Discussion:
libsafe and Debian installation
Shaya Potter
2002-04-22 16:32:54 UTC
Permalink
Debian provides a nice little library called libsafe. While libsafe
isn't perfect, it does provide a real measurable level of security
against buffer overflow attacks. It's also very easy to install (all
one does is install the package and put the library in
/etc/ld.so.preload)

Is there any good reason why an install of Debian should not ask the
user if they want to install libsafe, and give them reasons why they
would want to, and possibly not want to (overhead....)

There are probably some other packages that also provide some real
security, in a very easy to do manner that we should give users the
option of using. Just having the package available doesn't make users
aware of it.

wondering what other people think,

shaya
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Sean Middleditch
2002-04-22 16:42:30 UTC
Permalink
I'd disagree that on a couple of points...

1) If we start asking questions like that, we could make arguments for
asking the user specifically if they want all sorts of other "useful
utilities" installed, to the point where we have 500 questions after
having already selected the packages to install.

2) I don't agree with trying to make a distro do the work of programmers
writing secure software. If the software installed is buggy enough to
really need the extra security of libsafe, it should be patched or
removed from Debian. Otherwise, we end up with a lot of people just
depending on libsafe, or programming students simply expecting certain
bugs not to matter on GNU/Linux, since Debian protects against it with
libsafe.

I can fully understand putting this in the install docs. For example,
in a "Securing your Debian Installation" section or such - if the user
cares about security, they'll read that, see the information on libsafe,
and hopefully a very full description (more than we'd want to put on an
installation disk set) will help them make a more educated choice.
Post by Shaya Potter
Debian provides a nice little library called libsafe. While libsafe
isn't perfect, it does provide a real measurable level of security
against buffer overflow attacks. It's also very easy to install (all
one does is install the package and put the library in
/etc/ld.so.preload)
Is there any good reason why an install of Debian should not ask the
user if they want to install libsafe, and give them reasons why they
would want to, and possibly not want to (overhead....)
There are probably some other packages that also provide some real
security, in a very easy to do manner that we should give users the
option of using. Just having the package available doesn't make users
aware of it.
wondering what other people think,
shaya
--
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
David Starner
2002-04-22 16:42:15 UTC
Permalink
Post by Shaya Potter
Is there any good reason why an install of Debian should not ask the
user if they want to install libsafe, and give them reasons why they
would want to, and possibly not want to (overhead....)
It's a hack that invariably will break some other stuff; see
bug #129345, for example.
--
David Starner - ***@okstate.edu
"It's not a habit; it's cool; I feel alive.
If you don't have it you're on the other side."
- K's Choice (probably referring to the Internet)
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Andrew Suffield
2002-04-22 16:46:44 UTC
Permalink
Post by Shaya Potter
Is there any good reason why an install of Debian should not ask the
user if they want to install libsafe, and give them reasons why they
would want to, and possibly not want to (overhead....)
Because no version of debian will release with it anytime soon;
thusly, modifying any existing installer to do this would be
premature.
Post by Shaya Potter
There are probably some other packages that also provide some real
security, in a very easy to do manner that we should give users the
option of using. Just having the package available doesn't make users
aware of it.
wondering what other people think,
* #129345: libsafe: breaks libgtk1.3-common postinst
* #140144: libsafe: Bypassing libsafe format string protection

I think it's buggy.
--
.''`. ** Debian GNU/Linux ** | Andrew Suffield
: :' : http://www.debian.org/ | Dept. of Computing,
`. `' | Imperial College,
`- -><- | London, UK
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Shaya Potter
2002-04-22 17:01:33 UTC
Permalink
Post by Andrew Suffield
Post by Shaya Potter
Is there any good reason why an install of Debian should not ask the
user if they want to install libsafe, and give them reasons why they
would want to, and possibly not want to (overhead....)
Because no version of debian will release with it anytime soon;
thusly, modifying any existing installer to do this would be
premature.
Post by Shaya Potter
There are probably some other packages that also provide some real
security, in a very easy to do manner that we should give users the
option of using. Just having the package available doesn't make users
aware of it.
wondering what other people think,
* #129345: libsafe: breaks libgtk1.3-common postinst
* #140144: libsafe: Bypassing libsafe format string protection
I think it's buggy.
The first bug is a possible problem. But LD_PRELOAD in general can be
an issue. i.e. using LD_PRELOAD with libgdkxft causes me serious issues
with building X and using imake (xmkmf) in general. Because libgdkxft
breaks Imake for me, does that mean its buggy? I think its more along
the lines of LD_PRELOAD and dynamic loading being buggy. (as at least 2
seperate instances of ld_preload and libdl I now see as causing
problems)

on the 2nd bug, it was an actual bug in the library, that was fixed.

the current version is 2.0-13, the version in debian is 2.0-9 (debian
release -2)

shaya
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
David Starner
2002-04-22 17:23:27 UTC
Permalink
Post by Shaya Potter
I think its more along
the lines of LD_PRELOAD and dynamic loading being buggy.
And? That makes it no more pleasurable when the system fails you because
of libsafe, nor does it make it more appropriate to use libsafe.
--
David Starner - ***@okstate.edu
"It's not a habit; it's cool; I feel alive.
If you don't have it you're on the other side."
- K's Choice (probably referring to the Internet)
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Shaya Potter
2002-04-22 17:37:18 UTC
Permalink
Post by David Starner
Post by Shaya Potter
I think its more along
the lines of LD_PRELOAD and dynamic loading being buggy.
And? That makes it no more pleasurable when the system fails you because
of libsafe, nor does it make it more appropriate to use libsafe.
yes, but the bug might not be in libsafe, though it might be as well. I
never said Debian should make it a default install, but that it should
be at least documented somewhere.

