Date: Tue, 4 Jul 2017 14:31:27 +0200
From: Solar Designer <>
Subject: Re: linux-distros list membership application - CloudLinux

I've just added CloudLinux to linux-distros.  Some comments below:

On Sun, Jul 02, 2017 at 05:29:25PM +0300, Igor Seletskiy wrote:
> We typically have to patch local privilege escalations in kernel asap as
> our customers are easily rooted using this type of vulnerabilities (anyone
> can buy website or hack old wordpress instance & run any code).

This may be a reason for you to harden your distro's userland against
local privilege escalations as well, such as by adopting the
owl-alt-sanitize-env glibc hardening patch maintained by ALT Linux:;a=commitdiff;h=496059f2

and getting rid of most or all world-accessible SUID programs, which is
do-able like we have demonstrated with Owl.  This shouldn't be
unreasonably hard to implement and maintain in a fork of RHEL, although
obviously you'll end up with more packages (including some core ones)
that would no longer be mere rebuilds of RHEL's.

This is by no means a condition for your linux-distros list membership -
I just happen to mention it here in response to your explanation of your
distro's threat model.  If you do go this route, it will reinforce your
reasoning for being a linux-distros member, though.

> Some records:
> The stack clash (Jun 21, 2016):
> Dirty Cow (Oct 21rd, 2016):
> Ghost (Jan 27, 2015):

You got impressive timing on these!

> Please, find PGP related info
> Leonid Kanter <>
> GPG Key: 0x400296079AE5954F (download
> <>)
> GPG Fingerprint: A07D AA47 48B2 C445 6A44  9B38 4002 9607 9AE5 954F
> Igor Seletskiy <>
> GPG Key: 0xCD7BB36D66B77E0D (download
> <>)
> GPG Fingerprint: 7FE3 681A DCBC C509 A2FF 77A4 CD7B B36D 66B7 7E0D
> Konstantin Olshanov <>
> GPG Key: 0x891E1FDBF34ED0FD (download
> <>)
> GPG Fingerprint: B502 0D7C BB2C 674C 6387  FBDC 891E 1FDB F34E D0FD

I subscribed only Leonid and Igor so far, since Konstantin's key doesn't
appear to be available at that URL (I am getting "No Public Key found
for").  As a minor annoyance, these URLs appear
to require JavaScript.
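
One way to inventory the world-accessible SUID programs the message above recommends getting rid of, as an added example that is not part of the original post and is not Owl's or ALT Linux's tooling. The function names and the sample tree are constructed for illustration; on a real system the root would be `/` or a mounted package root.

```python
import os
import stat
import tempfile


def world_accessible_suid(root):
    """Return sorted paths of regular SUID files under root that 'other' may execute.

    A SUID file restricted to its owner or group (for example mode 4750) is not
    reported: only files any local user can run are listed.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow directory symlinks
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never judge a symlink by its target
            except OSError:
                continue  # vanished or unreadable entry, skip it
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID and st.st_mode & stat.S_IXOTH:
                hits.append(path)
    return sorted(hits)


def build_sample_tree():
    """Constructed sample input: three files that differ only in mode bits."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    modes = {
        "open_suid": 0o4755,        # SUID and executable by everyone
        "group_only_suid": 0o4750,  # SUID but restricted to owner and group
        "plain": 0o0755,            # world-executable, no SUID bit
    }
    for name, mode in modes.items():
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)  # set the mode after writing so SUID is not cleared
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for p in world_accessible_suid(sample):
        print(oct(os.lstat(p).st_mode & 0o7777), p)
```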

