LIDS & OPENWALL Combo kernel patch
Hi,

SuSE recommends recompiling your kernel with the OpenWall patch for firewall servers. Which is better: LIDS, OpenWall, or a combination of both patches? Will LIDS or OpenWall break any apps in SuSE 6.4?

PS: Is there a good Linux networking mailing list with support for advanced IP routing?

Thanks in advance,
Steven Thompson

On Mon, 21 Aug 2000, Steven Thompson wrote:
> SuSE recommends recompiling your kernel with the OpenWall patch for firewall servers. Which is better: LIDS, OpenWall, or a combination of both patches? Will LIDS or OpenWall break any apps in SuSE 6.4?

I won't compare OpenWall with LIDS - they are imho completely different. I've been using the OpenWall stuff since the 2.0.x series and never had any problems; well, at least, I did not encounter any on my systems. Please keep in mind the OpenWall patch does not protect you from every type of buffer overflow. Solar Designer mentioned this in his README - the OpenWall patch was also discussed on the Linux Kernel mailing list some months ago.

Patching the kernel with LIDS is not enough. With LIDS 0.8 you have to change the init scripts, for example. So, if your /etc is write-protected by LIDS, you have to symlink /etc/mtab to /proc/mounts, and the mount commands in the SuSE initscripts have to use the -n flag. See http://www.ce.is.fh-furtwangen.de/~link/security/LIDS-SuSE.php3 for more details.

With LIDS 0.9 things have changed. You can write-protect /etc and give /bin/mount the capability to write to /etc/mtab. In most cases there's no need to patch the SuSE initscripts anymore. Unfortunately, I didn't have the time to update my LIDS-SuSE-HowTo (IIRC, all docu stuff for LIDS is more or less outdated).

LIDS had two major bugs in the past. Under some circumstances, a write-protected directory or partition wasn't write-protected. With one of the latest LIDS releases, non-root users had root rights. I'm not sure if this security hole is already fixed right now - I currently do not read the LIDS mailing list.

Yes, you can run a combination of both patches (IIRC, Wim provides them at http://bofh.st/lids/).

Hope this helps a bit :)

best regards,
Rainer Link

--
Rainer Link, SuSE GmbH, eMail: link@suse.de, Web: www.suse.de
Developer of A Mail Virus Scanner (AMaViS): http://amavis.org/
Founder of Linux AntiVirus Project: http://lavp.sourceforge.net/
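
Added example, not part of the thread and not code from LIDS or SuSE: a read-only check for the two LIDS 0.8 prerequisites described in the reply above (/etc/mtab symlinked to /proc/mounts, and mount calls in the init scripts using -n). The function names and the two directory arguments are assumptions, and the mount match is a line-based heuristic.

```shell
#!/bin/sh
# Added example: audit a system tree before write-protecting /etc with LIDS 0.8.
# It only reads files; nothing is modified.

# mtab_ok ROOT: succeeds if ROOT/etc/mtab is a symlink to /proc/mounts.
mtab_ok() {
    [ -L "$1/etc/mtab" ] || return 1
    case "$(readlink "$1/etc/mtab")" in
        /proc/mounts|../proc/mounts) return 0 ;;
        *) return 1 ;;
    esac
}

# mounts_without_n DIR: print file:line:text for every mount call in DIR
# that has no -n in any short-option cluster (-n, -an, -na ...).
# Heuristic: comment lines and umount are skipped; review each hit by hand.
mounts_without_n() {
    grep -rnHE '(^|[;&|[:space:]])mount[[:space:]]' "$1" 2>/dev/null |
        grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' |
        grep -vE 'mount.*[[:space:]]-[A-Za-z]*n[A-Za-z]*([[:space:]]|$)' || :
}

# Usage: sh lids-precheck.sh ROOT INITSCRIPT_DIR
# (script name and both arguments are chosen by the caller)
if [ "$#" -eq 2 ]; then
    if mtab_ok "$1"; then
        echo "OK: $1/etc/mtab -> /proc/mounts"
    else
        echo "FIX: $1/etc/mtab is not a symlink to /proc/mounts"
    fi
    mounts_without_n "$2" | sed 's/^/CHECK (mount without -n): /'
fi
```

A mount call without -n tries to update /etc/mtab, which is the write that fails once /etc is protected.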