Date: Tue, 4 Jul 2017 14:31:27 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: linux-distros list membership application - CloudLinux

I've just added CloudLinux to linux-distros.  Some comments below:

On Sun, Jul 02, 2017 at 05:29:25PM +0300, Igor Seletskiy wrote:
> We typically have to patch local privilege escalations in kernel asap as
> our customers are easily rooted using this type of vulnerabilities (anyone
> can buy website or hack old wordpress instance & run any code).

This may be a reason for you to harden your distro's userland against
local privilege escalations as well, such as by adopting the
owl-alt-sanitize-env glibc hardening patch maintained by ALT Linux:

http://git.altlinux.org/gears/g/..git?p=glibc.git;a=commitdiff;h=496059f2

and getting rid of most or all world-accessible SUID programs, which is
doable like we have demonstrated with Owl.  This shouldn't be
unreasonably hard to implement and maintain in a fork of RHEL, although
obviously you'll end up with more packages (including some core ones)
that would no longer be mere rebuilds of RHEL's.

This is by no means a condition for your linux-distros list membership -
I just happen to mention it here in response to your explanation of your
distro's threat model.  If you do go this route, it will reinforce your
reasoning for being a linux-distros member, though.

> Some records:
> The stack clash (Jun 21, 2016):
> https://www.cloudlinux.com/cloudlinux-os-blog/entry/cve-2017-1000364-fixed-for-cloudlinux-7
> Dirty Cow (Oct 21st, 2016):
> https://www.cloudlinux.com/cloudlinux-os-blog/entry/cloudlinux-6-kernel-updated-dirty-cow-issue-fixed
> Ghost (Jan 27, 2015):
> https://www.cloudlinux.com/cloudlinux-os-blog/entry/glibc-ghost-remote-vulnerability-cve-2015-0235

You got impressive timing on these!

> Please, find PGP related info
> 
> Leonid Kanter <lkanter@...udlinux.com>
> 
> GPG Key: 0x400296079AE5954F (download
> <https://cryptup.org/pub/lkanter@cloudlinux.com>)
> GPG Fingerprint: A07D AA47 48B2 C445 6A44  9B38 4002 9607 9AE5 954F
> 
> Igor Seletskiy <i@...udlinux.com>
> 
> GPG Key: 0xCD7BB36D66B77E0D (download
> <https://cryptup.org/pub/i@cloudlinux.com>)
> 
> GPG Fingerprint: 7FE3 681A DCBC C509 A2FF 77A4 CD7B B36D 66B7 7E0D
> 
> Konstantin Olshanov <kolshanov@...udlinux.com>
> GPG Key: 0x891E1FDBF34ED0FD (download
> <https://cryptup.org/pub/kolshanov@cloudlinux.com>)
> GPG Fingerprint: B502 0D7C BB2C 674C 6387  FBDC 891E 1FDB F34E D0FD

I subscribed only Leonid and Igor so far, since Konstantin's key doesn't
appear to be available at that URL (I am getting "No Public Key found
for kolshanov@...udlinux.com").  As a minor annoyance, these URLs appear
to require JavaScript.

Alexander
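The recommendation in the message above to get rid of world-accessible SUID programs, as an added shell example that is not part of the original post and is not Owl's or CloudLinux's tooling: it builds a constructed sample tree of dummy files (not real binaries), lists the set-uid/set-gid files that remain executable by "other", and applies the group-restriction fix (keep the set-id bit, drop all "other" permissions, assign a dedicated group). The directory, file names and the group used are assumptions.

```shell
#!/bin/sh
# Added example: audit a tree for set-uid/set-gid files that are executable
# by "other" (world-accessible), then restrict one to a group.
# Not code from the list post, Owl or CloudLinux; names are assumptions.

# list_world_suid DIR: print regular files under DIR (same filesystem) that
# carry the set-uid (4000) or set-gid (2000) bit AND the "other" execute
# bit (001), i.e. any local user can run them.
list_world_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -perm -001 \
        2>/dev/null | sort
}

# restrict_to_group FILE GROUP: the group-restriction fix. The set-id bit
# stays, the file is handed to GROUP, and every "other" permission is removed,
# so only members of GROUP (and the owner) can execute it.
restrict_to_group() {
    chgrp "$2" "$1" && chmod o-rwx "$1"
}

# make_sample_tree DIR: constructed sample tree of empty dummy files with
# the modes a SUID audit typically meets (hypothetical, for demonstration).
make_sample_tree() {
    mkdir -p "$1/bin"
    for f in world_suid group_suid world_sgid plain; do
        : > "$1/bin/$f"
    done
    chmod 4755 "$1/bin/world_suid"   # SUID, executable by everyone: flagged
    chmod 4710 "$1/bin/group_suid"   # SUID, owner+group only: already fine
    chmod 2755 "$1/bin/world_sgid"   # SGID, executable by everyone: flagged
    chmod 0755 "$1/bin/plain"        # no set-id bit: ignored
}

# demo: run the audit on the constructed tree, apply the fix to one file,
# and run the audit again. The sample group is the caller's own primary group.
demo() {
    d=$(mktemp -d)
    make_sample_tree "$d"
    echo "world-accessible set-id files under $d:"
    list_world_suid "$d"
    restrict_to_group "$d/bin/world_suid" "$(id -gn)"
    echo "after restricting world_suid to group $(id -gn):"
    list_world_suid "$d"
    rm -rf "$d"
}

demo
```

On a real system the same `list_world_suid /usr` call gives the list of programs to review; each one is then either dropped, moved to a mode 4710 / 2710 file owned by a dedicated group, or kept with a documented reason.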
