Security advisory for removing setuid programs.

Kfir Lavi kfirlavi at actcom.co.il
Wed Nov 26 12:46:54 PST 2003


Archaic wrote:
> On Wed, Nov 26, 2003 at 12:57:35PM +0100, Nico R. wrote:
> 
>>I think some changes like the read-only filesystem should go into the
>>LFS book as well, since they do not cause any harm (as far as I can
>>think of), are rather easy to implement (a sed/patch for glibc and a
>>symlink, IIRC?) and are really useful...
> 
> 
> No. I'm actually talking about a new book. This stuff isn't the goal or
> purpose of LFS.
> 
> 
>>Another thought, what about gcc security patches like the one(s?) used
>>in OpenBSD? To prevent stack overflows.
> 
> 
> ashes and I have been doing test builds. He's contacted maintainers and
> such and has written a hint for propolice. It's pretty solid, but
> ongoing.
> 
I think SLFS is an integral part of the LFS system, because if we compile 
LFS and then start securing it, we will have to compile again, so we 
will have to have a mechanism for eliminating junk between compilations. 
This in itself can be a security bridge.
We need to test every program that has a security patch after applying 
it, and integrate it into LFS.
This is the same routine as LFS's current workings.
This will make LFS not just the Linux of choice, but also the most 
secure... (LFS 9...11...) ;)

-- 
Regards,
Kfir Lavi

IRC Nick: rommanissi



