Bug in latest Linux gives untrusted users root access

A software developer has uncovered a bug in most versions of Linux that could allow untrusted users to gain complete control over the open-source operating system. The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Thumb Down

    Blame

    I would imagine it's probably Microsoft's fault.

    Linux rocks!!!

  2. Marvin the Martian
    Pint

    "I picked it out two weeks before the people whose job it is"

    Hurrah for weasel words. Have you considered a job in politics?

    Obviously there are hundreds of people doing exactly what he does, most find almost nothing, together they find a fraction of the bugs found by "those whose job it is" (as well as not repairing them).

    It's like the incredibly improbable numberplate I have, XY-32-TP --- what's the chance, 1 in 45million!!

  3. Anonymous Coward
    Thumb Down

    Security schmekurity

    So this is why I never could make Wine work on my Fedora. Linux desktop for the masses my foot. Gimme less security, not more.

  4. J 3
    FAIL

    Fail

    Wine is not a desktop environment, as many other commentards are likely to have pointed out before me.

  5. Anonymous Coward
    Stop

    Ehhh?

    "A software developer has uncovered a bug in most versions of Linux that could allow untrusted users to gain complete control over the open-source operating system.

    The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at the moment vulnerable"

    Then....

    "The latest bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature"

    Make your minds up!

  6. Neoc

    And cue Linux bashing...

    ...in 3... 2... 1...

    Honestly folks, the fact that there's a bug in the Linux Kernel does not surprise me - *any* program big enough to be useful is big enough to have bugs. However, the fact that an *independent* developer was able to find the bug by reviewing the source code is something that could not have happened with either Windows or OSX.

    Good, bad? The choice is yours. I personally run Windows XP on my desktop and Ubuntu Linux on my web/mail servers at home - use the tool best suited for the job sort of thing.

  7. Anonymous Coward
    Joke

    Linux suxx0rs

    OMG ANUTHER bug?!!? ycant thees ppl lrn 2 chk there codes b4 releesig it?1/1 Linux just suxxors!! Linuxs got more holes then swis ches now. y does ppl stil use that gabrage U shuld all switch to a BSD they gots waaaaay more seccurrity and more sable too.

    </parody>

    Just thought I'd try a parody of the usual post found in Windows security issue comment threads.

  8. Anonymous Coward
    WTF?

    Not this guy again

    This guy popped up with a fairly obscure but quite cute exploit that is basically a local privilege escalation.

    If this was a remotely exploitable vuln, then ok, but really the biggest class of issue is the dumb user running some random file from the web and that is all this amounts to in terms of threat.

    While I'm glad he raised and disclosed the bug enabling me to patch my kernels, I think this guy is making a lot of fuss over basically a couple of sloppy lines of code.

    In fairness the entire net/socket.c file has a couple of examples of "use before check" bugs; it wouldn't take more than an hour to fix and for the most part they bomb correctly.

    The real issue is being allowed to mmap page 0, which if you can't do then his exploit fails miserably.

    Most distro kernels come with mmap_min_addr enabled anyway, if they don't frankly it's not hard to add a line to the /etc/sysctl.conf file like vm.mmap_min_addr=4096

    or run "sudo sysctl -w vm.mmap_min_addr=4096" on the command line.

    Sure if you're using wine or pulse-audio then there are issues as they need to mmap low addresses but for a lot of people stopping a user from downloading and running untrusted code is more difficult than sandboxing the system and more effective in security terms.

    And as for slating red-hat, they are on the case, see http://kbase.redhat.com/faq/docs/DOC-18042

    Sure there are security issues with Linux but why not write a patch, submit to the LKML and be done with it.

  9. David 141
    Linux

    Easily fixed

    What you really need to know:

    http://kbase.redhat.com/faq/docs/DOC-18042.

    Or a clear description of the setting:

    http://wiki.debian.org/mmap_min_add

    Pretty trivial really. Mr Spengler is starting to sound a lot like chicken little.

  10. Geoff Mackenzie

    Bit of an alarmist headline

    All my boxen are fine.

  11. Red Midnight

    I'm still laughing

    Theo de Raadt, the leader of the OpenBSD OS had this to say about Linux and Torvalds:

    If anyone wants a choice quote from me about the recent Linux holes, this is what I have to say:

    Linus is too busy thinking about masturbating monkeys, he doesn't have time to care about Linux security.

    For the record, this particular problem was resolved in OpenBSD a while back, in 2008. We are not super proud of the solution, but it is what seems best faced with a stupid Intel architectural choice. However, it seems that everyone else is slowly coming around to the same solution.

  12. Pete 8
    Troll

    Ewww

    Very nasty indeed.

    Luckily for most, Windows® doesn't have that 'feature'.

    I have a mate who will already be pissing blood over this - hahaha you hippie, that's what you get for going to uni!

