Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 10 Mar 2011 00:20:22 +0100
From: Piotr Meyer <aniou@...tek.pl>
To: owl-dev@...ts.openwall.com
Subject: Re: VLANs in Owl way?

On Wed, Mar 09, 2011 at 11:43:16PM +0300, Vasiliy Kulikov wrote:
 
> On Mon, Mar 07, 2011 at 09:18 +0100, Piotr Meyer wrote:
> > only 'is_available' needs some 
> > work (can we rely on  sysfs on /sys presence?).
> 
> That's an open issue :-)  There is some danger in mounting /sys by
> default.  Permissions of some sysfs files were too restricted not long
> ago:

That version was taken from Fedora 14. Older implementations (RHEL4 and 5) 
don't relies on sysfs:

http://pastebin.com/DYBU9KXB  (RHEL4.4)
http://pastebin.com/BcFAujTy  (RHEL5.5)

BTW about is_available() function: from my point of view this function
does too much: not only checks availability of device, but also loads
firmware/modules for physical devices and renames them, if necessary. 

IMVHO is_available() should be limited to lines 1-17 (and, maybe 22-28
but without renaming) of RHEL5 version. Mixing "checking" and "doing" 
in one place isn't good and admin should create necessary devices
without "magic" scripts.
 
> One little problem with the script is that it uses "ip link add type
> vlan", it is not supported by our old iproute ;)  

This isn't necessary, I hope: older version uses simply vconfig to
creating vlans: http://pastebin.com/GGJR8W30 (from RHEL5.5).

> We're planning to
> upgrade iproute after toolchain upgrade.

With gcc4? I played a little in NetBSD with things like ASLR or gcc stack 
smashing protections and I'm curious what Owl can do with this. Yes, I'm
aware about performance drop but there are many "fast" distros and I want 
secure one. 

PS: Handy table for current RHEL's features:
    http://www.awe.com/mark/blog/20101130.html

-- 
Piotr 'aniou' Meyer

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.