There are multiple "easy" things for debian users to do that can give
them more security. libsafe, the harden-* packages, one can go on and
on. Each has their own pros and cons. We should document this
somewhere.

shaya
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
David Starner
2002-04-22 17:48:56 UTC
Permalink
Post by Shaya Potter
There are multiple "easy" things for debian users to do that can give
them more security.
And libsafe shouldn't have to be one of them. Debian should fix the
heart of the problem instead.
--
David Starner - ***@okstate.edu
"It's not a habit; it's cool; I feel alive.
If you don't have it you're on the other side."
- K's Choice (probably referring to the Internet)
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Shaya Potter
2002-04-22 18:03:00 UTC
Permalink
Post by David Starner
Post by Shaya Potter
There are multiple "easy" things for debian users to do that can give
them more security.
And libsafe shouldn't have to be one of them. Debian should fix the
heart of the problem instead.
and how do you recommend debian goes about doing that? I never said we
should force libsafe on users, we should make the methods known, and
libsafe doesn't seem to be a bad thing to bring to the attention of our
users.

why are you so anti libsafe? I never said debian should force it down
peoples throats, I think debian should make all the packages that
provide "easy" security to users known to them.
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
David Starner
2002-04-22 18:55:13 UTC
Permalink
Post by Shaya Potter
why are you so anti libsafe?
Because it will make for more bugreports, and if it's in the
installation, they will be by people who don't remember it's there.

Because any problem that it covers up is still there to bite other
Debian users, and should be fixed.

Because I just wrote an "Installation Guide for Debian 3.0" for a class*,
and this would be yet another question added to a fairly complex
install, and another one that I would have to tell them "Just click no".

* Trust me, it's nothing worth looking at. And it was done in Word, no
less, because that's the way the teacher wanted it.

[And please, you can stop CCing me. I read this list.]
--
David Starner - ***@okstate.edu
"It's not a habit; it's cool; I feel alive.
If you don't have it you're on the other side."
- K's Choice (probably referring to the Internet)
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Chad Walstrom
2002-04-22 20:13:56 UTC
Permalink
People can install many things now to be LD_PRELOAD'd and not include
that info in the bug reports. A better solution would be to make
encourage people to include LD_PRELOAD info in the bug report.
Libsafe as a tool changes the behavior of the software it polices. Some
programs will quietly continue to work even with buffer overflows and
out of bounds references. For example, commercial applications that we
do not have control of the source code may exit "unexplainably" during a
"mission critical" function.

libsafe as a tool requires that the user is thoroughly educated in the
possible consequences of running the tool. To force this upon a user as
a default may seem like we're helping to protect them. In practice,
we would be forcing draconic security policies upon them.

It's perceived that Debian gets a bum-rap about being "slow to release"
and "hard to integrate commercial applications". Just imagine what
would happen if some desktop pen-jockey tries to run his favorite
desktop application, only to have it silently fail (Yeah, errors log in
~/.gnome-session or ~/.xsession, but our desktop pen-jockey doesn't know
that). "Well, it runs just fine on Red Hat!" would be his quip in a
well meaning, but misrepresented article.

libsafe is a wonderful security tool, yes. Should it be installed by
default? No. Should it's use be encouraged? Yes, but education needs
to go along with this. A basic understanding about the dynamic linker
and program error output is essential to its use.

You and I can piece these things together, but not everyone can. The
user should consiously choose to "break" things.
--
Chad Walstrom <***@wookimus.net> | a.k.a. ^chewie
http://www.wookimus.net/ | s.k.a. gunnarr
Shaya Potter
2002-04-22 20:43:51 UTC
Permalink
I agree completely with what you say. Though in reading the research
paper behind it, I think anything it catches is an actual severe bug in
the program. The interesting thing is, one doesn't have to have libsafe
terminate the application, one can have libsafe just log that it
occured. I agree that even in this mode, it can possibly expose either
bugs in libsafe (or in the program) that would not be exposed otherwise.

On that note, what I think I'm trying to say is, Debian has a lot of
good tools to increase the security of ones system. However, users
don't know about them. I didn't know libsafe was in debian until I
started doing research into buffer overflow attacks. I'm sure there are
plenty of other good tools in debian that one can use to get an easy
security boost. yes, every choice needs to be made in an educated
manner, but what I'm arguing for is that we provide our users with the
information to make those decisions.

the security howto is a start, but it leaves out many things, and I
didn't really know about it until recently either.
Post by Chad Walstrom
People can install many things now to be LD_PRELOAD'd and not include
that info in the bug reports. A better solution would be to make
encourage people to include LD_PRELOAD info in the bug report.
Libsafe as a tool changes the behavior of the software it polices. Some
programs will quietly continue to work even with buffer overflows and
out of bounds references. For example, commercial applications that we
do not have control of the source code may exit "unexplainably" during a
"mission critical" function.
libsafe as a tool requires that the user is thoroughly educated in the
possible consequences of running the tool. To force this upon a user as
a default may seem like we're helping to protect them. In practice,
we would be forcing draconic security policies upon them.
It's perceived that Debian gets a bum-rap about being "slow to release"
and "hard to integrate commercial applications". Just imagine what
would happen if some desktop pen-jockey tries to run his favorite
desktop application, only to have it silently fail (Yeah, errors log in
~/.gnome-session or ~/.xsession, but our desktop pen-jockey doesn't know
that). "Well, it runs just fine on Red Hat!" would be his quip in a
well meaning, but misrepresented article.
libsafe is a wonderful security tool, yes. Should it be installed by
default? No. Should it's use be encouraged? Yes, but education needs
to go along with this. A basic understanding about the dynamic linker
and program error output is essential to its use.
You and I can piece these things together, but not everyone can. The
user should consiously choose to "break" things.
--
http://www.wookimus.net/ | s.k.a. gunnarr
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Colin Walters
2002-04-23 03:33:55 UTC
Permalink
I'll try to avoid cc'ing, its just a pain with evolution (no mailing
list hook type thing that mutt has), with only reply-to and reply-to-all
Are you saying the "Reply to List" button under "Actions" doesn't do
what you want?
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Shaya Potter
2002-04-23 05:06:50 UTC
Permalink
oooo. didn't know about that, but stupid bonobo doesn't let one change
the toolbar. as this would be a nice thing. :(
Post by Colin Walters
I'll try to avoid cc'ing, its just a pain with evolution (no mailing
list hook type thing that mutt has), with only reply-to and reply-to-all
Are you saying the "Reply to List" button under "Actions" doesn't do
what you want?
--
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Shaya Potter
2002-04-22 19:27:09 UTC
Permalink
Post by David Starner
Post by Shaya Potter
why are you so anti libsafe?
Because it will make for more bugreports, and if it's in the
installation, they will be by people who don't remember it's there.
a fair statement, though I disagree with the conclusion. People can
install many things now to be LD_PRELOAD'd and not include that info in
the bug reports. A better solution would be to make encourage people to
include LD_PRELOAD info in the bug report.
Post by David Starner
Because any problem that it covers up is still there to bite other
Debian users, and should be fixed.
I don't disagree with the fact that the problem should be fixed, but I
don't see how that works against libsafe?
Post by David Starner
Because I just wrote an "Installation Guide for Debian 3.0" for a class*,
and this would be yet another question added to a fairly complex
install, and another one that I would have to tell them "Just click no".
why? if they are worried about the overhead, ok, possibly a good
reason. If they are worried about it breaking programs, again possibly
a good reason. But then again, I'm running it on my laptop without much
of an issue to either.

