Dear Tru64 Unix Managers,
I have been slow in summarising because I have received little new
information other than what has been said on other threads. Anyway,
thanks to
Arrigo Triulzi
Richard L Jackson Jr
John P Speno
for replying.
My original 3 questions were:
(1) It appears that at some point (3.2->4.0?) Compaq switched from a
non-executable stack to an executable one, thus losing some very valuable
security protection. Presumably there was a good reason for doing this:
what was it?
(2) Would it be technically possible to make it a loader option so that
only those applications that needed an executable stack got it?
(3) If (2) is not possible did Compaq consider making it a boot-time
option and documenting which applications needed an executable stack so
that sites could decide whether they needed to take the risk?
I didn't get an authoritative answer from Compaq for any of these
questions. But Arrigo Triulzi and Lamont Granquist believe that the
Java implementation requires an executable stack, and maybe some
versions of gcc as well. To me the Java answer is more plausible
because gcc has been around for a long time and appeared to work on DU
3.2.
The Readme for the SSRT0583Q fix says that the patch only protects
suid programs. But I have run Lamont's test job and can confirm that
the patch protects other programs run as root (assuming Lamont's test
is valid, and there seems no reason to doubt it). This means the patch
provides a lot of extra security, though there is presumably a price
to be paid in not being able to develop Java as root. That price is
almost certainly acceptable, but I think Compaq ought to be more
up-front about it.
As Lamont has said, there is still a potential vulnerability with
non-root daemons (e.g. web servers). In my opinion this hole is very
small compared with what we had a few weeks ago, but a high security
site would have to be concerned about it.
Bob
--
==============================================================
Bob Vickers R.Vickers_at_dcs.rhbnc.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhbnc.ac.uk/home/bobv
Phone: +44 1784 443691
Received on Thu Apr 29 1999 - 09:52:23 NZST