    Cupcake anyone, while we watch the Trolls and Fanbois over-react?

  13. Daniel 19
    Thumb Down

    Worst comment ever

    "It's interesting to me that I picked it out two weeks before the people whose job it is to find this sort of stuff,"

    What is the point of saying this???? This just proves open source is working. Presumably he is about as likely to find a flaw as anyone else (discounting different levels of smarts). If this was Microsoft and he was finding bugs with fuzzing or what not then he would have a point. The purpose of Linux is to rely on users like himself to find these bugs. Open source is working, move along.

  14. Anonymous Coward
    Anonymous Coward

    Ha

    Some say that *BSD is for those who love Unix and Linux is for those who hate Windows. Might also add to the linux side, "doesn't give a shit about security"

    Who has time to worry about root exploits when sodding Word 2007 runs?!?

    http://marc.info/?l=openbsd-misc&m=125729287502801&w=2

  15. Macka

    Upgrades can be slow on the ground

    For many commercial customers, upgrading immediately to the latest bug fix releases of the kernel is not a realistic option. For example if you use OCFS2 you might have to wait a little while for them to update their kernel modules. Or if you're an HP customer and use their Proliant Support Pack with their updated drivers you also have to wait for a version to be released that supports the kernel you want to move to. Typically this happens about every 3 months and they will always lag behind the very latest kernels because kernel releases are a moving target and HP have to stop at some point to QA before they do a release.

    I can't speak for IBM or Dell as I don't have any experience with those vendors. Would be interested to hear from anyone who does.

  16. Big-nosed Pengie
    Linux

    OMG!

    Linux behaving like Windwoes?

  17. Anonymous Coward
    Grenade

    if only

    they had written the kernel in ADA instead of that half-arsed 'c' language

  18. Flocke Kroes Silver badge

    Spengler cries wolf again

    As root type "sysctl vm.mmap_min_addr". If the result is 4096, the problem has been dealt with. If it is 0, read the man page for "sysctl.conf".

    WINE is for running Windows programs on a Linux box, but it has limitations. Last time I read about it, WINE was unable to install or run Windows malware correctly.

    Closed source drivers can cause some hassle (none in this case). If some kit provides so much benefit for you that it is worth the hassle, ask the supplier to provide a minimal open source wrapper around a binary blob like nVidia have for years.

  19. ElReg!comments!Pierre
    Thumb Down

    Latest Linux? Or just old Red Hat?

    Your headline is more than misleading: the latest -and not-so-latest- Linux is indeed fully patched, only Red Hat left a hole in there, which is actually not even there anymore in their "latest" (as you put it) release. So "Bug in latest Linux gives untrusted users root access" actually reads "Hack in old RHEL gives users root access". And even so, coming from the guy who discovered that a person running programs as root can get root access (Shock! Horror!), I have my doubts.

  20. Anonymous Coward
    Grenade

    @ NOC

    indeed, this could not happen to windows and os X.

    no source to look at

    lmho

    rg

  21. Neal 5

    OMG, you Linux boys

    Head..................Sand

  22. MacroRodent
    Linux

    Really seems to be MS compatibility hitting you

    From article: "or desktop environments such as Wine."

    Wine is not a desktop environment, but a Windows emulator. It needs a Windows-compatible insecure memory layout. There are also some "ported" programs that use a bundled version of Wine underneath. True Linux programs (including Linux desktop environments like Gnome) don't care about the mmap_min_addr setting. So this is a case of getting insecurity for catering to Windows-originated software.

  23. bell

    Schmekurity economics

    Security features do not happy end users make - as nicely demonstrated by AC@22:00, and the comments about redhat breaking the feature on purpose. End users are made happy by more features, which require more development effort, which requires lower barriers to entry.

    If you're playing market catchup (as Linux is on the desktop) then this may mean loosening things up to make emulations, wrappers and crude ports work. I must presume that the sco binary wrappers that eased Linux server uptake 10 years ago had some similar requirements.

    The other area for lowering barriers for entry is making things easier for developers. This was a major part of how Microsoft won PC/Mac round 1 in the 80s. I'd be surprised if this wasn't also part of the RHEL decision. Easier for developers means allowing them to be a bit sloppier, or making them jump through fewer hoops to achieve a goal that would be hugely painful to reach correctly (pulseaudio seems to fit into this bucket).

    I think that the Linux kernel team have made some better tradeoffs in this regard than the Windows team, with de Raadt and company just refusing to play. It's a factor in the fight for desktop marketshare, and unfortunately it's not in Linux's favour.

  24. Gannon (J.) Dick
    Headmaster

    Improbable

    @By Marvin the Martian Posted Tuesday 3rd November 2009 21:16 GMT

    It's like the incredibly improbable numberplate I have, XY-32-TP --- what's the chance, 1 in 45million!!

