
Openwall Linux kernel patch 2.4.33-ow1

Developer:   Solar Designer
Price:  0.00
License:   GPL (GNU General Public License)
File size:   34K

Openwall Linux kernel patch is a collection of security-related features for the Linux kernel, all configurable via the new 'Security options' configuration section. In addition to the new features, some versions of the patch contain various security fixes.

The number of such fixes changes from version to version: some become obsolete (for example, when the same problem is fixed in a new kernel release) while new security issues are discovered.

Non-executable user stack area.
Most buffer overflow exploits are based on overwriting a function's return address on the stack to point to some arbitrary code, which is also put onto the stack. If the stack area is non-executable, buffer overflow vulnerabilities become harder to exploit.

Another way to exploit a buffer overflow is to point the return address to a function in libc, usually system(). This patch also changes the default address that shared libraries are mmap()'ed at so that it always contains a zero byte. In the many exploits that work through ASCIIZ strings, the zero byte terminates the string, so it becomes impossible to supply any further data after the address (parameters to the function, or more copies of the return address when filling with a pattern).
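The two properties just described (a non-executable stack and library mappings whose every address contains a zero byte) can both be checked from a process's memory map. The following is an added example written for this page, not code from the Openwall patch: it parses `/proc/<pid>/maps`-style lines, flags an executable stack, and flags shared-library mappings for which some address has no zero byte in its 32-bit little-endian encoding. The two sample maps are constructed, the `[stack]` label is the form newer kernels print (2.4 maps are unlabelled), and the 0x40000000 and 0x00110000 library bases are illustrative rather than taken from the patch.

```python
import re
from dataclasses import dataclass
from typing import List

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]"
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>\S.*)?$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str


def parse_maps(text: str) -> List[Mapping]:
    """Parse maps-style text; lines that do not match the format are skipped."""
    out = []
    for line in text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if m:
            out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                               m["perms"], (m["path"] or "").strip()))
    return out


def next_zero_free_address(addr: int, width: int = 4) -> int:
    """Smallest address >= addr whose width-byte encoding contains no zero byte.
    Walk the bytes from the most significant end; at the first zero byte, bump it
    to 1 and set every lower byte to 1 (the smallest non-zero value)."""
    bs = list(addr.to_bytes(width, "big"))
    for i, b in enumerate(bs):
        if b == 0:
            bs[i] = 1
            bs[i + 1:] = [1] * (width - i - 1)
            break
    return int.from_bytes(bytes(bs), "big")


def every_address_has_zero_byte(start: int, end: int, width: int = 4) -> bool:
    """True when each address in [start, end) contains a zero byte, so none of
    them can be embedded whole in a zero-terminated string."""
    return next_zero_free_address(start, width) >= end


def audit(text: str, width: int = 4) -> List[str]:
    """Report an executable stack and shared-library mappings that do not get
    the zero-byte protection described above."""
    findings = []
    for m in parse_maps(text):
        # "[stack]" is the label newer kernels print; 2.4 maps are unlabelled.
        if m.path == "[stack]" and "x" in m.perms:
            findings.append(f"executable stack at {m.start:08x}-{m.end:08x}")
        is_lib = m.path.endswith(".so") or ".so." in m.path
        if is_lib and not every_address_has_zero_byte(m.start, m.end, width):
            bad = next_zero_free_address(m.start, width)
            findings.append(f"{m.path}: address {bad:#010x} has no zero byte")
    return findings


# Constructed sample output for a 32-bit process; not captured from a real system.
SAMPLE_VANILLA = """\
08048000-08052000 r-xp 00000000 03:01 12345      /bin/example
40000000-40016000 r-xp 00000000 03:01 22222      /lib/ld-linux.so.2
40020000-40130000 r-xp 00000000 03:01 33333      /lib/libc.so.6
bffeb000-c0000000 rwxp 00000000 00:00 0          [stack]
"""

SAMPLE_HARDENED = """\
08048000-08052000 r-xp 00000000 03:01 12345      /bin/example
00110000-00126000 r-xp 00000000 03:01 22222      /lib/ld-linux.so.2
00130000-00240000 r-xp 00000000 03:01 33333      /lib/libc.so.6
bffeb000-c0000000 rw-p 00000000 00:00 0          [stack]
"""

if __name__ == "__main__":
    for name, sample in (("vanilla", SAMPLE_VANILLA), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(sample) or ["no findings"])
```

The zero-byte test is exact rather than a "high byte is zero" shortcut: a range can have every address contain a zero byte without any single byte position being zero throughout, and `next_zero_free_address` handles that case. For a 64-bit process pass `width=8`.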

However, note that this patch is by no means a complete solution; it just adds an extra layer of security. Many buffer overflow vulnerabilities will remain exploitable in a more complicated way, and some will even remain unaffected by the patch. The reason for using such a patch is to protect against some of the buffer overflow vulnerabilities that are not yet known.

Also, note that some buffer overflows can be used for denial of service attacks (usually in non-respawning daemons and network clients). A patch like this cannot do anything against that.

It is important that you fix vulnerabilities as soon as they become known, even if you're using the patch. The same applies to other features of the patch (discussed below) and their corresponding vulnerabilities.

Restricted links in /tmp.
I've also added a link-in-+t restriction, originally for Linux 2.0 only, by Andrew Tridgell. I've updated it to prevent the use of a hard link in an attack instead, by not allowing regular users to create hard links to files they don't own, unless they could read and write the file (due to group permissions). This is usually the desired behavior anyway, since otherwise users couldn't remove such links they've just created in a +t directory (unfortunately, this is still possible for group-writable files) and because of disk quotas.

Unfortunately, this may break existing applications.

Restricted FIFOs in /tmp.
In addition to restricting links, you might also want to restrict writes into untrusted FIFOs (named pipes), to make data spoofing attacks harder. Enabling this option disallows writing into FIFOs not owned by the user in +t directories, unless the owner is the same as that of the directory or the FIFO is opened without the O_CREAT flag.
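To make the hard-link rule and the FIFO rule above concrete, here is an added Python model of the decision logic as the description states it. This is example code written for this page, not the patch's own code: the users, file modes and the `demo()` scenario are constructed, and `_can_read_and_write` uses the classic owner/group/other permission bits as the page's "could read and write the file" test.

```python
import os
import stat
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int   # st_mode bits, e.g. stat.S_IFREG | 0o664


@dataclass(frozen=True)
class Caller:
    uid: int
    gids: FrozenSet[int]


def _can_read_and_write(caller: Caller, f: Inode) -> bool:
    """Classic owner/group/other permission check for read plus write."""
    if caller.uid == f.uid:
        bits = (f.mode >> 6) & 0o7
    elif f.gid in caller.gids:
        bits = (f.mode >> 3) & 0o7
    else:
        bits = f.mode & 0o7
    return bits & 0o6 == 0o6


def hardlink_allowed(caller: Caller, target: Inode) -> bool:
    """Hard-link rule: root may link anything; other users may link only files
    they own or files they could already read and write."""
    if caller.uid == 0:
        return True
    return caller.uid == target.uid or _can_read_and_write(caller, target)


def fifo_open_allowed(caller: Caller, fifo: Inode, directory: Inode, flags: int) -> bool:
    """FIFO rule: in a +t directory, an O_CREAT open for writing of a FIFO the
    caller does not own is refused unless the FIFO's owner is also the
    directory's owner. Every other open is left to the normal permission checks."""
    if not stat.S_ISFIFO(fifo.mode) or caller.uid == 0:
        return True
    if not (directory.mode & stat.S_ISVTX):
        return True
    for_write = (flags & os.O_ACCMODE) != os.O_RDONLY
    if not (flags & os.O_CREAT) or not for_write:
        return True
    return fifo.uid in (caller.uid, directory.uid)


# Constructed scenario: /tmp is root-owned and sticky; alice and bob are
# ordinary users; SHARED is a group-writable file in one of bob's groups.
ROOT = Caller(0, frozenset({0}))
ALICE = Caller(1000, frozenset({1000}))
BOB = Caller(1001, frozenset({1001, 2000}))
TMP = Inode(0, 0, stat.S_IFDIR | stat.S_ISVTX | 0o777)
HOME_BOB = Inode(1001, 1001, stat.S_IFDIR | 0o755)
PASSWD = Inode(0, 0, stat.S_IFREG | 0o644)
SHARED = Inode(1000, 2000, stat.S_IFREG | 0o664)
ALICE_FIFO = Inode(1000, 1000, stat.S_IFIFO | 0o666)
ROOT_FIFO = Inode(0, 0, stat.S_IFIFO | 0o666)
WRITE_CREATE = os.O_WRONLY | os.O_CREAT


def demo() -> Dict[str, bool]:
    """Decisions for the constructed scenario, keyed by a short description."""
    return {
        "bob links /etc/passwd": hardlink_allowed(BOB, PASSWD),
        "bob links group-writable file": hardlink_allowed(BOB, SHARED),
        "root links /etc/passwd": hardlink_allowed(ROOT, PASSWD),
        "bob O_CREAT-opens alice's FIFO in /tmp": fifo_open_allowed(BOB, ALICE_FIFO, TMP, WRITE_CREATE),
        "bob opens alice's FIFO in /tmp without O_CREAT": fifo_open_allowed(BOB, ALICE_FIFO, TMP, os.O_WRONLY),
        "bob O_CREAT-opens root's FIFO in /tmp": fifo_open_allowed(BOB, ROOT_FIFO, TMP, WRITE_CREATE),
        "bob O_CREAT-opens alice's FIFO in a non-+t dir": fifo_open_allowed(BOB, ALICE_FIFO, HOME_BOB, WRITE_CREATE),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'allow' if allowed else 'deny ':5} {case}")
```

The scenario shows why the O_CREAT clause matters: a program that opens `/tmp/<name>` with O_CREAT expects to create its own file, so a pre-existing FIFO owned by someone else is refused, while a deliberate open of an existing FIFO without O_CREAT is unaffected. Current mainline kernels expose the same family of rules as the `fs.protected_hardlinks` and `fs.protected_fifos` sysctls, so on a modern system these are the settings to check rather than this patch.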

Restricted /proc.
This was originally a patch by route that only changed the permissions on some directories in /proc, so you had to be root to access them. Then there were similar patches by others. I found them all quite unusable for my purposes, on a system where I wanted several admins to be able to see all the processes, etc., without having to su root (or use sudo) each time. So I had to create my own patch that I include here.

This option restricts the permissions on /proc so that non-root users can see their own processes only, and nothing about active network connections, unless they're in a special group. This group's id is specified via the gid= mount option, and is 0 by default. (Note: if you're using identd, you will need to edit the inetd.conf line to run identd as this special group.) Also, this disables dmesg(8) for the users. You might want to use this on an ISP shell server where privacy is an issue. Note that these extra restrictions can be trivially bypassed with physical access (without having to reboot).

When using this part of the patch, most programs (ps, top, who) work as desired: they only show the processes of this user (unless root or in the special group, or running with the relevant capabilities on 2.2+), and don't complain that they can't access others. However, there's a known problem with w(1) in recent versions of procps, so you should apply the included patch to procps if this applies to you.

What's New in This Release:
  • This release was updated to Linux 2.4.33.