Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Wed, 30 May 2018 10:01:30 +0200
From: Daniel Cegiełka <daniel.cegielka@...il.com>
To: owl-users@...ts.openwall.com
Subject: Re: Owl update

2018-05-24 22:21 GMT+02:00 Solar Designer <solar@...nwall.com>:
> Hi,
>
> As some of you are aware, our Openwall GNU/*/Linux (Owl) project has
> been on hold for a long while now, with its future unclear:
>
> http://www.openwall.com/lists/owl-users/2014/12/30/1
>

First of all, I thank you and the Openwall team for all these years of
your work. And yes, Owl's development has been stuck for several years
and its future seems unclear.

Let's start from the beginning. Why did you start Owl? I remember an
interview with you (2002 or 2003). You said you started the Openwall
project because every time you set up a new server, you had to spend a
lot of time to secure it. Owl was supposed to be secure out of the box.
During all these years, a very unique and secure userland was built as
part of the Openwall project. The knowledge and experience that
Openwall brings is even more valuable ("bringing security into open
environments"). But are other Linux distributions able to use Owl's
experience? I do not think so. Even if they try, sooner or later they
spoil everything by adding more suid files. Owl's userland is
therefore very unique.

Regarding Owl's future. Currently, thanks to your cooperation with
Salvatore Mesoraca[1], more and more solutions developed for Owl's
kernel are beginning to go into Linux. I wonder if it would be sensible to
use Owl userland also on other kernels. This would allow better use of
the new hardware (e.g. CPUs, arm64).

In the past Owl was to be based on the RSBAC[2] kernel. RSBAC still
exists, being developed on new kernels (4.14). But I'm afraid,
however, that it may be difficult for them to survive.

SELinux is great, but unfortunately difficult to configure. AppArmor,
on the other hand, is easy to use and it is more an extension of the
DAC model, on which Owl heavily relies (e.g. tcb, crontab).

What do you think about the idea of using Owl userland on newer kernels?
And which one (RSBAC, SELinux, AppArmor) in your opinion is the best
suited for use with Owl userland? I'm interested in which solution
you would use for yourself with Owl userland.

[1] http://www.openwall.com/lists/kernel-hardening/2017/11/22/4
[2] https://www.rsbac.org/

Thanks again,
Daniel
