From nobody Fri Mar 29 07:56:40 2024 X-Original-To: alpine-devel@lists.alpinelinux.org Delivered-To: alpine-devel@mail.alpinelinux.org Received: from mail-vb0-f54.google.com (mail-vb0-f54.google.com [209.85.212.54]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mail.alpinelinux.org (Postfix) with ESMTPS id 4284EDC18D4 for ; Wed, 11 Apr 2012 11:16:21 +0000 (UTC) Received: by vbmv11 with SMTP id v11so726386vbm.13 for ; Wed, 11 Apr 2012 04:16:21 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type :x-gm-message-state; bh=5pRRmYeqJYHMUJyOVvR/PA+W96kKOnjJh2xqQty7Pzs=; b=fSvft3vZ5GXEsn9eQ4YDuUNRCIUTIidP5VnviktEZoy7cWKMyQXgnHZHutT5HoiXil YhzCQp9kMSZkySpvV01SXfsxElKp5Y9zmTG1E4TqYV39FQc+V+uGgvHGOoIjrDLKxqVQ rItsIKUs18OpuHj2INJdtNMfmXZ5oaDQLFtDwmcp17YZio2bvoBwErRd7xPukU3QyvYD NUX8s6Z04wJCzGkLrmXVoBUMYN1R7OljB0VugE+kj1N5UEj2AWDTmiv0+yhhkzswI6p1 4bPDNuEkRHwIRxYBy48UrACYvud/6oqwSh3LZ+8shpnvaOjwN/guicGqHs7/ilYkALlI c/1w== X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: MIME-Version: 1.0 Received: by 10.220.150.142 with SMTP id y14mr4564545vcv.47.1334142981204; Wed, 11 Apr 2012 04:16:21 -0700 (PDT) Received: by 10.52.170.103 with HTTP; Wed, 11 Apr 2012 04:16:21 -0700 (PDT) Date: Wed, 11 Apr 2012 11:16:21 +0000 Message-ID: Subject: [alpine-devel] [announce] Sonnet GNU/Linux (somewhat derivative of Alpine) From: William Pitcock To: alpine-devel@lists.alpinelinux.org Content-Type: text/plain; charset=ISO-8859-1 X-Gm-Message-State: ALoCoQnYdj6ZDVbsxzhiiOv++cwuy5C5ZmhRTr+nHZRpfmhzeH/+payjb9eSoUmP+7X7OgGbr2ct Hi, As a side project, I have been building a GNU/Linux distribution based ontop of some of the components of Alpine (alpine-conf, apk-tools). It is based on glibc 2.15 and systemd, so administration is comparable to a Debian wheezy system with systemd-sysv installed. The code (including a fully cross-compatible systemd packaging for both Alpine and Sonnet with full modloop compatibility) is available here: http://github.com/sonnet-linux A simple website containing information about the distribution can be found here: http://sonnet.dereferenced.org/ Right now I am targeting only the x86_64 architecture. x86 will come next weekend once we get everything stabilized. This is a very early stage distribution, many branding changes are needed still. I intend to merge some work into aports/alpine-conf to make rebranding of derivatives easier. I also have work in that specific aports tree that enables one to build the distribution with glibc or uclibc by using a single environment variable, which will also be merged shortly. If hacking on a GNU/Linux desktop-optimized distribution built ontop of parts of Alpine interests you, then download an ISO and start sending me pull requests. William --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org --- From nobody Fri Mar 29 07:56:40 2024 X-Original-To: alpine-devel@lists.alpinelinux.org Delivered-To: alpine-devel@mail.alpinelinux.org Received: from nm11-vm0.bullet.mail.ukl.yahoo.com (nm11-vm0.bullet.mail.ukl.yahoo.com [217.146.183.244]) by mail.alpinelinux.org (Postfix) with SMTP id DBEFFDC1A82 for ; Wed, 11 Apr 2012 12:17:13 +0000 (UTC) Received: from [217.146.183.183] by nm11.bullet.mail.ukl.yahoo.com with NNFMP; 11 Apr 2012 12:17:12 -0000 Received: from [77.238.184.73] by tm14.bullet.mail.ukl.yahoo.com with NNFMP; 11 Apr 2012 12:17:12 -0000 Received: from [127.0.0.1] by smtp142.mail.ukl.yahoo.com with NNFMP; 11 Apr 2012 12:17:12 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.uk; s=s1024; t=1334146632; bh=BCBKj9Xr7IFX3qUtDt+/tfkaSGEevBkdfGhXuQnUdiM=; h=X-Yahoo-Newman-Id:Message-ID:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:Date:From:To:Subject:In-Reply-To:References:X-Mailer:Mime-Version:Content-Type:Content-Transfer-Encoding; b=xAhCpgfLC6i+QjSAVFmrpFbVzrQElhRd4PtfqUOTPwtImFYmtaf/vo3ArG/Hhc5oIGt0e0KRYdSdyDuNqgSdrZUFOtaCm8PauouHhErvfWsWHBsiiiTsWPUB85O7DYwspJJzIqq26EM3jxaRf5Ja5Z6JDlUQNW9HuYS8zUDBwSE= X-Yahoo-Newman-Id: 