I'll try to avoid cc'ing, its just a pain with evolution (no mailing
list hook type thing that mutt has), with only reply-to and reply-to-all
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Jeroen Dekkers
2002-04-22 21:20:40 UTC
Permalink
Post by Shaya Potter
why are you so anti libsafe?
Because it's the wrong to increase security. You should increase
security by learning how to code, not by using a library to provide
workarounds for your mistakes. If you provide such a library,
people get lazy and just think "libsafe will catch it". We should fix
buffer overflows, not provide workarounds for it.

Jeroen Dekkers
--
Jabber supporter - http://www.jabber.org Jabber ID: ***@jabber.org
Debian GNU supporter - http://www.debian.org http://www.gnu.org
IRC: ***@openprojects
Jeroen Dekkers
2002-04-22 21:30:16 UTC
Permalink
Post by Jeroen Dekkers
Post by Shaya Potter
why are you so anti libsafe?
Because it's the wrong to increase security. You should increase
^^^^^ it should be: "the wrong way to..."
Post by Jeroen Dekkers
security by learning how to code, not by using a library to provide
workarounds for your mistakes. If you provide such a library,
people get lazy and just think "libsafe will catch it". We should fix
buffer overflows, not provide workarounds for it.
--
Jabber supporter - http://www.jabber.org Jabber ID: ***@jabber.org
Debian GNU supporter - http://www.debian.org http://www.gnu.org
IRC: ***@openprojects
Shaya Potter
2002-04-22 21:31:40 UTC
Permalink
I assume you means it's the wrong way to increase security. I disagree
with you. libsafe and good code are 100% orthogonal issues. good code
is the security blanket, libsafe is the safety net. One should never
say "libsafe will catch it" as libsafe isn't perfect, but it provided a
safety net to those who either get hit before they can patch, or
actually get hit by the actual new attack.

Lets say one is an administrator of his own machine on a cable modem.
Lets say that person is in the middle of finals, or ends up in the
hospital and is unable to update his machine. Something like libsafe can
provide a real boost in security.

How many machines are hacked on a daily basis that libsafe could have
protected against (and in fact warn the administrator of the machine
that they have an insecure application). Any system administrator who
relies on libsafe alone to provide him protection, is a not so
intelligent system administrator, but any system administrator who
doesn't consider the pros (as well as the cons) of using libsafe is also
not doing his job. If the cons are too great for someone, i can accept
that they wont use it. But to say that there's a security reason not to
use it, to me seems like a very weak argument.

shaya
Post by Jeroen Dekkers
Post by Shaya Potter
why are you so anti libsafe?
Because it's the wrong to increase security. You should increase
security by learning how to code, not by using a library to provide
workarounds for your mistakes. If you provide such a library,
people get lazy and just think "libsafe will catch it". We should fix
buffer overflows, not provide workarounds for it.
Jeroen Dekkers
--
Debian GNU supporter - http://www.debian.org http://www.gnu.org
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Jeroen Dekkers
2002-04-22 21:49:03 UTC
Permalink
Post by Shaya Potter
I assume you means it's the wrong way to increase security. I disagree
with you. libsafe and good code are 100% orthogonal issues. good code
is the security blanket, libsafe is the safety net.
No, good code doesn't have buffer overflows. You should just use
dynamic allocation and memcpy() for example.
Post by Shaya Potter
One should never
say "libsafe will catch it" as libsafe isn't perfect, but it provided a
safety net to those who either get hit before they can patch, or
actually get hit by the actual new attack.
You should always patch, because you already say you can't rely on
libsafe. Now you make people lazy by thinking "no need to hurry to
patch, libsafe will catch it". And people think like that, it doesn't
matter if they should not think that way.
Post by Shaya Potter
Lets say one is an administrator of his own machine on a cable modem.
Lets say that person is in the middle of finals, or ends up in the
hospital and is unable to update his machine. Something like libsafe can
provide a real boost in security.
Let's talk about more people than 0.0000001% of our users.
Post by Shaya Potter
How many machines are hacked on a daily basis that libsafe could have
protected against (and in fact warn the administrator of the machine
that they have an insecure application). Any system administrator who
relies on libsafe alone to provide him protection, is a not so
intelligent system administrator,
I don't think libsafe will protect most of those systems. If libsafe
is needed to warn an administrator that his machine has an insecure
application then there is already something wrong. Any administrator
who takes his job serious reads about security updated and patches his
software.
Post by Shaya Potter
but any system administrator who
doesn't consider the pros (as well as the cons) of using libsafe is also
not doing his job.
True, he will consider it and and he is smart enough he won't install it.
Post by Shaya Potter
If the cons are too great for someone, i can accept
that they wont use it. But to say that there's a security reason not to
use it, to me seems like a very weak argument.
I'm talking about that's wrong to provide it in the first place. And
it *could* cause security problems.

