardened systems a reality in Gentoo. 
In some cases I do use them as well.

However, I do not believe it is our place nor our job to make that choice
for our users.  You cannot protect people from themselves, regardless of
the perceived benefits.

Regards,
-- 
Jason Wever
Gentoo/Sparc Team Co-Lead