965117.94628.bm@smtp142.mail.ukl.yahoo.com Message-ID: <965117.94628.bm@smtp142.mail.ukl.yahoo.com> X-Yahoo-Newman-Property: ymail-3 X-YMail-OSG: YztY4RcVM1lfRNxDOHlGGjz7CTYB7oE8kyY4mptjDzgwuSJ ttNdxsudHC5np_UVT2isXw0fCuMUfPrjBYhmXCwoxuVcIeuVOcJYqjsNsPL7 Xi633d4SWuvMPEiEl1FUikIpcrk_3MKue4h0mf7hEValSCmIEukWhCL.YGx1 ls1wXXIaODKcHifVI_a_Gh64KhxaWlnH6yAJH0GID.pxtsAQ6mxu7x7GeOZA vfNSdcOxxOJxvH3IzQmcKFcPvYMxTn_j_DhdCb5hn2qgJUB9ZKEkugB9ZV6N jpUtRcZvkqb6nnvr5d3lIQwCbphIDooz5jRQx1vCxTgRTaOeAJQftPk8A5Zd aVjzyc37QZOUtQop1tzxBk0Bzi5f5NJarSuYzI1ejtWzMKhjb74zJrlWWk9V JKp.PhNjPSyQqbsRLJHOHfoIDZREV2ZByF4.Fp7fO8PClILyjtA1AxhUca5I dIh4LSbdhjhL_qs1MgQ-- X-Yahoo-SMTP: UxXxlhuswBC4wbdewolpwSmT1iJVzQ-- Received: from sprat (ma1l1ists@92.27.156.6 with login) by smtp142.mail.ukl.yahoo.com with SMTP; 11 Apr 2012 12:17:12 +0000 GMT Date: Wed, 11 Apr 2012 14:17:38 +0100 From: Kevin Chadwick To: alpine-devel@lists.alpinelinux.org Subject: Re: [alpine-devel] [announce] Sonnet GNU/Linux (somewhat derivative of Alpine) In-Reply-To: References: X-Mailer: KeVs Mailer X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit On Wed, 11 Apr 2012 11:16:21 +0000 William Pitcock wrote: > A simple website containing information about the distribution can be > found here: > > http://sonnet.dereferenced.org/ Any plans for a grsecurity/pax enabled kernel? I jumped to arch for desktops basically for glibc/flash (sandboxed in a hardly used firefox) and am quite happy. I'll certainly keep an eye on it though. --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org --- From nobody Fri Mar 29 07:56:40 2024 X-Original-To: alpine-devel@lists.alpinelinux.org Delivered-To: alpine-devel@mail.alpinelinux.org Received: from mail-lb0-f182.google.com (mail-lb0-f182.google.com [209.85.217.182]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mail.alpinelinux.org (Postfix) with ESMTPS id 1DA00DC1A82 for ; Wed, 11 Apr 2012 12:24:37 +0000 (UTC) Received: by lbbgj3 with SMTP id gj3so829377lbb.13 for ; Wed, 11 Apr 2012 05:24:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=hzit6cd5UyW98gLr/YDwmEMvREyhfBpYYDhhJvacHSk=; b=b6r/fFCXvmhVxuzjf0zhlnzz62DVCCCrvMfed5QwVxjSjExBSjvVVo9z/yutKfYjzf YJO2Y5Ircst76tU2AEIRU3drX+ad1lyuoSAeKWm61D9xOyAStVaC5z5lXkJpeKN2Sb8r mjRIsOLw7OBhsArg5Wt2BGpLv5CWFomjL+RnoDxk9YTrnQbXkgsi75So2YpY6EU/qjhw zu8wmEqlUiwe5xGax7dRB9O70okPJWHs9bkMed+CG9zT/O7hcTuvr6P3TNN7LHRq6FvU OlFjacL2UkbdNEOqRR4M3DSp9GyUP6NHvD+R/fQBpzQcHNVfRyMOOnkLhhZ4MyDbA8H1 wwuA== X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: MIME-Version: 1.0 Received: by 10.112.85.230 with SMTP id k6mr2832403lbz.49.1334147076401; Wed, 11 Apr 2012 05:24:36 -0700 (PDT) Received: by 10.112.106.3 with HTTP; Wed, 11 Apr 2012 05:24:36 -0700 (PDT) In-Reply-To: <965117.94628.bm@smtp142.mail.ukl.yahoo.com> References: <965117.94628.bm@smtp142.mail.ukl.yahoo.com> Date: Wed, 11 Apr 2012 08:24:36 -0400 Message-ID: Subject: Re: [alpine-devel] [announce] Sonnet GNU/Linux (somewhat derivative of Alpine) From: Kiyoshi Aman To: Kevin Chadwick Cc: alpine-devel@lists.alpinelinux.org Content-Type: text/plain; charset=UTF-8 On Wed, Apr 11, 2012 at 09:17, Kevin Chadwick wrote: > Any plans for a grsecurity/pax enabled kernel? As I understand it, PaX and grsec are both pretty worthless for security; William will most certainly be able to elucidate on that, but it basically boils down to the specific modifications that these two patch-sets make to the kernel being irrelevant or useless at best. --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org --- From nobody Fri Mar 29 07:56:40 2024 X-Original-To: alpine-devel@lists.alpinelinux.org Delivered-To: alpine-devel@mail.alpinelinux.org Received: from nm12-vm0.bullet.mail.ukl.yahoo.com (nm12-vm0.bullet.mail.ukl.yahoo.com [217.146.183.246]) by mail.alpinelinux.org (Postfix) with SMTP id D6659DC14A2 for ; Wed, 11 Apr 2012 13:18:12 +0000 (UTC) Received: from [217.146.183.210] by nm12.bullet.mail.ukl.yahoo.com with NNFMP; 11 Apr 2012 13:18:12 -0000 Received: from [77.238.184.64] by tm3.bullet.mail.ukl.yahoo.com with NNFMP; 11 Apr 2012 13:18:12 -0000 Received: from [127.0.0.1] by smtp133.mail.ukl.yahoo.com with NNFMP; 11 Apr 2012 13:18:12 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.uk; s=s1024; t=1334150292; bh=X8IVMjN+8gVCky9+ZLCZ6xST5UBzxznZGfOf88wBtQg=; h=X-Yahoo-Newman-Id:Message-ID:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:Date:From:To:Subject:In-Reply-To:References:X-Mailer:Mime-Version:Content-Type:Content-Transfer-Encoding; b=bsHzthk+0ThJn8k0gGWYAVs7MtIndu0MwOWDk74s2Zrd8WMi3ENuzxqw9BfGB+fc92kHtYUSXN2IBwez7L6HKNDm2KVeJj6kudpN0G/VqMnk5nAzeXJoylJylbYZtdP49JS3GpkoTzEITa2rp84C8pGMtunmiULZDPcdXcu3B+c= X-Yahoo-Newman-Id: 148752.52050.bm@smtp133.mail.ukl.yahoo.com Message-ID: <148752.52050.bm@smtp133.mail.ukl.yahoo.com> X-Yahoo-Newman-Property: ymail-3 X-YMail-OSG: O.JZne0VM1l1X7Rbg908ANVMaQdqymfs_B1ex3GdbvxCRdx t4ccDhfKvsR16BgjyyH0lQAsYc3MTOpKSix1PpvDA0L1OVDEvjr5QGRS41qd yO3ZFwDNKApu1rw61.Y6QcSxHAs8twrZ2.co0EpI5gTi51CeIzN8SHmftorD S_biZBGv.7s3WSicLthFuSyLxtTzjoxM5PG3em.ClgscsV4HKMJhbXat1N4u fI6i9pPhmNlDb47zGCiVrr7Q6nssUJtr0GFtrRCGJy9Gmxh_tLqr7b46bOwb 9n1FusNMK7E9VftJ4KlzYwwrj8eCtr6YkKmMiemOlP46J5WF2NdaKRcDzgOA PeQB5tv065GsjVyZf91KKN33m4gqlxUNklMgvQqB6w8SQu9ps8kLmkghwl0Q - X-Yahoo-SMTP: UxXxlhuswBC4wbdewolpwSmT1iJVzQ-- Received: from sprat (ma1l1ists@92.27.156.6 with login) by smtp133.mail.ukl.yahoo.com with SMTP; 11 Apr 2012 13:18:11 +0000 GMT Date: Wed, 11 Apr 2012 15:18:37 +0100 From: Kevin Chadwick To: alpine-devel@lists.alpinelinux.org Subject: Re: [alpine-devel] [announce] Sonnet GNU/Linux (somewhat derivative of Alpine) In-Reply-To: References: <965117.94628.bm@smtp142.mail.ukl.yahoo.com> X-Mailer: KeVs Mailer X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit On Wed, 11 Apr 2012 08:24:36 -0400 Kiyoshi Aman wrote: > > Any plans for a grsecurity/pax enabled kernel? > > As I understand it, PaX and grsec are both pretty worthless for > security; As I understand it, PAX and grsec make many known exploits fail. What grounds are you arguing this on. The fact mprotect is often disabled? --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org --- From nobody Fri Mar 29 07:56:40 2024 X-Original-To: alpine-devel@lists.alpinelinux.org Delivered-To: alpine-devel@mail.alpinelinux.org Received: from mail-vb0-f54.google.com (mail-vb0-f54.google.com [209.85.212.54]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mail.alpinelinux.org (Postfix) with ESMTPS id 64EFBDC18D4 for ; Wed, 11 Apr 2012 23:27:00 +0000 (UTC) Received: by vbmv11 with SMTP id v11so1393122vbm.13 for ; Wed, 11 Apr 2012 16:27:00 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=sWwRDY3bjsVZGhTrDKGPEkHMkWD8qKME8huHhgGMGro=; b=GK4o/+NT/fnJzO2sGjNsOa7IjLqxCgJ4XIXKLNQQRpvjRMmNw8hhxQHtCVe+4DFcal aN2DaHG1JOabRqyZvxwnH+zeauuG9+Vdm33os9EDwRqbgPK6qgxAI1fU/yn+kzdVoRmF lWWbr6dSP2LSkgOB0YRHZRdksYKrHt6Fq+FQPERAb51jWsL/JzmF2Gge8kDYNknjQhwC Qga34Tsfi6XxIKKkz8MQd3ns+80oHU0eSX3u5xpc0aWYhhx+cDqnslDbHgJq1YSScl36 ChqjMBWYUQG7dTFT0xnvVkRVhAK0VVQ9i+zJ9850m8eK/01xPszSEakfrvXtnfi1h4UP XgLQ== X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: MIME-Version: 1.0 Received: by 10.52.65.170 with SMTP id y10mr120070vds.48.1334186820231; Wed, 11 Apr 2012 16:27:00 -0700 (PDT) Received: by 10.52.170.103 with HTTP; Wed, 11 Apr 2012 16:27:00 -0700 (PDT) In-Reply-To: <148752.52050.bm@smtp133.mail.ukl.yahoo.com> References: <965117.94628.bm@smtp142.mail.ukl.yahoo.com> <148752.52050.bm@smtp133.mail.ukl.yahoo.com> Date: Wed, 11 Apr 2012 23:27:00 +0000 Message-ID: Subject: Re: [alpine-devel] [announce] Sonnet GNU/Linux (somewhat derivative of Alpine) From: William Pitcock To: Kevin Chadwick Cc: alpine-devel@lists.alpinelinux.org Content-Type: text/plain; charset=ISO-8859-1 X-Gm-Message-State: ALoCoQmGTaNmco/tuhR4f6DbDA6XE4DfC/U4V7yTbxmO8HVqWEVaqDQsNq2szKkDkZ4rjx+zFFgk Hi, On Wed, Apr 11, 2012 at 2:18 PM, Kevin Chadwick wrote: > On Wed, 11 Apr 2012 08:24:36 -0400 > Kiyoshi Aman wrote: > >> > Any plans for a grsecurity/pax enabled kernel? >> >> As I understand it, PaX and grsec are both pretty worthless for >> security; > > As I understand it, PAX and grsec make many known exploits fail. What > grounds are you arguing this on. The fact mprotect is often disabled? This is false. The fact that the distribution is compiled with PIE is why many known exploits fail. The fact that binaries are compiled with PIE allows the ASLR code (either in Linux itself or provided by PaX) to randomize specific segment addresses in a binary. ASLR is the reason why ret2libc attacks are not successful. Now for a discussion about PaX mprotect. PaX mprotect contains two somewhat-related components: - hardening mprotect() to enforce W^X policy: This part is actually somewhat useful: it ensures that badly written programs do not successfully request mprotect(..., PROT_WRITE | PROT_EXECUTE) by ensuring that PROT_EXECUTE is dropped or forbidden by mprotect() with errno=EPERM. However, this part can be easily written in a way where it is suitable for inclusion in the mainstream kernel and is very trivial to write. It also ensures that the stack can never be PROT_EXECUTE as a side-effect, also useful except in cases of trampoline, where you have programs with PT_GNU_STACK marking or PaX equivilant. However, there is a better approach to handling W^X, which is just to automatically drop PROT_EXECUTE anytime PROT_WRITE is requested (and also the reverse). This provides the same security and is more compatible with virtual machines like Jaegermonkey, V8 and luajit. This is the approach as taken by OpenBSD, and coincidentally is partially implemented in modern Linux kernels. Some further protection by default is desirable here, but not really important in terms of defeating vulnerabilities. - using the CS register to emulate an NX-bit on legacy x86 platforms: This part is entirely worthless, defeating the NX-bit emulation is trivial if you know what you're doing due to the limitations in the way the CS register works. To put it simply, the CS register defines the highest possible address of executable code. In other words, it should always be higher than ELF_LOAD_BASE, and should always be the size of .text. However, when you need mprotect(..., PROT_EXECUTE) then the CS register has to be modified to point to the end of your memory mapping you're marking PROT_EXECUTE. When *that* happens, everything between ELF_LOAD_BASE and the end of your PROT_EXECUTE mapping is now executable, including any mappings that lay before it. ASLR helps against this a little, because mmap() mappings are at randomized addresses, but in reality with the CS segment, the ASLR actually makes this worse. Regarding ASLR itself, I suspect PaX ASLR to be actually more weak than the default Linux ASLR with randomize_va_space=2. Thusly, there's not really any benefit to using PaX. William --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org --- From nobody Fri Mar 29 07:56:40 2024 X-Original-To: alpine-devel@lists.alpinelinux.org Delivered-To: alpine-devel@mail.alpinelinux.org Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.alpinelinux.org (Postfix) with ESMTPS id 1E897DC1A82 for ; Thu, 12 Apr 2012 03:19:44 +0000 (UTC) Received: from compute1.internal (compute1.nyi.mail.srv.osa [10.202.2.41]) by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id D5ACF2098E for ; Wed, 11 Apr 2012 23:19:43 -0400 (EDT) Received: from web4.nyi.mail.srv.osa ([10.202.2.214]) by compute1.internal (MEProxy); Wed, 11 Apr 2012 23:19:43 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=message-id:from:to:mime-version :content-transfer-encoding:content-type:in-reply-to:references :subject:date; s=smtpout; bh=Uiv5WlAzsHM7sX3EjurOMwhDtyg=; b=l+4 m2/urV61797zJspgraUgPy/z3bI9T0AkRz5GJFMEhEaKxYDEPSwJI1VDRsV2RdWh KXb5Ql20bPM7IiZczPQU47UlQtKQYsdt2AfjgE0elfjxLkAFcAKpBIgXAtx9nrE5 idbvbOrQwdZJZs5aGXBn5y5F/uWWOXgVZ9xY8f+I= Received: by web4.nyi.mail.srv.osa (Postfix, from userid 99) id AC5CF3C1F19; Wed, 11 Apr 2012 23:19:43 -0400 (EDT) Message-Id: <1334200783.28154.140661061298453.0B5FBB22@webmail.messagingengine.com> X-Sasl-Enc: KO8V/aXs+w39OhHuSS/GkhMQtt5b7GvQB6AELYaYlMrS 1334200783 From: Dubiousjim To: alpine-devel@lists.alpinelinux.org X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface In-Reply-To: References: <965117.94628.bm@smtp142.mail.ukl.yahoo.com> <148752.52050.bm@smtp133.mail.ukl.yahoo.com> Subject: Re: [alpine-devel] [announce] Sonnet GNU/Linux (somewhat derivative of Alpine) Date: Wed, 11 Apr 2012 23:19:43 -0400 On Wed, Apr 11, 2012, at 11:27 PM, William Pitcock wrote: > > This is false. The fact that the distribution is compiled with PIE is > why many known exploits fail. The fact that binaries are compiled > with PIE allows the ASLR code (either in Linux itself or provided by > PaX) to randomize specific segment addresses in a binary. ASLR is the > reason why ret2libc attacks are not successful. > ... Thank you for this detailed explanation. -- dubiousjim@gmail.com --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org --- From nobody Fri Mar 29 07:56:40 2024 X-Original-To: alpine-devel@lists.alpinelinux.org Delivered-To: alpine-devel@mail.alpinelinux.org Received: from nm18.bullet.mail.ukl.yahoo.com (nm18.bullet.mail.ukl.yahoo.com [217.146.183.192]) by mail.alpinelinux.org (Postfix) with SMTP id 85C53DC1A82 for ; Thu, 12 Apr 2012 23:45:42 +0000 (UTC) Received: from [217.146.183.182] by nm18.bullet.mail.ukl.yahoo.com with NNFMP; 12 Apr 2012 23:45:41 -0000 Received: from [217.146.182.75] by tm13.bullet.mail.ukl.yahoo.com with NNFMP; 12 Apr 2012 23:45:41 -0000 Received: from [127.0.0.1] by smtp106.mail.ukl.yahoo.com with NNFMP; 12 Apr 2012 23:45:41 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.uk; s=s1024; t=1334274341; bh=Ui5eh1oL09mLvwVz5dXG6HMTcdvrtsCRO/6MatToUPc=; h=X-Yahoo-Newman-Id:Message-ID:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:Date:From:To:Subject:In-Reply-To:References:X-Mailer:Mime-Version:Content-Type:Content-Transfer-Encoding; b=YMpoU88IetvCq6j4vzk/PSItDAbR4yRPV6nzVMIVEZ2kRyxnHyKMz3cxDU4KdQtLx/XDDpVxgEX4T/IEDTeNTyjJRR7fnThivmRGpU2JDZzCQZx17FfgqjLagZyyMWlSMcS29TpXIG1vmp4uKxJTJxr1GDZfB+4jw9eA9fxvFus= X-Yahoo-Newman-Id: 681852.72532.bm@smtp106.mail.ukl.yahoo.com Message-ID: <681852.72532.bm@smtp106.mail.ukl.yahoo.com> X-Yahoo-Newman-Property: ymail-3 X-YMail-OSG: tV7.p3UVM1ncJ8RkxVx_iXczpR9gzutJKAUtnConmJZFZg8 d61uh7PTOsjry_AWc4eo9p5GJprwZLOMTsSi9eYI3o00AArAQBly483zH5I3 T12WgUCqz19EjQcKxQ8jsQaxx.Qj3dtt0Iqb3XA1BsxHIRzn1rb4DzPy1IVt 2i4pGrvfxvjYYEAUqYorBSzLQw9KhJ77HI6lNb6OGvaKomVaMH_Y1wE_Jhsn 27MM3hfPRkv8WNrGaOD2WBVqpe_Z95CLL7WJWzJqItFpSFQnlTUsS4iBo65Y Z1I1Bkw4l1rf00KpKiYujXbPEcd2zOs0p6Tb.kaCPZ_yoe7aSDeEv8Qc0ZAc Mkg6f10Ii2Fk44.rOQaRbwjW7QhPSgXUDf3fl6G2MYf_HsewW6BZ16Xri0xa EuBiybfyRQvQBP37cmLCPRolAbrPl4OEsMKixcFlZpHRdbZ.J7WbTqlzKWkU _fJE8Bwo2AdZWdCua0weBA.1WVe9HMG4NaNU- X-Yahoo-SMTP: UxXxlhuswBC4wbdewolpwSmT1iJVzQ-- Received: from sprat (ma1l1ists@92.27.156.6 with login) by smtp106.mail.ukl.yahoo.com with SMTP; 12 Apr 2012 16:45:41 -0700 PDT Date: Fri, 13 Apr 2012 13:47:00 +0100 From: Kevin Chadwick To: alpine-devel@lists.alpinelinux.org Subject: Re: [alpine-devel] [announce] Sonnet GNU/Linux (somewhat derivative of Alpine) In-Reply-To: References: <965117.94628.bm@smtp142.mail.ukl.yahoo.com> <148752.52050.bm@smtp133.mail.ukl.yahoo.com> X-Mailer: KeVs Mailer X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit On Wed, 11 Apr 2012 23:27:00 +0000 William Pitcock wrote: > > As I understand it, PAX and grsec make many known exploits fail. What > > grounds are you arguing this on. The fact mprotect is often disabled? > > This is false. The fact that the distribution is compiled with PIE is > why many known exploits fail. The fact that binaries are compiled > with PIE allows the ASLR code (either in Linux itself or provided by > PaX) to randomize specific segment addresses in a binary. ASLR is the > reason why ret2libc attacks are not successful. I suggest you take these things up with the pax team and spender. From what I've seen, the CONFIG options of grsec and PAX prevent exploits. I am really surprised there are so many using grsecurity and no distro anymore with a grsec enabled kernel. Excerpt from a response by the pax team on the gentoo hardened list for CVE-2012-0056. _________________________________________________________________________________ > BTW this in "vanilla" gentoo does not work because of the permission of the su > file: > ls -l /usr/bin/su > -rws--x--x 1 root root 36776 18 gen 21.31 /usr/bin/su > > readelf cannot read the address, but there can be other ways to access the > binary for example for group "disk" http://seclists.org/fulldisclosure/2012/Jan/396 > hardened gentoo is un-affected as expected (but you already know) this is not quite true, what could work against grsec is an exploit that implemented a ret2libc style exploit coupled with bruteforcing (if the target suid is a PIE). ^^^^^^^^^^^^^^^^^^^^^ i hope you're all enabling the bruteforce protection feature in grsec ;). --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org --- From nobody Fri Mar 29 07:56:40 2024 X-Original-To: alpine-devel@lists.alpinelinux.org Delivered-To: alpine-devel@mail.alpinelinux.org Received: from mail-vx0-f182.google.com (mail-vx0-f182.google.com [209.85.220.182]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mail.alpinelinux.org (Postfix) with ESMTPS id E9121DC0413 for ; Sat, 14 Apr 2012 00:47:33 +0000 (UTC) Received: by vcmm1 with SMTP id m1so3383728vcm.13 for ; Fri, 13 Apr 2012 17:47:32 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=QJQqpvN+mSUERz7SI1YylHSRRkusj/NoolyHGcksJD4=; b=bxD4VBa5rAXvruIzy8/q/jS3ScRnykUamx2BYN106xaA4yHHZ/d+4vwaTMrCOdMc7i a2hhprhZj7ng3A/UysZj0ufz6aM/XQ4MjFZkuF5xxFLc+1k3gdY7fPHaihX9Qntn+3e2 cDv+DLxObaE/dAHNlgKJhinudqcL05L7JQCXcsIXwsnMQ+nLhBy5OyI0b0ST4SRfQic7 tezujAW0Ucb/3rENgtKGiI4dt6uy1EBbkQXSvpdG6NHP5ISC+bE3KHp0mn1tyt9eHFxr dc+T2eSgoFbENQ/tXLUNX7oBR/6PsMYt1ODuoLYWw5A6Ogg0BZ/q0fJi4Jw+ISjga9r2 pViA== X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: MIME-Version: 1.0 Received: by 10.52.69.144 with SMTP id e16mr1292510vdu.65.1334364452707; Fri, 13 Apr 2012 17:47:32 -0700 (PDT) Received: by 10.52.170.103 with HTTP; Fri, 13 Apr 2012 17:47:32 -0700 (PDT) In-Reply-To: <965117.94628.bm@smtp142.mail.ukl.yahoo.com> References: <965117.94628.bm@smtp142.mail.ukl.yahoo.com> Date: Sat, 14 Apr 2012 00:47:32 +0000 Message-ID: Subject: Re: [alpine-devel] [announce] Sonnet GNU/Linux (somewhat derivative of Alpine) From: William Pitcock To: Kevin Chadwick Cc: alpine-devel@lists.alpinelinux.org Content-Type: text/plain; charset=ISO-8859-1 X-Gm-Message-State: ALoCoQmBj+GKK9TxhvMhOgpwNGZXwH7alKjwYgk2ZG7KWIm/QV3na8q4Dte+IMi+eKwdkt51hHSW Hi, On Wed, Apr 11, 2012 at 1:17 PM, Kevin Chadwick wrote: > On Wed, 11 Apr 2012 11:16:21 +0000 > William Pitcock wrote: > >> A simple website containing information about the distribution can be >> found here: >> >> http://sonnet.dereferenced.org/ > > Any plans for a grsecurity/pax enabled kernel? > > I jumped to arch for desktops basically for glibc/flash (sandboxed in a > hardly used firefox) and am quite happy. I'll certainly keep an eye on > it though. I forgot to answer this question, because I got caught up in the other conversation. Yes -- we plan on retaining support for grsecurity/pax kernels, but they will kind of be considered for use by people who know the implications of their kernel choice. Meaning that they won't be necessarily a configuration that is recommended for use by most users as PAX can introduce problems for desktop users. I still feel that OpenBSD-style W^X is sufficient though, and could probably be upstreamed fairly easily. William --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org --- From nobody Fri Mar 29 07:56:40 2024 X-Original-To: alpine-devel@lists.alpinelinux.org Delivered-To: alpine-devel@mail.alpinelinux.org Received: from nm19-vm0.bullet.mail.ukl.yahoo.com (nm19-vm0.bullet.mail.ukl.yahoo.com [217.146.183.113]) by mail.alpinelinux.org (Postfix) with SMTP id 55891DC012C for ; Sat, 14 Apr 2012 14:04:32 +0000 (UTC) Received: from [217.146.183.182] by nm19.bullet.mail.ukl.yahoo.com with NNFMP; 14 Apr 2012 14:04:32 -0000 Received: from [77.238.184.70] by tm13.bullet.mail.ukl.yahoo.com with NNFMP; 14 Apr 2012 14:04:32 -0000 Received: from [127.0.0.1] by smtp139.mail.ukl.yahoo.com with NNFMP; 14 Apr 2012 14:04:32 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.uk; s=s1024; t=1334412272; bh=Z6NCB2GuickDlQ87DHr9fD1wHSYufaDfa9NGDwPgNLU=; h=X-Yahoo-Newman-Id:Message-ID:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:Date:From:To:Subject:In-Reply-To:References:X-Mailer:Mime-Version:Content-Type:Content-Transfer-Encoding; b=zp6BxQz5qg2YGlFL0qDK5kEKFYakzd/QVT8qCfYxS6nOanbN1tmGzP4ZYiJkHZo8fZ7m77fGksq5dCL0Byb7E0jOy7vObJ30fa+Mm4EV14UHXQTkHV+UE5LX4/L9/0ptnUGg9OVsAY6Zq/4F8McfboAVPNmiwxaWXj4araNMoW4= X-Yahoo-Newman-Id: 346105.2723.bm@smtp139.mail.ukl.yahoo.com Message-ID: <346105.2723.bm@smtp139.mail.ukl.yahoo.com> X-Yahoo-Newman-Property: ymail-3 X-YMail-OSG: FueStj0VM1kxCYcLBcDf5gVzmdvrTy2MDdca5FMPlh6rPqM cL8EYicUq43Si6eD.mEJ46HdngpShgZmy5LWyx2k_wwFFzC.vrWEJ4oXnTx5 7XsFnQKXC89hYKSDRQoRFjLaPJDx63sWz737Yz4CRHhumQiDV9vPiz_O1jqy ha7t.cWZGXz_XkpWJYMUYmC_TjD6DKzbTrkJQFH_jpbczO6tm_mJaC10OSCh y3GXpbw3RzQa2Z8DTeZw.5HCduN_H9mdmM8BizIZmVJUQ_MpJ.4CACg255ew He_nP_1mqSHyruHRcVblNyr2lUEoGDl05mOw.AZtFFhiwxpVYP2sqd8N4qRK Fb8Cpz2w.qLpMoagnTzqSb74HwuFEmsjy.s_fKKLI38ozWtQ_T9zhBHJkIS0 - X-Yahoo-SMTP: UxXxlhuswBC4wbdewolpwSmT1iJVzQ-- Received: from sprat (ma1l1ists@92.27.156.6 with login) by smtp139.mail.ukl.yahoo.com with SMTP; 14 Apr 2012 14:04:32 +0000 GMT Date: Sat, 14 Apr 2012 16:05:00 +0100 From: Kevin Chadwick To: alpine-devel@lists.alpinelinux.org Subject: Re: [alpine-devel] [announce] Sonnet GNU/Linux (somewhat derivative of Alpine) In-Reply-To: References: <965117.94628.bm@smtp142.mail.ukl.yahoo.com> X-Mailer: KeVs Mailer X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit On Sat, 14 Apr 2012 00:47:32 +0000 William Pitcock wrote: > Yes -- we plan on retaining support for grsecurity/pax kernels, but > they will kind of be considered for use by people who know the > implications of their kernel choice. Meaning that they won't be > necessarily a configuration that is recommended for use by most users > as PAX can introduce problems for desktop users. > > I still feel that OpenBSD-style W^X is sufficient though, and could > probably be upstreamed fairly easily. Your singing to me now :-). That's fair enough, I think a lot of the parts of grsecurity/PAX could happily live upstream too, but I think anyone would have a job and a half getting them in. OpenBSD is my favourite OS. Unfortunately as I don't maintain a huge number of machines, keeping the OpenBSD desktops updated wasn't really the best use of my time and the lag (though small) for updates to firefox and firefox using it's own malloc etc., kinda sealed