Jeroen Dekkers
--
Jabber supporter - http://www.jabber.org Jabber ID: ***@jabber.org
Debian GNU supporter - http://www.debian.org http://www.gnu.org
IRC: ***@openprojects
Jeff Licquia
2002-04-22 22:26:17 UTC
Permalink
Post by Jeroen Dekkers
Post by Shaya Potter
I assume you means it's the wrong way to increase security. I disagree
with you. libsafe and good code are 100% orthogonal issues. good code
is the security blanket, libsafe is the safety net.
No, good code doesn't have buffer overflows. You should just use
dynamic allocation and memcpy() for example.
Spoken like a good developer.

Unfortunately, no one is perfect. Are you claiming the title? If you
are, thanks for letting us know; we need to start auditing all of your
projects right away. :-)

The best security plan makes use of layers. This way, a screwup on one
layer has a chance of being compensated for on another. That's why we
still have both tcp-wrappers and ipchains, for example.

So, if libsafe may potentially stop other people's screwups (maybe even
yours) from causing me problems, it's got my vote. Especially if it
warns me whenever it finds one.

[Note: I am not taking a position on whether libsafe should be Required,
or whether it lives up to its design, or anything like that.]
Post by Jeroen Dekkers
You should always patch, because you already say you can't rely on
libsafe. Now you make people lazy by thinking "no need to hurry to
patch, libsafe will catch it". And people think like that, it doesn't
matter if they should not think that way.
"lazy"?

Have you ever been a sysadmin professionally?
Post by Jeroen Dekkers
Post by Shaya Potter
Lets say one is an administrator of his own machine on a cable modem.
Lets say that person is in the middle of finals, or ends up in the
hospital and is unable to update his machine. Something like libsafe can
provide a real boost in security.
Let's talk about more people than 0.0000001% of our users.
Alright. Let's talk about a sysadmin who is:

- frantically finding hotfixes for the WinXP security hole management
forced upon him,

- taking calls from users with questions like "why do you click Start
to shut down your machine?" or "my cupholder broke" or "what do I do
when the printer says 'Out of Paper' and won't print?",

- doing virus repair on a bunch of client boxes because the secretary
clicked on the little icon "so I could give that guy some advice",

- already working an average of 20 hours per week overtime because of
stuff like the above,

- etc.

If you feel the need to assert that this is only 0.00001% more of our
users, please make sure you cross-post that to debian-user. I suspect
you'll get an education. :-)
Post by Jeroen Dekkers
I don't think libsafe will protect most of those systems. If libsafe
is needed to warn an administrator that his machine has an insecure
application then there is already something wrong. Any administrator
who takes his job serious reads about security updated and patches his
software.
If libsafe warns when an app buffer-overflows, then consider this:
libsafe may be finding a problem no one else has yet. Or, possibly, a
problem that only the black hats know about at the moment.

That would be a very valuable service.

Also, see the point above concerning overworked sysadmins.
Post by Jeroen Dekkers
Post by Shaya Potter
If the cons are too great for someone, i can accept
that they wont use it. But to say that there's a security reason not to
use it, to me seems like a very weak argument.
I'm talking about that's wrong to provide it in the first place. And
it *could* cause security problems.
Perhaps libsafe isn't really useful yet. Maybe it won't ever be. If
you think this is the case solely because of its design, well, provide
some evidence.

As for the "it could cause security problems" thing, well, so could any
software you install. Why is libsafe so special that it doesn't deserve
to exist because it might have flaws?
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Jeroen Dekkers
2002-04-23 12:44:57 UTC
Permalink
Post by Jeff Licquia
Post by Jeroen Dekkers
Post by Shaya Potter
I assume you means it's the wrong way to increase security. I disagree
with you. libsafe and good code are 100% orthogonal issues. good code
is the security blanket, libsafe is the safety net.
No, good code doesn't have buffer overflows. You should just use
dynamic allocation and memcpy() for example.
Spoken like a good developer.
Unfortunately, no one is perfect. Are you claiming the title? If you
are, thanks for letting us know; we need to start auditing all of your
projects right away. :-)
I don't think you will find buffer overflows in my code. At least not
any overflow libsafe would protect against. If you don't want to know
all details of string manipulation use a higher level language. If
you want to program C and want to manipulate strings do it right.
Post by Jeff Licquia
The best security plan makes use of layers. This way, a screwup on one
layer has a chance of being compensated for on another. That's why we
still have both tcp-wrappers and ipchains, for example.
The best security thing is to write clean code and make the system
less vulnerable by the design of the system.
Post by Jeff Licquia
So, if libsafe may potentially stop other people's screwups (maybe even
yours) from causing me problems, it's got my vote. Especially if it
warns me whenever it finds one.
My screwups? I use dynamic allocation and memcpy(), I don't know how
libsafe wants to protect against my screwups.
Post by Jeff Licquia
Post by Jeroen Dekkers
Post by Shaya Potter
Lets say one is an administrator of his own machine on a cable modem.
Lets say that person is in the middle of finals, or ends up in the
hospital and is unable to update his machine. Something like libsafe can
provide a real boost in security.
Let's talk about more people than 0.0000001% of our users.
If you feel the need to assert that this is only 0.00001% more of our
users, please make sure you cross-post that to debian-user. I suspect
you'll get an education. :-)
I was talking about the percent of those ending up in the hospital
being unable to update the machine.
Post by Jeff Licquia
Post by Jeroen Dekkers
I don't think libsafe will protect most of those systems. If libsafe
is needed to warn an administrator that his machine has an insecure
application then there is already something wrong. Any administrator
who takes his job serious reads about security updated and patches his
software.
libsafe may be finding a problem no one else has yet. Or, possibly, a
problem that only the black hats know about at the moment.
That would be a very valuable service.
Every programmer with a little bit of experience can find the problems
libsafe tries to protect you from. It only checks some functions of
being misused. The list of functions according to the REAME are:
strcpy()
strcat()
getwd()
gets()
[vf]scanf()
realpath()
[v]sprintf()

Those functions are actually the most obvious buffer overflows. If
programs with this kind of buffer overflows, I wonder what kind of
other security programs it has. Saying that libsafe doesn't protect
against buffer overflows is general, only the most obvious ones. It
even gives you a false feeling of being secure.

