Re: sick of Linux bias

From: Steve (steve_at_no-email-please.net)
Date: 01/13/04


Date: Mon, 12 Jan 2004 23:20:27 GMT

Hairy One Kenobi wrote:
> "Steve" <steve@no-email-please.net> wrote in message
> news:sskMb.61484$IF6.1356048@ursa-nb00s0.nbnet.nb.ca...
>
>
>><classic pointless rant>
>
>
> <classic pointless response>
>
> ;o)
>
>
>>The Bottom Line here is that Linux is not by any means free of its own
>>problems. However, the reason why you get such a bias towards Linux, even
>>when some Linux servers can be rooted just as easily as Windows ones, is
>>that those servers that are being rooted _can_ be fixed. And if you
>>have a knowledgeable sysadmin, the boxes will not get rooted.
>>
>>The rationale behind this assertion is that the exploits found for
>>Linux are almost exclusively userland exploitations. While in Windows,
>>while we see a number of "userland" exploitations (with Windows it's hard
>>to really say userland, because there _is_ no real privilege separation,
>>but for these purposes we can take userland to indicate not a part of
>>the core Windows operating system), we see an almost equal number of
>>operating system, or "kernel-land", exploitations.
>
>
> This is probably where our views diverge - *nix has a simple on/off approach
> to privilege. Windows has a mass to choose from - a lot of programmers seem
> (sometimes wilfully!) to misunderstand this and drag us back to
> CP/M^H^H^H^HDOS, but that doesn't necessarily make them "bad".

As a former Microsoft programmer who has tidbits of Windows Longhorn
source code, and one of the alphas on my desk right now, I can tell
you this is not true.

While Microsoft does attempt to represent it that way to the user, and
without knowing a vast amount of C or assembler, or fully understanding
the dissemination of the operating system, you would be none the wiser.
However, the problem is that Microsoft's claim that they indeed DO have
privilege separation, and not only that, have varying degrees of
privilege separation, is just wrong. The reason why it's wrong is that
there is no real kernel land and user land for applications. Everything
ultimately runs with administrator privileges in the final execution.
Moreover, the haphazard design of the underlying kernel has led to
userland and kernel land becoming intertwined. So in almost every single
case your "userland" program is going to have hooks right down into the
kernel. For those of you who don't really understand kernel and user
separation: running with a hook in the kernel may be shown by Windows as
running as your user, and it may deny you access to another user's files
when you try a conventional read. However, if you write a C program, or
an assembler program, you have full access to those hooks, and can run
right inside kernel space, which is the equivalent of running with
SYSTEM privileges. Indeed, that is why when we see something like DCOM
get exploited, a simple long filename gets you SYSTEM privileges.

Moreover, any binary on a Windows box can overflow its stack and voila,
it's in kernel space if the overflow is crafted correctly. Moreover,
every Windows box is compiled with the same procedure, with the same
offsets, and the same base addresses at the factory, which makes
mass exploitation possible.

Now in many cases with Linux, for example with RPMs on Red Hat, yes you
are dealing with binaries; however, by the nature of open source, you
could just as easily, if you were concerned about buffer overflows,
compile your entire system from scratch. Indeed, there are entire Linux
distros built around this, for example Gentoo. The box I am sitting on
is a Gentoo box and every single binary on this machine has been
compiled on this machine, and is compiled specifically for my processor.
The binaries on this machine will not work on a PII or a PIII, only on
an Athlon XP or higher chip.

What this means is that if you want to 0-day me with a stack smash, you
can't. You need to figure out my base addresses first. Indeed, the
OpenSSH exploit that was found over the summer, someone DID try that
against me, before I was patched. It just didn't work. It did succeed in
crashing my SSH daemon. However, because the base memory was not the
same, the amount of overflowing that had to happen to get to the memory
address that was needed to bind a shell to a port was different, and
thus while the overflow occurred, the instructions that needed to be
pushed onto the stack never made it there.

Moreover, with a grsecurity patch, I can make EVERY memory allocation
start from a random base, IN ADDITION to the random offsets from
compilation. Therefore, if you try to overflow a daemon in userland, you
have a (2^32)^32 chance of being at the correct address to start
injecting into the stack with the amount that you need to inject into
the stack. The first 2^32 is because the offsets are random, because of
compilation with different GCC options. Therefore, you can be starting
from anywhere in memory, which is 2^32. Now on top of this, you have
a grsecurity patch in the kernel making an additional randomization of
your static (but random, because no one can know for sure what the base
offsets are if you are using wonky GCC options) bases, and that happens
every time you malloc(). Which adds the other ^32 to the initial 32-bit
max that you started out with.

Moreover, the kernel has a specific portion of memory. The only way a
process can get into that memory is if it is running uid=0. If it isn't,
it gets a SIGSEGV from the OS. Therefore, the exploitation that can
happen at the kernel level must happen in a process running as root.
Now, while many daemons do run as root, simply to bind privileged ports
0-1024, a simple fork() after the connection is received fires off a
new process running with UID= whatever you specify in your
configuration, but as an unprivileged user. For example, my FTP service
runs as root, until you bind to 22; then it forks off to a user called
proftp. That user cannot write anywhere on the filesystem, nor can they
log into the system. Once the user authenticates against PAM, there is a
fork() off as the user they authenticated as. So if they compromise the
daemon, they can never do any real damage. And in order to do anything,
there would have to be a remote root in the way TCP is implemented in
the kernel (which I have never seen, nor do I know anyone since the
inception of Linux who has seen this) or in PAM. And PAM is so heavily
audited that we rarely find privilege escalation problems in it. In
fact, I can't think of any in PAM in the last 3 years (I could be wrong
there).

THIS is real privilege escalation. There is no kernel hook to break, and
you're not running in memory that the kernel can use. Therefore, you
don't get root simply by overflowing any binary on the system.

Now, mind you, what I have described requires a lot of development and
OS experience to know how to do. Indeed, you can very easily set up a
vulnerable Linux box, and many admins who don't know Linux well do just
that. However, the point here is, if you bring in a consultant (like me
:D ) who is very knowledgeable (or has access to very knowledgeable
people :) ), you have the OPTION to do much more. However, the security
of a given Linux box is DIRECTLY proportional to who is adminning it,
who set it up, and who has root on it.

With Windows, we don't have that option. When the OpenSSH remote root
shell came out, I already had other layers of security in place to allow
me to use OpenSSH but not be susceptible to that remote root (i.e. random
offsets, random malloc()s). Therefore, when that vulnerability came out
(and it was 2 AM when my phone started ringing, because let's face it,
OpenSSH IS the trump card) I was able to say "I'll upgrade it in the
morning" and go back to sleep, because I knew that it was a stack smash,
and that my Gentoo boxes, even before they were patched, were not
susceptible to this.

However, most Linux boxes where an RPM-installed OpenSSH was running,
and there was no grsecurity patch in the kernel, WERE susceptible. They
didn't have to be, but they were. The point is, I CAN implement layers
of security on Linux.

However, when the MSRPC exploit came out, while all my networks drop RPC
at the border, internally I had to put clothes on when I got the call
(which fortunately was only 7 PM :) ) and go around running Windows
Update.

OK, the point of that seemingly endless rant: while Linux CAN be
insecure, and in many cases IS by default, if you have the appropriate
admin it can be very secure. But you have the option. With Windows,
there really is nothing you can do.
>
> As you rightly point out - most Windows boxes are set up in the *nix
> all/nothing model. More a problem with the admins than the system. VMS'
> SETPRV and auditing beats both of them hands-down (shame about things like
> UCX, though..)
>
>
>>Moreover, without an /etc directory in plain text, we have a registry,
>>which is another way to do it, but the problem is it's a proprietary
>>binary, so we never really know all of what's in it, and instead of a
>>real system logger like /var/log we have event manager, which again is
>>another proprietary approach.
>>
>>This amounts to tracking down problems on Windows to their root being
>>much more difficult than with Linux, the reason being that in Linux it's
>>plain text; you can _read_ the physical settings being read into the
>>daemons (pardon my spelling). In Windows, you have to root through keys
>>and proprietary editors to get the info that in Linux would have been
>>gotten from cat. Moreover, it's easier to extract and sort information
>>out of the ASCII in /var/log than to get Event Viewer in Windows to
>>figure out what the hell is happening.
>
>
> Hmm. While I'd agree that Event Viewer was probably written by Satan on a
> rainy Sunday afternoon, I can't agree that hunting down configuration files
> is a useful use of /my/ time. As I'm sure you'll recall, Windows 3 took that
> approach. Not especially brilliant..

Can't argue with that :) However, I think you misunderstood the way
Linux does the config files. In general, the config files are in
/etc/<name of package>/. While there are exceptions to this, the fact
remains that the location of those files is mostly standard, and if it's
not standard, it can simply be found in the documentation, which you are
probably reading anyway if you are configuring the software. Moreover,
they are in ASCII text. Therefore, they can be opened with just about
anything. Moreover, they can be done over slow connections via a
text console. Moreover, it's easier to search through them if you're
looking for a specific variable. For example, if I am looking for all
the settings of CFLAGS, I can do a search over all config files at once.
In any POSIX operating system (which almost all *inxs are, well, outside
of IBM AIX, but that is the Unix equivalent of hell) you can just type
grep CFLAGS= -i /etc/* , and you can search the configuration files for
every single piece of software on your machine with that one command.

The Windows 3 approach was not reflective of the Unix way of doing things :)

>
> A better argument would be the use of specific users to run specific
> services (as Windows does - to a limited extent - with IIS). It's also what
> a number of large Real World(tm) users do via security policy.
>
>
>>None of this negates the overriding fact that your network is really
>>only as secure as the administrator running it; however, for a
>>knowledgeable administrator, you can do more with Linux, much more. Any
>>knowledgeable admin who has used both will tell you that. Of course
>>people can say they know 50 Linux boxes that got rooted; they probably
>>have 50 MCSE friends who tried to run a Linux server and were running a
>>vulnerable version of ssh, or running a 2.4.0 kernel, or some other
>>horribly outdated userland daemon. So of course they got rooted.
>
>
> Both platforms require updates.. and both platforms have a way to go on that
> one. On the one hand, we have (often unnecessary) Windows reboots, on the
> other a process that would appear to be moderately painful.

This is true, but as I outlined above, you can use other "layers" of
security, if you have the appropriate admin, to delay updating (although
it's generally a good idea) if you need to (like if it is 2 AM :) ).

Moreover, the only time you really need to reboot is when you install a
new kernel. All the other times, since there is a clear kernel land and
userland, and userland uses kernel land to realloc(), I can rebuild my
entire box (and I have, when I need to add new GCC options like
ProPolice onto all my binaries) and not have to reboot. Indeed, my IMAP
box is running kernel 2.4.22 and has been up for close to 4 months now
without a reboot (the power company is good around here about lack of
power outages :) ).

>
> The reason I say that a lot of reboots are probably unnecessary is that most
> seem to make assumptions about DLLs that could be hanging around in memory
> (wouldn't it be nice if they dropped out when they weren't being used, or
> had a specific unload utility? Everyone else seems to manage to do /that/
> one..)

This is true; however, if you run Windows Update and a DLL gets
updated, Windows Update can't shut down the processes using that DLL
most of the time, therefore you have to reboot, since in Windows you
can't delete a file, or replace it, if it's in use (mainly because NTFS
is broken :) ).

>
> As goes my other point - if online updating were so straightforward, why did
> 100% of my Red Hat Network updates fail? And why the *%@& did they fail
> /silently/? OK, so I was able to apply the updates manually, but that's not
> the point - having to roll that out to a large bunch of machines is
> s-o-o-o-o-o 1980s ;o)

Red Hat is a general pain in the ass, I find; however, you can find Perl
scripts out there (I have some that I use for people who _insist_ on
Red Hat; for a lot of them I just lie and install Gentoo :) ) that will
get the RPM, verify the signature, and install it, and if it fails, try
it again using a different method (depending on the error), and if it
fails, email you.

There are _better_ distros, for example Gentoo :), which has the
lovely feature of Portage, where there are ebuild files. These files
contain a bash-like script to configure, install and clean out the old
version of the package; moreover, it figures out all the dependencies
for a package and installs them before it installs the package (well,
before it starts compiling the package). Moreover, using USE flags in a
global conf file, you can choose the functionality you want for each
package (i.e. build with KDE stuff in it, build with support for XMMS,
or SSE or NVIDIA, or whatever you need) and when a package is installed,
the appropriate USE flags are picked out and the appropriate patches are
applied. Moreover, there are CFLAGS that can be set for compilation,
so you can set sickeningly fast optimizations in there, and have
everything compiled with those settings. Even better, if your CFLAGS are
too aggressive for a package (like for glibc) they get toned down to
safe flags. Moreover, all the configuring for compile, all the
installation of the compiled binaries, and cleaning of previous versions
and keeping track of which version is now installed is done by a Python
program called Portage. Now when I want to update my system, I type one
command, emerge rsync & emerge update world; and my system is updated.
Hashing is used to ensure there are no problems with the source, and the
source is downloaded from trusted mirrors. Now I put this in my crontab,
have it run every morning, and grep the output for newly merged packages
and unmerged packages, and the output gets mailed to me. So every day I
get a report from my system about what was uninstalled, what was
updated, and what the new version is. I don't even have to read these
mails, because Portage keeps track of it for me. I just read them to
know what's going on. If I want to install a new portage it's emerge
<package name> and it's done, and it's now in the database, so it is
monitored for updates every night when my cron job runs. I also put this
on production servers. Now, I manage about 30 machines for clients and
for my own personal use and for friends. All those machines are at peak
runtimes (I benchmark them every once in a while) and they are running
the latest version of everything that is installed. Here's the kicker:
I haven't updated any of the packages personally in over 5 months.

Red Hat and Debian have similar systems (i.e. apt-get) but currently
Gentoo is the most extensive, and works the best.

So as you can see, again, if you have a knowledgeable admin, upgrading
becomes quite easy, and management quickly becomes a script.

(To be fair to you, when you were running your updates, many of these
things may not have been around. However, if you still are looking at
this problem as a sysadmin, google it, or try apt-get and apt-update, or
just try Gentoo; it will make your life eons easier. I still remember
RPM hell... 'twas a dark time in my life as a Linux user...)

And rolling out the patches for Unix boxes is sooooo 1980s, or sooooo
Windows :)

>
>
>>Notwithstanding the above arguments, just look at the sheer number of
>>remote kernel roots and compare that to the number of exploits found in
>>a single version of Windows. Then compare the flexibility of a given
>>version of Linux (in fact there is so much flexibility there really
>>isn't a stable versioning convention) and compare it to Windows XP, or
>>Windows Longhorn (which by the way, for all the DOE effects in the alpha
>>copy sitting in front of me, rips off Unix even MORE than XP!)
>>
>>And finally, at the end of the day, the guts of the internet run *inx,
>>not Windows.
>
>
> Spell it *nix, and I'll agree with you ;o)

OK... *inux... but to be fair, IBM AIX counts as crap, Solaris is
pseudo-crap, and SCO has relinquished their right to call themselves a *inx :)

>
> (Not sure whether that was a typo or a Linux reference)
>
> H1K
>
>

steve
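The post's argument about random base addresses (the grsecurity and
per-machine-compile paragraphs above) comes down to one observable: does
a freshly exec'd process land at a different address each time it is
started? The following check is an added example, not code from the post
or from the grsecurity project. It reads the [stack] mapping of two
independently started `cat /proc/self/maps` processes and compares the
start addresses, then cross-checks the observation against what the
system claims through /proc/sys/kernel/randomize_va_space and the
calling process's ADDR_NO_RANDOMIZE personality bit. It assumes Linux
with /proc mounted and `cat` on the PATH.

```c
/* aslr_check.c - added example, not from the original post.
 * Observes whether the kernel places the stack of a newly exec'd
 * process at a different address each time (a "random base" in the
 * post's terms). Assumes Linux with /proc mounted and `cat` on PATH. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/personality.h>

/* Start a fresh process (popen runs /bin/sh, which execs cat; cat then
 * reads its own maps) and parse the start address of its [stack]
 * mapping. Returns 0 if the mapping could not be found or parsed. */
unsigned long fresh_process_stack_base(void)
{
    FILE *fp = popen("cat /proc/self/maps", "r");
    if (!fp)
        return 0;
    char line[512];
    unsigned long start = 0;
    while (fgets(line, sizeof line, fp)) {
        if (strstr(line, "[stack]")) {
            /* maps lines look like: 7ffd1a2b3000-7ffd1a2d4000 rw-p ... [stack] */
            if (sscanf(line, "%lx-", &start) != 1)
                start = 0;
            break;
        }
    }
    pclose(fp);
    return start;
}

/* 1 if two independently started processes got different stack bases,
 * 0 if they got the same one, -1 if the mapping could not be read. */
int stack_base_randomized(void)
{
    unsigned long a = fresh_process_stack_base();
    unsigned long b = fresh_process_stack_base();
    if (a == 0 || b == 0)
        return -1;
    return a != b;
}

/* What the system claims: 1 if ASLR should apply to children of this
 * process, 0 if it is off (globally via randomize_va_space, or for this
 * process tree via the ADDR_NO_RANDOMIZE personality flag), -1 unknown. */
int aslr_expected(void)
{
    FILE *fp = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (!fp)
        return -1;
    int level = -1;
    if (fscanf(fp, "%d", &level) != 1)
        level = -1;
    fclose(fp);
    if (level < 0)
        return -1;
    int pers = personality(0xffffffff);  /* query only, no change */
    if (pers == -1)
        return -1;
    if (pers & ADDR_NO_RANDOMIZE)
        return 0;
    return level > 0;
}

/* Cross-check observation against policy: 1 when they agree, 0 when
 * they disagree (worth an alert on a hardened box), -1 if either side
 * is unavailable. */
int aslr_observation_consistent(void)
{
    int observed = stack_base_randomized();
    int expected = aslr_expected();
    if (observed < 0 || expected < 0)
        return -1;
    return observed == expected;
}

int main(void)
{
    printf("policy says ASLR is %s\n",
           aslr_expected() == 1 ? "on" : "off or unknown");
    printf("two fresh processes got %s stack bases\n",
           stack_base_randomized() == 1 ? "different" : "the same");
    return aslr_observation_consistent() == 1 ? 0 : 1;
}
```

The point of reading the personality flag as well as the sysctl is that
a sandbox or debugger can switch randomization off for one process tree
while the global setting still reads 2; a check that only looks at the
sysctl would report a randomized layout that the daemon's children never
actually get.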

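The fork-then-drop pattern the post describes for its FTP daemon
(parent stays root only for setup, each connection handled by a child
running as an unprivileged account) is easy to get subtly wrong: a
seteuid() instead of setuid() leaves the saved set-user-ID at 0, and
dropping the uid before the gid makes the gid drop fail. The following
is an added example, not code from the post or from proftpd, showing the
drop in the right order together with the check that root really cannot
be regained. It assumes Linux/glibc; the uid/gid 65534 ("nobody") is an
assumption, and a real daemon would look up its own service account with
getpwnam(). When not started as root it keeps the invoking identity but
still proves the drop is irrevocable, so it runs as a normal user too.

```c
/* privsep_demo.c - added example, not from the original post.
 * Shows the fork-then-drop pattern: a parent that may be root keeps its
 * privileges for setup (binding a low port), and the per-connection
 * child switches to an unprivileged identity before touching any client
 * data. Also verifies the drop cannot be undone.
 * Assumes Linux/glibc; uid/gid 65534 ("nobody") is an assumption. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_UID ((uid_t)65534)   /* conventional "nobody"; assumption */
#define UNPRIV_GID ((gid_t)65534)

/* Drop root permanently. Order matters: supplementary groups and gid go
 * first, because once the uid is non-zero setgroups()/setgid() are no
 * longer permitted. setuid() (not seteuid()) also clears the saved
 * set-user-ID, which is what makes the drop irrevocable.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;                       /* nothing to drop */
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* 1 if this process cannot get root back, 0 otherwise. A daemon should
 * run this right after dropping and abort if it fails. */
int root_is_unreachable(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    if (setuid(0) == 0)
        return 0;                       /* the drop was not permanent */
    return errno == EPERM;
}

/* Body of the per-connection child: drop first, then do the work. When
 * not started as root, stay as the invoking user but still prove the
 * identity has no path back to root. */
static int worker(void)
{
    uid_t uid = geteuid() == 0 ? UNPRIV_UID : getuid();
    gid_t gid = geteuid() == 0 ? UNPRIV_GID : getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 0;
    }
    /* ... handle the connection here, entirely as `uid` ... */
    return root_is_unreachable();
}

/* Fork a worker the way the post's daemons do and report whether the
 * child ended up without any path back to root. The parent's identity
 * is untouched, so it can go on accepting connections.
 * Returns 1 on success, 0 if the child could still regain root,
 * -1 on fork/wait failure. */
int spawn_unprivileged_worker(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(worker() ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("parent: uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    int ok = spawn_unprivileged_worker();
    printf("worker dropped privileges irrevocably: %s\n", ok == 1 ? "yes" : "no");
    printf("parent afterwards: uid=%u euid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    return ok == 1 ? 0 : 1;
}
```

Run it once as a normal user and once under sudo: in both cases the
worker reports the drop as irrevocable, and in the root case the parent
still prints euid=0 afterwards, which is exactly the split the post
relies on (root only where the kernel demands it, never where untrusted
input is parsed).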

