That I will not argue.
BUT that is the risk you take (in my wee opinion) when you run any
"enterprise" aka stable but old and tested from here to next week for
backwards compatibility OS like RHEL/SUSE Ent./Oracle Ent./AIX/Solaris/yadda
yadda yadda
The local root exploit in question does not work on my (extremely trimmed
down) Linux distro as I make a point of keeping up to date with patches and
don't run old or back ported code wherever I can get away with it.
I also run signed and encrypted binaries, so that even IF you get root
your rootkit won't work.
No shells, no PHP/Perl/Python, binary-BSD-like-init, custom package
management system, extremely cut down Glibc (only what's needed - I use
readelf a lot lately lol), chroot jails wherever a daemon is "NEEDED" but as
a firewall all I have on there is BIND, DHCPD and SQUID (statically
compiled), XML based configuration (for the OS proper, the daemons retain
their upstream configuration methodology) that is remotely dropped as an
encrypted tarball via SFTP, hardware and software encrypted solid state
welded to the board storage, and a bare minimum of drivers compiled into the
kernel and modularity expressly forbidden at compile time.
And yes I'm paranoid... must be the Pretoria water lol
"Opportunity is most often missed by people because it is dressed in
overalls and looks like work."
Thomas Alva Edison
Inventor of 1093 patents, including:
The light bulb, phonogram and motion pictures.
On Mon, Sep 27, 2010 at 12:10 AM, Brad Tilley <[email protected]> wrote:
> On 09/26/2010 04:54 PM, Kevin Chadwick wrote:
>
> > It's occurred to me that I think what Theo suggested was actually about
> > using more than one architecture, which may be a better method over
> > Linux.
>
> How many privilege escalation attacks (normal user getting a root shell)
> has OpenBSD had during the last five years? There have been several of
> these in the Linux kernel (one just this month). We tested the latest
> one and it worked against a fully-patched RHEL box that had the SELinux
> "restrictive" policy in place.
>
> I don't mean this as bashing Linux, just pointing out facts. I think
> history shows that OpenBSD has a better track record here (if that means
> anything to anyone).
>
> Brad