Note that getwd() and realpath() will fail on the Hurd anyhow because
those function rely on the existance of PATH_MAX.
Post by Jeff Licquia
Post by Jeroen Dekkers
Post by Shaya Potter
If the cons are too great for someone, i can accept
that they wont use it. But to say that there's a security reason not to
use it, to me seems like a very weak argument.
I'm talking about that's wrong to provide it in the first place. And
it *could* cause security problems.
Perhaps libsafe isn't really useful yet. Maybe it won't ever be. If
you think this is the case solely because of its design, well, provide
some evidence.
As for the "it could cause security problems" thing, well, so could any
software you install. Why is libsafe so special that it doesn't deserve
to exist because it might have flaws?
It doesn't deserve to exist because the time should be spend fixing
bugs and learning how to write good code instead of making workarounds
for stupid programmer bugs.

Jeroen Dekkers
--
Jabber supporter - http://www.jabber.org Jabber ID: ***@jabber.org
Debian GNU supporter - http://www.debian.org http://www.gnu.org
IRC: ***@openprojects
Jeff Licquia
2002-04-23 14:47:56 UTC
Permalink
Post by Jeroen Dekkers
Post by Jeff Licquia
Unfortunately, no one is perfect. Are you claiming the title? If you
are, thanks for letting us know; we need to start auditing all of your
projects right away. :-)
I don't think you will find buffer overflows in my code. At least not
any overflow libsafe would protect against. If you don't want to know
all details of string manipulation use a higher level language. If
you want to program C and want to manipulate strings do it right.
You didn't get my joke, even with the smiley. This could mean that you
just don't have a sense of humor, or it could mean that you're
dangerous.

If you really believe that you're incapable of making mistakes just
because you know something about the (im)proper use of strcpy(), then
you're an accident waiting to happen.
Post by Jeroen Dekkers
Post by Jeff Licquia
The best security plan makes use of layers. This way, a screwup on one
layer has a chance of being compensated for on another. That's why we
still have both tcp-wrappers and ipchains, for example.
The best security thing is to write clean code and make the system
less vulnerable by the design of the system.
This is absolutely, positively incorrect. Nothing could be further from
the truth.

If your security model depends on everyone doing design and code work
being perfect, then your security fails the moment someone makes a
mistake. This means your security falls fairly quickly, since everyone
overlooks things, makes mistakes, etc. OTOH, if you design your
security system in a layered fashion, with failsafes, then there's a
chance that your mistake will be covered by some other check. If the
other failsafe logs its activation, so much the better; you'll be
notified of a problem in your code, and you can fix it.

I'm not faulting clean code and good design here. Every little bit
helps. But you're a fool if you trust in clean code and clean design as
your primary security bulwark.
Post by Jeroen Dekkers
Every programmer with a little bit of experience can find the problems
libsafe tries to protect you from. It only checks some functions of
strcpy()
strcat()
getwd()
gets()
[vf]scanf()
realpath()
[v]sprintf()
Those functions are actually the most obvious buffer overflows. If
programs with this kind of buffer overflows, I wonder what kind of
other security programs it has. Saying that libsafe doesn't protect
against buffer overflows is general, only the most obvious ones. It
even gives you a false feeling of being secure.
I'll take your word for it, though I am suspicious. (strcpy() isn't
always a security hole, for example; it's possible to use it safely,
even if there are better ways to do the same thing.)

My main objection in this whole thread are these ideas you seem to have
that:

- new ideas aren't worth trying

- incomplete ideas aren't worth expanding upon

- you're incapable of making stupid mistakes

The former two just mean that you're cranky, but the last is troubling.
There are a lot of examples of people in history who made stupid
mistakes because they had an inflated sense of their own infallibility.

