On Thu, May 24, 2007 at 04:32:24PM +0200, Németh Tamás wrote:
> Dear openSUSE developers or experts!
>
> These days I am mostly engaged in the task of choosing a free and secure Linux distribution for our university. I prefer openSUSE, but its security is unclear to me in some aspects. As far as I know, openSUSE has compile-time and runtime userland protection against memory-related exploits (gcc / Fortify Source), runtime SSP (gcc / -fstack-protector), and an LSM-based MAC framework (AppArmor). But I wonder if you could tell me if:
>
> - openSUSE 10.3 or older versions have all packages compiled as PIE or PIC to utilize the ASLR capabilities of the 2.6.20 and newer Linux kernels? (Does openSUSE 10.3 have an ASLR capability comparable to that of PaX?)

We have a selected set of packages (but not all) compiled as PIE since 10.1. The kernel has various parts of ASLR:
- MMAP and stack location: in the kernel since 10.1
- PIE binary location: not in the mainline kernel yet, so we do not have it. We are however working on bringing binary location randomization into the mainline kernel.

> - openSUSE has W^X capabilities (similar to the capabilities provided by the PaX or ExecShield patches)? On which architectures and how extensively?

All AMD64 systems, all x86 systems with the "bigsmp" kernel if the hardware supports it, not sure about the other architectures (PPC, S390, IA64...). We do not support software NX. Almost all packages use a non-executable heap and stack. Exceptions are binary-only packages, OpenOffice_org and some other minor packages.

> - openSUSE packages are linked with the BIND_NOW option to make the -z relro linking option even more effective?

Not at this time; the performance cost was considered too high.

> - openSUSE systems have some extra chroot restrictions, /dev/mem, /dev/kmem, /dev/port, /proc/<PID>/stat, /proc/<PID>/maps, Linux privileged I/O related or other security enhancements beyond the security of the vanilla Linux kernel?

For those we do not have additional protection features. http://en.opensuse.org/Security_Features has a summary.

Ciao, Marcus

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
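The thread discusses four binary-side hardening properties (PIE, non-executable stack, RELRO and BIND_NOW) without showing how to verify them on an installed package. The script below is an added example, not code from the thread or from openSUSE: it parses a little-endian ELF64 image directly (ELF header, program headers and the dynamic section, using constants from the ELF and GNU ABI specifications) and reports those properties the way a checksec-style audit would. The `build_elf64` helper constructs a minimal synthetic ELF fixture so the checker can be exercised offline; the fixture contains no code and is not a real binary. Note the caveat Marcus gives: a PIE-linked binary only gets its load address randomized if the kernel supports it, so this check covers the toolchain side only.

```python
"""Check an ELF64 file for the hardening properties discussed in the thread:
PIE, non-executable stack (NX), RELRO and BIND_NOW."""
import struct
import sys

# ELF constants (values from the ELF and GNU ABI specifications)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_R, PF_W = 1, 4, 2
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def check_elf(data: bytes) -> dict:
    """Return the hardening flags of a little-endian ELF64 image."""
    (ident, e_type, _, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, *_) = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    has_interp = has_relro = False
    # Without a PT_GNU_STACK header the loader falls back to an executable stack.
    nx = False
    dyn = {}
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, *_ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic section up to DT_NULL and collect tag -> value.
            for off in range(p_offset, p_offset + p_filesz, DYN.size):
                tag, val = DYN.unpack_from(data, off)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
    # BIND_NOW can be expressed by the legacy DT_BIND_NOW tag or by either flag word.
    bind_now = (DT_BIND_NOW in dyn
                or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW))
    # ET_DYN alone also matches shared libraries; require an interpreter or DF_1_PIE.
    pie = e_type == ET_DYN and (has_interp or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_PIE))
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"pie": pie, "nx": nx, "relro": relro, "bind_now": bind_now}


def build_elf64(pie=True, nx=True, relro=True, bind_now=True) -> bytes:
    """Constructed test fixture: a minimal ELF64 image (no code) with the given properties."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"  # placeholder interpreter path
    dyn_blob = b"".join(DYN.pack(t, v) for t, v in [
        (DT_FLAGS, DF_BIND_NOW if bind_now else 0),
        (DT_FLAGS_1, (DF_1_NOW if bind_now else 0) | (DF_1_PIE if pie else 0)),
        (DT_NULL, 0)])
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    if pie:
        phdrs.append((PT_INTERP, PF_R))
    phdrs.append((PT_DYNAMIC, PF_R | PF_W))
    dyn_off = EHDR.size + PHDR.size * len(phdrs)
    interp_off = dyn_off + len(dyn_blob)
    body = b""
    for p_type, p_flags in phdrs:
        off, size = {PT_DYNAMIC: (dyn_off, len(dyn_blob)),
                     PT_INTERP: (interp_off, len(interp))}.get(p_type, (0, 0))
        body += PHDR.pack(p_type, p_flags, off, off, off, size, size, 8)
    header = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, ET_DYN if pie else ET_EXEC,
                       62, 1, 0, EHDR.size, 0, 0, EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    return header + body + dyn_blob + interp


if __name__ == "__main__":
    # Usage: python check_elf.py /path/to/binary ...   (or no args for the fixture demo)
    paths = sys.argv[1:]
    if not paths:
        print("constructed fixture:", check_elf(build_elf64(bind_now=False)))
    for path in paths:
        with open(path, "rb") as f:
            print(path, check_elf(f.read()))
```

Run against real files from a package (for example the binaries a `rpm -ql` listing names) to see which of them fall into the exception classes the answer mentions; `relro: "partial"` with `bind_now: False` is exactly the state described for openSUSE at the time of the thread.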