the deal for me. I've heard some say arch linux is the new contender beating slackware as the linux with the most bsdisms. Maybe there's now one more contender for that spot? Of course with linux being the kernel, that doesn't make any sense as a sentence ;-). --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org --- From nobody Fri Mar 29 07:56:40 2024 X-Original-To: alpine-devel@lists.alpinelinux.org Delivered-To: alpine-devel@mail.alpinelinux.org Received: from mail-lpp01m010-f54.google.com (mail-lpp01m010-f54.google.com [209.85.215.54]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mail.alpinelinux.org (Postfix) with ESMTPS id C080EDC0413 for ; Sat, 14 Apr 2012 15:27:07 +0000 (UTC) Received: by lagv3 with SMTP id v3so3915482lag.13 for ; Sat, 14 Apr 2012 08:27:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=/LjKGD2budoFqXhJKuQrCWN5vg0Lz8LMTLDKYE1u4QI=; b=BKG1JzeSH+kFt2pMimuLhNyyGj425zVBV7IuletPv9auS+BxtIIPhlLSu+zfnKx4tk blZC7jvU/JtD0r8SSN3XgbkHGd4OtwZQHnPgdvk5jOH0dgP0FQcGnq66+xPMZ3Z1ooOe LoY21BgKkogX+XPVPM5OxlhkqSwcaqvJ6lhzZl69vf6ayNEpzXoQsIcamQIDezBvwXQd H9XvgOm9rlxFJU8wxuCdR1egn7+4J1foE7YNHs2oodoPk6rpAtCX6yabRKpFzFFgxrC9 BT721OAhghTvXW/RQeMgn4zTYUHgtoKR+4Hm2IDi62Honj78UAtjJ3i1jKRUIIopjRBv wIvA== X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: MIME-Version: 1.0 Received: by 10.152.147.100 with SMTP id tj4mr4842990lab.39.1334417225423; Sat, 14 Apr 2012 08:27:05 -0700 (PDT) Received: by 10.112.106.3 with HTTP; Sat, 14 Apr 2012 08:27:05 -0700 (PDT) In-Reply-To: <346105.2723.bm@smtp139.mail.ukl.yahoo.com> References: <965117.94628.bm@smtp142.mail.ukl.yahoo.com> <346105.2723.bm@smtp139.mail.ukl.yahoo.com> Date: Sat, 14 Apr 2012 11:27:05 -0400 Message-ID: Subject: Re: [alpine-devel] [announce] Sonnet GNU/Linux (somewhat derivative of Alpine) From: Kiyoshi Aman To: Kevin Chadwick Cc: alpine-devel@lists.alpinelinux.org Content-Type: text/plain; charset=UTF-8 On Sat, Apr 14, 2012 at 11:05, Kevin Chadwick wrote: > I've heard some say arch linux is the new contender beating slackware > as the linux with the most bsdisms. Maybe there's now one more > contender for that spot? Of course with linux being the kernel, that > doesn't make any sense as a sentence ;-). Arch is the new Gentoo. Complete with most of the Gentoobies migrating over to it from Gentoo, as a matter of fact. (And AUR is a sick, *sick* joke.) --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org --- From nobody Fri Mar 29 07:56:40 2024 X-Original-To: alpine-devel@lists.alpinelinux.org Delivered-To: alpine-devel@mail.alpinelinux.org Received: from localhost (unknown [189.124.130.205]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nc@alpinelinux.org) by mail.alpinelinux.org (Postfix) with ESMTPSA id 2A9E0DC0123; Fri, 13 Apr 2012 20:52:05 +0000 (UTC) Date: Fri, 13 Apr 2012 22:52:03 +0200 From: Natanael Copa To: William Pitcock Cc: alpine-devel@lists.alpinelinux.org Subject: Re: [alpine-devel] [announce] Sonnet GNU/Linux (somewhat derivative of Alpine) Message-ID: <20120413225203.59a84323@alpinelinux.org> In-Reply-To: References: X-Mailer: Claws Mail 3.8.0 (GTK+ 2.24.10; i686-pc-linux-gnu) X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit On Wed, 11 Apr 2012 11:16:21 +0000 William Pitcock wrote: > Hi, > > As a side project, I have been building a GNU/Linux distribution based > ontop of some of the components of Alpine (alpine-conf, apk-tools). > It is based on glibc 2.15 and systemd, so administration is comparable > to a Debian wheezy system with systemd-sysv installed. The first Alpine Linux derivative. Very cool! I would be interested in how it compares to Alpine in terms of boot up speed, size differences and performance differences. I suppose that will have to wait til things have stabilized a bit. Thanks! -nc --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org ---