You should always have an innate fear of your own code, and should
always suspect it to be riddled with errors; that will prompt you to
look for them more closely. That is Rule One of secure programming.
The moment you catch yourself saying "I'd never do that" is the moment
you should do penance for having such thoughts.
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
David Starner
2002-04-23 15:28:38 UTC
Permalink
Post by Jeff Licquia
If you really believe that you're incapable of making mistakes just
because you know something about the (im)proper use of strcpy(), then
you're an accident waiting to happen.
He did mention higher-level languages. In almost all of the ALGOL, LISP,
and "scripting" family languages, buffer overflows in your code are
impossible, so long as you don't turn off bounds checking and don't
interface with unsafe languages.
--
David Starner - ***@okstate.edu
"It's not a habit; it's cool; I feel alive.
If you don't have it you're on the other side."
- K's Choice (probably referring to the Internet)
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Jeroen Dekkers
2002-04-23 15:33:00 UTC
Permalink
Post by Jeff Licquia
Post by Jeroen Dekkers
Post by Jeff Licquia
Unfortunately, no one is perfect. Are you claiming the title? If you
are, thanks for letting us know; we need to start auditing all of your
projects right away. :-)
I don't think you will find buffer overflows in my code. At least not
any overflow libsafe would protect against. If you don't want to know
all details of string manipulation use a higher level language. If
you want to program C and want to manipulate strings do it right.
You didn't get my joke, even with the smiley. This could mean that you
just don't have a sense of humor, or it could mean that you're
dangerous.
If you really believe that you're incapable of making mistakes just
because you know something about the (im)proper use of strcpy(), then
you're an accident waiting to happen.
I don't use strcpy() at all. I don't see how you can easily make
buffer overflows with memcpy().
Post by Jeff Licquia
Post by Jeroen Dekkers
Post by Jeff Licquia
The best security plan makes use of layers. This way, a screwup on one
layer has a chance of being compensated for on another. That's why we
still have both tcp-wrappers and ipchains, for example.
The best security thing is to write clean code and make the system
less vulnerable by the design of the system.
This is absolutely, positively incorrect. Nothing could be further from
the truth.
If your security model depends on everyone doing design and code work
being perfect, then your security fails the moment someone makes a
mistake.
I don't see it's the *only* thing. But it's the best way to
start. With a clean, commented source code auditing is a lot easier
for example.
Post by Jeff Licquia
This means your security falls fairly quickly, since everyone
overlooks things, makes mistakes, etc. OTOH, if you design your
security system in a layered fashion, with failsafes, then there's a
chance that your mistake will be covered by some other check. If the
other failsafe logs its activation, so much the better; you'll be
notified of a problem in your code, and you can fix it.
I'm not faulting clean code and good design here. Every little bit
helps. But you're a fool if you trust in clean code and clean design as
your primary security bulwark.
If you don't give any permissions to some code running, it can't be a
security problem if there are bugs. For example, by eliminating the
need for suids binaries, you avoid any security problem they could
cause if they have bugs. If you avoid having to run some kind of
server like a ftp daemon as root, it isn't a security problem if there
is some bug. I think this works better than some library which checks
every function call to look for mistakes.
Post by Jeff Licquia
My main objection in this whole thread are these ideas you seem to have
- new ideas aren't worth trying
Of course it is, as long as the ideas aren't obvious bad.
Post by Jeff Licquia
- incomplete ideas aren't worth expanding upon
I'm talking about the wrong base of the idea.
Post by Jeff Licquia
- you're incapable of making stupid mistakes
I didn't say that. But if I don't use those functions at all, how can
I make mistakes with those functions?
Post by Jeff Licquia
The former two just mean that you're cranky, but the last is troubling.
There are a lot of examples of people in history who made stupid
mistakes because they had an inflated sense of their own infallibility.
You are thinking I have that. I have nerver said it however.
Post by Jeff Licquia
You should always have an innate fear of your own code, and should
always suspect it to be riddled with errors; that will prompt you to
look for them more closely. That is Rule One of secure programming.
The moment you catch yourself saying "I'd never do that" is the moment
you should do penance for having such thoughts.
I'm talking about the faults libsafe would catch. If you make such
faults, you should learn what's going on or use a higher level
language. C is made for programmers who know what they are doing.

Jeroen Dekkers
--
Jabber supporter - http://www.jabber.org Jabber ID: ***@jabber.org
Debian GNU supporter - http://www.debian.org http://www.gnu.org
IRC: ***@openprojects
Colin Watson
2002-04-23 22:20:13 UTC
Permalink
Post by Jeroen Dekkers
If you don't give any permissions to some code running, it can't be a
security problem if there are bugs.
Not true. If I crack your FTP server and subvert it into serving content
it wasn't intended to serve, then that's a security breach. Whether I
managed to gain root privileges too is a separate issue.

Thinking that privilege elevation is the only kind of security breach is
dangerous, as it lulls programmers into complacency.
--
Colin Watson [***@flatline.org.uk]
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Jeroen Dekkers
2002-04-24 14:30:53 UTC
Permalink
Post by Colin Watson
Post by Jeroen Dekkers
If you don't give any permissions to some code running, it can't be a
security problem if there are bugs.
Not true. If I crack your FTP server and subvert it into serving content
it wasn't intended to serve, then that's a security breach. Whether I
managed to gain root privileges too is a separate issue.
If you don't give write access to the content, it can't modify
that. Of course you could let it serve other content in theory, but in
practice it's a lot more difficult (and maybe impossible, but I'm not
sure about that, as I don't know all the small details and how clever
things you can do). If possible the impact would be smaller, because
it's impossible to modify the files.
Post by Colin Watson
Thinking that privilege elevation is the only kind of security breach is
dangerous, as it lulls programmers into complacency.
True, but it one of the important security problems IMHO.

Jeroen Dekkers
--
Jabber supporter - http://www.jabber.org Jabber ID: ***@jabber.org
Debian GNU supporter - http://www.debian.org http://www.gnu.org
IRC: ***@openprojects
Colin Watson
2002-04-24 14:55:24 UTC
Permalink
Post by Jeroen Dekkers
Post by Colin Watson
Post by Jeroen Dekkers
If you don't give any permissions to some code running, it can't be a
security problem if there are bugs.
Not true. If I crack your FTP server and subvert it into serving content
it wasn't intended to serve, then that's a security breach. Whether I
managed to gain root privileges too is a separate issue.
If you don't give write access to the content, it can't modify
that. Of course you could let it serve other content in theory, but in
practice it's a lot more difficult (and maybe impossible, but I'm not
sure about that, as I don't know all the small details and how clever
things you can do). If possible the impact would be smaller, because
it's impossible to modify the files.
Once you have access to the uid under which the server is running you
can do whatever you like to it, including modifying all the content
passing through it by wrapping all its read() or write() calls. Even if
you can't restart the process, playing around with it with the aid of
ptrace() is merely fiddly.

Moving from remote to local is not perhaps as obviously dangerous as
moving from ordinary user to root user, but it should never be discarded
as a threat.
--
Colin Watson [***@flatline.org.uk]
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Mark Eichin
2002-04-24 01:00:55 UTC
Permalink
Post by Jeroen Dekkers
language. C is made for programmers who know what they are doing.
No, C is made for researchers who wanted a simple way to write code
that worked on two or three different machines.