    =========================

    What's the formal name for this logical fallacy ? I've heard it referred to as "The Golf Course Fallacy", as in 'what's so special about the blade of grass my ball landed on', but I don't think that is correct.

    The quest to know what I'm talking about has been downsized to an epic scavenger hunt ... could you help me out ?

  25. Gordon Ross Silver badge

    @David 141 - URL Typo

    The correct URL is http://wiki.debian.org/mmap_min_addr

  26. Anonymous Coward
    Linux

    Fedora is OK, apparently

    > "As root type "sysctl vm.mmap_min_addr". If the result is 4096, the problem has been dealt with. If it is 0, read the man page for "sysctl.conf"."

    On Fedora 10, with no sysctl tweaks at all, I get a result of 65536. Everything works too, including pulseaudio.

  27. Anonymous Coward
    Linux

    CentOS is OK, too, apparently

    Me again ...

    Running "sysctl vm.mmap_min_addr" on a default CentOS 5.3 install gave the same result as Fedora 10 (i.e. 65536).

  28. Loki 1

    local exploit?

    Did i read right? This is a local exploit. Therefore the hacker needs to be actually at your computer? In that case not too big an issue.

  29. dave lawless
    Boffin

    memmap & root

    There's your problems right there, design faults.

  30. Defiant
    Grenade

    Get a life

    OMG even when the article is purely Linux related the geeks can't help but bring Windows into it. You people should get a life..........

  31. spegru
    Linux

    This is a surprise

    The Reg seems to be going overboard with its balance of views regarding Windows vs Linux this week.

    This is good as it gives more cred to the good stuff.

    Also good to note that it seems to be only RHEL, due to the other distros' correct implementation of the mmap_min_addr feature, and that the bug has already been fixed in the latest upcoming 2.6.32 kernel.

    I wonder how long it would have taken Apple or MSFT to fix something like this.

  32. Anonymous Coward
    FAIL

    Redhat oopsie

    oooh, the one with the most enterprise grade solutions in FTSE organisations too...

    egg....face...interaction.

    As a side note... I thought LINUX was superior in every way, was completely secure and would *never* be victim of the same mistakes/bugs that befall Windows or OS X?

    My linux is certainly 100% secure...I can't get the damned thing to run X, so a permanent "power off" state is in effect. Formatting with Win2k8 will be a lot less painful than a descent into CLI hell trying to get display drivers to work in LINUX.

  33. Anonymous Coward
    Anonymous Coward

    Re: I'm still laughing

    "Theo de Raadt, the leader of the OpenBSD OS had this to say about Linux and Torvalds:"

    Ah yes, OpenBSD, the project that gave us OpenSSH and its remotely-exploitable root exploit.

    Of course bugs are discovered in software. But when that happened, you might have expected the openssh.com website to have a big red warning saying there was a critical problem and telling people to upgrade urgently. Did they? Nope. The announcement is buried in the smallprint at http://www.openssh.com/security.html in weaselly negative-speak:

    "OpenSSH 2.3.0 and newer are not vulnerable to the "Feb 8, 2001: SSH-1 Daemon CRC32 Compensation Attack Detector Vulnerability", RAZOR Bindview Advisory CAN-2001-0144. A buffer overflow in the CRC32 compensation attack detector can lead to remote root access. This problem has been fixed in OpenSSH 2.3.0. However, versions prior to 2.3.0 are vulnerable."

  34. Filippo Silver badge
    Flame

    Meh

    A small issue. No one is going to bother writing a virus that targets Linux anyway.

  35. DavidRobertRoy

    @Anonymous Coward

    Most of Mac OS is opensource including the kernel you can download it and look though it all you want.

  36. Grease Monkey Silver badge

    Job?

    He spends his free time looking for minor security holes in the Linux kernel does he? Either he's hoping some security firm will give him a job or he's already being paid by somebody to do it.

    Whinging about developers not finding the bugs won't help his case much when many of those developers give their time for free and contribute much more than he does, by actually coding. His hobby, it appears, is floccinaucinihilipilification. Finding a couple of minor holes hardly justifies all the crowing he's doing. From the way he's gobbing off you'd think he'd single-handedly fixed several major holes, whereas all he's done is discovered a couple of minor ones.

    Time, I think, that he got himself a sense of perspective - a little lesson of "world big, you tiny" is required.

  37. copsewood
    Boffin

    @Neoc - Windows open to black hats

    "However, the fact that an *independent* developer was able to find the bug by reviewing the source code is something that could not have happened with either Windows or OSX."

    Not the case. OSX is open source except for desktop cosmetics. One of my work colleagues put a Windows source CD on my desk, made available under Microsoft's "Shared Source" program. I haven't read it, because I don't want Microsoft suing me for copyright or patent infringement if I contribute anything they consider similar to an open source program. To sell Windows to government and security sensitive environments, MS wouldn't make these sales without disclosing source. So Windows users are not protected from code review because of Microsoft's inability to keep source code in house.

