Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 4 Jul 2017 14:31:27 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: linux-distros list membership application - CloudLinux

I've just added CloudLinux to linux-distros.  Some comments below:

On Sun, Jul 02, 2017 at 05:29:25PM +0300, Igor Seletskiy wrote:
> We typically have to patch local privilege escalations in kernel asap as
> our customers are easily rooted using this type of vulnerabilities (anyone
> can buy website or hack old wordpress instance & run any code).

This may be a reason for you to harden your distro's userland against
local privilege escalations as well, such as by adopting the
owl-alt-sanitize-env glibc hardening patch maintained by ALT Linux:

http://git.altlinux.org/gears/g/..git?p=glibc.git;a=commitdiff;h=496059f2

and getting rid of most or all world-accessible SUID programs, which is
do-able like we have demonstrated with Owl.  This shouldn't be
unreasonably hard to implement and maintain in a fork of RHEL, although
obviously you'll end up with more packages (including some core ones)
that would no longer be mere rebuilds of RHEL's.

This is by no means a condition for your linux-distros list membership -
I just happen to mention it here in response to your explanation of your
distro's threat model.  If you do go this route, it will re-enforce your
reasoning for being a linux-distros member, though.

> Some records:
> The stack clash (Jun 21, 2016):
> https://www.cloudlinux.com/cloudlinux-os-blog/entry/cve-2017-1000364-fixed-for-cloudlinux-7
> Dirty Cow (Oct 21rd, 2016):
> https://www.cloudlinux.com/cloudlinux-os-blog/entry/cloudlinux-6-kernel-updated-dirty-cow-issue-fixed
> Ghost (Jan 27, 2015):
> https://www.cloudlinux.com/cloudlinux-os-blog/entry/glibc-ghost-remote-vulnerability-cve-2015-0235

You got impressive timing on these!

> Please, find PGP related info
> 
> Leonid Kanter <lkanter@...udlinux.com>
> 
> GPG Key: 0x400296079AE5954F (download
> <https://cryptup.org/pub/lkanter@cloudlinux.com>)
> GPG Fingerprint: A07D AA47 48B2 C445 6A44  9B38 4002 9607 9AE5 954F
> 
> Igor Seletskiy <i@...udlinux.com>
> 
> GPG Key: 0xCD7BB36D66B77E0D (download
> <https://cryptup.org/pub/i@cloudlinux.com>)
> 
> GPG Fingerprint: 7FE3 681A DCBC C509 A2FF 77A4 CD7B B36D 66B7 7E0D
> 
> Konstantin Olshanov <kolshanov@...udlinux.com>
> GPG Key: 0x891E1FDBF34ED0FD (download
> <https://cryptup.org/pub/kolshanov@cloudlinux.com>)
> GPG Fingerprint: B502 0D7C BB2C 674C 6387  FBDC 891E 1FDB F34E D0FD

I subscribed only Leonid and Igor so far, since Konstantin's key doesn't
appear to be available at that URL (I am getting "No Public Key found
for kolshanov@...udlinux.com").  As a minor annoyance, these URLs appear
to require JavaScript.

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.