The fact that it has been pushed so far (granted, with help from POSIX
to nail down the "creative" things various vendors did to it to make
it usable, like prototypes) is a tribute to the ingenuity of some, and
the stubborn persistence of many more. That doesn't make it a *good*
thing. As has been pointed out, many languages (insert standard Ada95
rant here, not just "scripting" languages) make the set of problems
libsafe fixes go away *by definition*. You simply can't express the
kind of error they imply, and you don't need to be able to. (Sure,
Ada gives you some "pragma shoot-myself-in-this-foot-too" options, but
they're not part of the mainstream use of the language, and they're
not the "obvious" way to do *anything*... and yet, Ada is still
flexible enough to implement operating system kernels on twisted
mutant intel hardware...)
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Jeroen Dekkers
2002-04-24 14:20:19 UTC
Permalink
Post by Mark Eichin
Post by Jeroen Dekkers
language. C is made for programmers who know what they are doing.
No, C is made for researchers who wanted a simple way to write code
that worked on two or three different machines.
To quote K&R: "Nevertheless, C retains the basic philosophy that
programmers know what they are doing."

And C is portable, fast and flexible. It's just a little bit higher
leven than assembly.
Post by Mark Eichin
The fact that it has been pushed so far (granted, with help from POSIX
to nail down the "creative" things various vendors did to it to make
it usable, like prototypes)
I guess you mean ANSI here.
Post by Mark Eichin
is a tribute to the ingenuity of some, and
the stubborn persistence of many more. That doesn't make it a *good*
thing.
I think the C language is a pretty good thing. The problem is that
people try to use it for things it isn't made for. And maybe it is
just getting a bit old.
Post by Mark Eichin
As has been pointed out, many languages (insert standard Ada95
rant here, not just "scripting" languages) make the set of problems
libsafe fixes go away *by definition*. You simply can't express the
kind of error they imply, and you don't need to be able to. (Sure,
Ada gives you some "pragma shoot-myself-in-this-foot-too" options, but
they're not part of the mainstream use of the language, and they're
not the "obvious" way to do *anything*... and yet, Ada is still
flexible enough to implement operating system kernels on twisted
mutant intel hardware...)
I don't know Ada, so I can't comment on it.

Jeroen Dekkers
--
Jabber supporter - http://www.jabber.org Jabber ID: ***@jabber.org
Debian GNU supporter - http://www.debian.org http://www.gnu.org
IRC: ***@openprojects
Mark Eichin
2002-04-24 17:47:45 UTC
Permalink
Post by Jeroen Dekkers
I guess you mean ANSI here.
Yeah, ANSI (followed by IEEE directly.)
Post by Jeroen Dekkers
I think the C language is a pretty good thing.
Then you should broaden your horizons; C doesn't stand up to much
comparison, it's just *common*, and people often don't *get* to a
second language. It's like only knowing English...
Post by Jeroen Dekkers
The problem is that people try to use it for things it isn't made
for.
Yes, like things other than "research grade kernel hacking", and
"small research apps" on top of that.
Post by Jeroen Dekkers
I don't know Ada, so I can't comment on it.
I recommend you look into it. Even if you don't use it, you can learn
much from the type of accidents "built in" to C that Ada95 avoids
*purely by choice of syntax*, without even getting into sophisticated
features. This is not the place for me to go into further details,
though, this thread has dragged on. But it's certainly the case that
most linux advisories [not all, we are getting to *some* of the subtle
ones] are about bugs that you can't accidently express in any other
language [for the purposes of this issue, C++ isn't a distinct
language :-)]
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Brian May
2002-04-25 00:23:19 UTC
Permalink
Post by Mark Eichin
I recommend you look into it. Even if you don't use it, you can learn
much from the type of accidents "built in" to C that Ada95 avoids
*purely by choice of syntax*, without even getting into sophisticated
features. This is not the place for me to go into further details,
though, this thread has dragged on. But it's certainly the case that
most linux advisories [not all, we are getting to *some* of the subtle
ones] are about bugs that you can't accidently express in any other
language [for the purposes of this issue, C++ isn't a distinct
language :-)]
One thing I really like about Ada (although I confess, I hardly ever
have used it) is the strong enumerated types.

So you really can assign a variable a non-string value like "secure",
"unsecure", "unknown", instead of mapping the values to integers (like
in C, C++ or Java). The compiler takes care of the mapping for you, and
prevents you assigning a value from a non-compatable type.

Also, you don't have problems with "int" meaning different things on
different platforms, in Ada, you tell the compiler what range you want,
it it takes care of what type to use.

The only major downside I can think of in Ada, is that I have never
written any object orientated code, and to me (at least last time I
looked), it seemed kind of messy...

I seem to remember linking into third party modules isn't quite as
convenient as with C either.
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Thomas Bushnell, BSG
2002-04-24 05:00:30 UTC
Permalink
Post by Jeroen Dekkers
C is made for programmers who know what they are doing.
Programmers who know what they are doing strive very hard to avoid
using C...
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
T.Pospisek's MailLists
2002-04-23 06:02:17 UTC
Permalink
Post by Jeroen Dekkers
You should always patch, because you already say you can't rely on
libsafe. Now you make people lazy by thinking "no need to hurry to
patch, libsafe will catch it". And people think like that, it doesn't
matter if they should not think that way.
You should allways drive safely because you already say you can't rely on
safety belts. Now you make people lazy by thinking "no need to drive
safely, the safety belt will save me". And people think like that, it
doesn't matter if they should not think that way.
*t

