Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20091001144850.GA29943@openwall.com>
Date: Thu, 1 Oct 2009 18:48:50 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: Centos ohhhh Centos 1,2,3,4,5xx

On Thu, Oct 01, 2009 at 11:18:33AM -0300, gilberto alves wrote:
> In my opinion these very, very, very detailed email spend more time that 
> running same application in new environment centos 5xx?

Definitely.

> Here in Brazil quickly we adopted this new version and lots of 
> application running very ok.

Yes, but on a full-blown CentOS 5 install, not on Owl.  This mailing
list is about uses of Owl.

Owl may be preferred over CentOS for the "base system" for a variety of
reasons, including security.

Are you able to run a CentOS system with not a single SUID program (each
one of them poses a risk!), where users would nevertheless be able to
change their passwords, setup cron jobs, etc?  No, that's not possible
with CentOS alone.  However, it is possible with Owl, and it remains
possible with Owl plus a few CentOS packages (for specific components
needed on a given install but missing from Owl).  (As discussed, custom
builds for the missing components may work better, though.)

Then, suppose you have your SSH port available for connections by the
users (e.g., of your web hosting server).  Under CentOS 5, "sshd" is
linked against 25 libraries, many of which sound risky/scary to me.
Under Owl, this is reduced to 12 libraries, most of which are tiny and
relatively low risk.  I include the specific library lists below to
better illustrate my point.

That's just two examples.

CentOS 5:

[root@...t ~]# ldd /usr/sbin/sshd
        libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002b53487e8000)
        libpam.so.0 => /lib64/libpam.so.0 (0x00002b53489f1000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00002b5348bfc000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00002b5348e01000)
        libaudit.so.0 => /lib64/libaudit.so.0 (0x00002b5349019000)
        libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b534922d000)
        libutil.so.1 => /lib64/libutil.so.1 (0x00002b5349576000)
        libz.so.1 => /usr/lib64/libz.so.1 (0x00002b5349779000)
        libnsl.so.1 => /lib64/libnsl.so.1 (0x00002b534998d000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002b5349ba6000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00002b5349dda000)
        libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002b5349fef000)
        libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002b534a21e000)
        libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002b534a4b0000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002b534a6d5000)
        libnss3.so => /usr/lib64/libnss3.so (0x00002b534a8d8000)
        libc.so.6 => /lib64/libc.so.6 (0x00002b534ab60000)
        /lib64/ld-linux-x86-64.so.2 (0x00002b53485cd000)
        libsepol.so.1 => /lib64/libsepol.so.1 (0x00002b534aeb0000)
        libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002b534b0f7000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002b534b2ff000)
        libplc4.so => /usr/lib64/libplc4.so (0x00002b534b502000)
        libplds4.so => /usr/lib64/libplds4.so (0x00002b534b707000)
        libnspr4.so => /usr/lib64/libnspr4.so (0x00002b534b90a000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00002b534bb44000)
[root@vz3 ~]# ldd /usr/sbin/sshd | wc -l
25

Owl:

host!root:~# ldd /usr/sbin/sshd
        libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002ab426de6000)
        libpam.so.0 => /lib64/libpam.so.0 (0x00002ab426eef000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00002ab426ffc000)
        libutil.so.1 => /lib64/libutil.so.1 (0x00002ab4270ff000)
        libz.so.1 => /usr/lib64/libz.so.1 (0x00002ab427203000)
        libnsl.so.1 => /lib64/libnsl.so.1 (0x00002ab427317000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002ab42742d000)
        libpam_misc.so.0 => /lib64/libpam_misc.so.0 (0x00002ab427579000)
        libpam_userpass.so.1 => /usr/lib64/libpam_userpass.so.1 (0x00002ab42767c000)
        libcrypto.so.5 => /lib64/libcrypto.so.5 (0x00002ab42777d000)
        libc.so.6 => /lib64/libc.so.6 (0x00002ab4279bd000)
        /lib64/ld-linux-x86-64.so.2 (0x00002ab426cd1000)

As you can see, the Owl list is much shorter (and the libraries are much
smaller).  No Kerberos, no SELinux, no audit - but seriously, do those
help improve security?  Hardly.  Not for most installs.  But they pose a
risk, a lot of it.

Now, why we're discussing Owl plus CentOS 4 packages rather than Owl
plus CentOS 5 packages?  Simple: unfortunately, Owl does not provide
sufficient compatibility for RHEL 5 / CentOS 5 packages yet.  In fact,
we're likely to "jump over" RHEL 5 userland compatibility, moving from
the current partial RHEL 4 compatibility to partial RHEL 6 / CentOS 6
compatibility (shortly after RHEL 6 release).

Alexander

-- 
To unsubscribe, e-mail owl-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.