Date: Tue, 4 Jul 2017 18:07:13 +0300
From: Igor Seletskiy <>
Subject: Re: linux-distros list membership application - CloudLinux

> On Sun, Jul 02, 2017 at 05:29:25PM +0300, Igor Seletskiy wrote:
> > We typically have to patch local privilege escalations in kernel asap as
> > our customers are easily rooted using this type of vulnerabilities (anyone
> > can buy website or hack old wordpress instance & run any code).
> This may be a reason for you to harden your distro's userland against
> local privilege escalations as well, such as by adopting the
> owl-alt-sanitize-env glibc hardening patch maintained by ALT Linux:

Thank you, we will analyze it / test how well it works with 3rd party

> and getting rid of most or all world-accessible SUID programs, which is
> do-able like we have demonstrated with Owl.  This shouldn't be
> unreasonably hard to implement and maintain in a fork of RHEL, although
> obviously you'll end up with more packages (including some core ones)
> that would no longer be mere rebuilds of RHEL's.

All the web applications, end users' ssh sessions and cron jobs are executed in
a namespaced / chrooted environment with no SUID files accessible already.
We cannot completely get rid of SUID scripts as they are used by 3rd party
software (like cPanel/Plesk) that is used on most customers' servers.
It is not perfect, but the best we were able to do so far.

Thank you for the advice,
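An added example, not code from this thread or from either distro, of the audit check behind the quoted SUID recommendation: a POSIX shell helper that lists setuid/setgid executables any user may execute, plus a constructed sample tree (hypothetical file names) to try it against offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Audit helper for the quoted
# recommendation: list setuid/setgid executables that any user may execute
# (the "world-accessible SUID programs" a hardened distro tries to minimise).
# A SUID root binary that only a dedicated group may execute is a much
# smaller local-privilege-escalation surface than one every account can run.

# list_world_suid ROOT
# Prints files under ROOT that have the setuid or setgid bit AND the
# other-execute bit. Octal -perm tests are used for portability:
#   -perm -4000  setuid bit set    -perm -2000  setgid bit set
#   -perm -0001  others may execute
# Run as root on a real system so every directory is readable.
list_world_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -perm -0001 2>/dev/null | sort
}

# count_world_suid ROOT: number of such files, handy for a monitoring check
count_world_suid() {
    list_world_suid "$1" | wc -l | tr -d ' '
}

# make_demo_tree DIR: builds a constructed sample tree (hypothetical names)
# so the check can be tried offline. Modes cover each case the find
# expression decides:
#   bin/su      4755  setuid, world-executable   -> reported
#   bin/admin   4750  setuid, group-only         -> not reported
#   bin/wall    2755  setgid, world-executable   -> reported
#   bin/ls      0755  no special bits            -> not reported
make_demo_tree() {
    mkdir -p "$1/bin"
    for f in su admin wall ls; do : > "$1/bin/$f"; done
    chmod 4755 "$1/bin/su"
    chmod 4750 "$1/bin/admin"
    chmod 2755 "$1/bin/wall"
    chmod 0755 "$1/bin/ls"
}

# Stand-alone run: audit a scratch tree, then clean it up.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_demo_tree "$d"
    list_world_suid "$d"
    rm -rf "$d"
fi
```

On a live system, diff the output of `list_world_suid /` against a known-good baseline after each package update; a new entry is a new local-privilege-escalation candidate to review.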