----------------------------------------------------------------------------
Tomas Pospisek
SourcePole - Linux & Open Source Solutions
http://sourcepole.ch
Elestastrasse 18, 7310 Bad Ragaz, Switzerland
Tel: +41 (81) 330 77 11
----------------------------------------------------------------------------
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Shaya Potter
2002-04-22 18:10:45 UTC
Permalink
There is a securing debian howto, but no mention of libsafe, though it
does mention harden. Is there a reference to this from the install
documentation?
Post by Shaya Potter
Post by David Starner
Post by Shaya Potter
There are multiple "easy" things for debian users to do that can give
them more security.
And libsafe shouldn't have to be one of them. Debian should fix the
heart of the problem instead.
and how do you recommend debian goes about doing that? I never said we
should force libsafe on users, we should make the methods known, and
libsafe doesn't seem to be a bad thing to bring to the attention of our
users.
why are you so anti libsafe? I never said debian should force it down
peoples throats, I think debian should make all the packages that
provide "easy" security to users known to them.
--
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Josip Rodin
2002-04-22 21:25:46 UTC
Permalink
Post by Shaya Potter
There are multiple "easy" things for debian users to do that can give
them more security. libsafe, the harden-* packages, one can go on and
on.
... not selecting "traditional Unix server" task... :)
--
2. That which causes joy or happiness.
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Jeroen Dekkers
2002-04-22 17:23:26 UTC
Permalink
Post by Shaya Potter
Is there any good reason why an install of Debian should not ask the
user if they want to install libsafe, and give them reasons why they
would want to, and possibly not want to (overhead....)
The Debian installer asks that together with all the other packages an
user might want to install.

Jeroen Dekkers
--
Jabber supporter - http://www.jabber.org Jabber ID: ***@jabber.org
Debian GNU supporter - http://www.debian.org http://www.gnu.org
IRC: ***@openprojects
Shaya Potter
2002-04-22 17:35:07 UTC
Permalink
Post by Jeroen Dekkers
Post by Shaya Potter
Is there any good reason why an install of Debian should not ask the
user if they want to install libsafe, and give them reasons why they
would want to, and possibly not want to (overhead....)
The Debian installer asks that together with all the other packages an
user might want to install.
I've been using Debian since 1995 or 96, and back in the olden days
where there were maybe 600 packages, yea, you could say it was possible
for a user to go through every package. In todays day and age of
multiple thousands of packages in debian if a user doesn't know about a
package, they won't install it as it takes too long to go through each
package (the only way I'm able to stay up to date with everything is by
using aptitude's update,flush mechanism and dpkg --get/set-selections)

I think if we dont put it in the installer, putting it in the
documentation as a "What can you do to increase the security of your
debian system" section with pros and cons for the different things,
would be very useful.

shaya
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Ola Lundqvist
2002-04-22 20:44:47 UTC
Permalink
Post by Shaya Potter
Post by Jeroen Dekkers
Post by Shaya Potter
Is there any good reason why an install of Debian should not ask the
user if they want to install libsafe, and give them reasons why they
would want to, and possibly not want to (overhead....)
The Debian installer asks that together with all the other packages an
user might want to install.
I've been using Debian since 1995 or 96, and back in the olden days
where there were maybe 600 packages, yea, you could say it was possible
for a user to go through every package. In todays day and age of
multiple thousands of packages in debian if a user doesn't know about a
package, they won't install it as it takes too long to go through each
package (the only way I'm able to stay up to date with everything is by
using aptitude's update,flush mechanism and dpkg --get/set-selections)
You are right, but then you should get it added to some task or
to some other meta package, like harden. The meta-packages are not easy
to find either, though.
Post by Shaya Potter
I think if we dont put it in the installer, putting it in the
documentation as a "What can you do to increase the security of your
debian system" section with pros and cons for the different things,
would be very useful.
Agreed. If you think it is good enough I'll add it to harde-environment.
If you want that, please file a wishlist bug against that pacakge.

Regards,

// Ola
Post by Shaya Potter
shaya
--
--
--------------------- Ola Lundqvist ---------------------------
/ ***@debian.org Björnkärrsgatan 5 A.11 \
| ***@lysator.liu.se 584 36 LINKÖPING |
| +46 (0)13-17 69 83 +46 (0)70-332 1551 |
| http://www.opal.dhs.org UIN/icq: 4912500 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
Shaya Potter
2002-04-22 21:14:54 UTC
Permalink
Post by Ola Lundqvist
Post by Shaya Potter
Post by Jeroen Dekkers
Post by Shaya Potter
Is there any good reason why an install of Debian should not ask the
user if they want to install libsafe, and give them reasons why they
would want to, and possibly not want to (overhead....)
The Debian installer asks that together with all the other packages an
user might want to install.
I've been using Debian since 1995 or 96, and back in the olden days
where there were maybe 600 packages, yea, you could say it was possible
for a user to go through every package. In todays day and age of
multiple thousands of packages in debian if a user doesn't know about a
package, they won't install it as it takes too long to go through each
package (the only way I'm able to stay up to date with everything is by
using aptitude's update,flush mechanism and dpkg --get/set-selections)
You are right, but then you should get it added to some task or
to some other meta package, like harden. The meta-packages are not easy
to find either, though.
Post by Shaya Potter
I think if we dont put it in the installer, putting it in the
documentation as a "What can you do to increase the security of your
debian system" section with pros and cons for the different things,
would be very useful.
Agreed. If you think it is good enough I'll add it to harde-environment.
If you want that, please file a wishlist bug against that pacakge.
Regards,
// Ola
yes, that sounds good. And I think we should have a reference to your
security howto in the installation if its not there already.

shaya
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Wilmer van der Gaast
2002-04-23 06:46:40 UTC
Permalink
Isn't a buffer overflow protection especially useful for daemons and
set-uid programs? And .. Well.. Ever tried to use LD_PRELOAD with
set-uid binaries?

When you really need this, it probably won't work.
--
*=-+-______________________
|lintux-@t-lintux-d0t-cx: _ Ugh! Nio2f says something: ______
: http://www.lintux.cx/ | / why the an a not to install of do \
~~~~~~~~~~~~~~~~~~~~~~-+-=-+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+-=*
--
To UNSUBSCRIBE, email to debian-devel-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Loading...