    This gets worse, because black hats who have no intention of contributing to open source have access to Windows source code and white hats, who also technically have access, for reasons given above are unlikely to want to read it unless paid by employers with very large security budgets specifically to do so.

  38. Anonymous Coward
    Grenade

    The Solution

    The world needs a new OS.

    Not a new version of Windows, MacOS, Linux, Unix, OpenVMS, OS400, zOS, or anything else.

    It needs a new OS built from the ground up to be fundamentally secure. Written from scratch, without worrying about end features and groovy interfaces. Start with the very basics and build it up. If everything at lower levels is secure, there's no reason everything added can't be secure.

    Why not? Expensive.

    And I bet it still has bugs and holes!

  39. Greg J Preece

    Already patched?

    I fully expected the issue to be patched by the time I finished reading the article, but it turns out it was patched before I even read the headline.

    You'll forgive me if I don't panic.

  40. Anonymous Coward
    Linux

    It's been mentioned before, but it's worth re-iterating

    What most of the people bouncing up and down and pointing "you're insecure" fingers at Linux fail to realise is the nature of this exploit.

    It's a local root exploit: that is you have to be running code on the machine in order to take advantage of the problem.

    How do you do that? Well, you persuade someone to download and run some malware on the machine. Good luck with that, it's not impossible but I'm sure you'll find some gullible idiot somewhere on the net. On the other hand, that gullible idiot is likely to fall for more overt trickery (eg don't use two-factor authentication, it's not secure because you don't need a password).

    Server admins aren't in any particular hurry to patch local root exploits because the unwashed masses aren't allowed anywhere near the machine ....

  41. TeeCee Gold badge
    Troll

    @Pete 8

    "Cupcake anyone, while we watch the Trolls and Fanbois over-react?"

    Thank you, don't mind if I do.

    Mmmmm. Cake....

  42. Anonymous Coward
    Anonymous Coward

    linux fanboys in predictable response shocker

    You Linux fanboys make me laugh. Well, you would if you weren't so sad.

    You forever moan about windows running in admin mode, yet when it comes to linux you write:

    "Did i read right? This is a local exploit. Therefore the hacker needs to be actually at your computer? In that case not too big an issue."

    You laugh whenever there is a windows exploit, yet when it comes to Linux, you write:

    "Honestly folks, the fact that there's a bug in the Linux Kernel does not surprise me - *any* program big enough to be useful is big enough to have bugs."

    This is why people in the real world don't take you seriously.

    Anyway, is Linux still alive? I thought everyone moved to BSD a long time ago....

  43. Anonymous Coward
    FAIL

    Blinkered.

    I love the LINUX fanboi's response to LINUX problems like this. Rational, reasonable, stating sensible facts, and mitigations thereof.

    The very same people who scream like little girls about Microsoft doing anything similar, as if the greatest offence in the history of mankind had been committed and is completely unforgivable.

    Software development is one of the most complex tasks mankind has ever undertaken, there will always be vulnerabilities in code, stop being arses thinking your precious little hobbyist operating systems are any different.

    Blinkered, idiotic losers. You really are.

  44. Ken Hagan Gold badge

    @Gannon (J.) Dick

    "What's the formal name for this logical fallacy ? I've heard it referred to as "The Golf Course Fallacy", as in 'what's so special about the blade of grass my ball landed on', but I don't think that is correct."

    I don't think it is any of the accepted "logical fallacies". I usually call it a "selection effect" (and wikipedia calls it a "selection bias"). I suppose it might be a "post hoc ergo propter hoc" thing, but it really ought to have a name, suitably dripping in ridicule, because it happens far too often IMHO. How about "placing your bet after the end of the race"?

  45. Anonymous Coward
    Pint

    @The Solution

    Secure OS? Well, it would work with just a secure kernel, really, as long as modules like drivers run in a less-privileged layer and there are sufficient monitoring functions in said secure kernel.

    Aussi boffins are already on the way to doing that:

    http://www.theregister.co.uk/2009/08/17/secure_kernel/

  46. crypt
    Joke

    Local user exploit - no longer exploitable

    ..and now for the weather

    A storm that has been brewing for several months has now broken over a small teacup in a shed in Finland..................

  47. Anonymous Coward
    Boffin

    Why Linux fanbois are right

    "You forever moan about windows running in admin mode, yet when it comes to linux you write:

    Did i read right? This is a local exploit. Therefore the hacker needs to be actually at your computer? In that case not too big an issue."

    The reason they say that is because of the extra difficulty to remotely exploit Linux when compared to Microsoft operating systems. See Metasploit.org for details.

  48. Joseph Bloe

    Attention whore

    Of course, Spengler is nothing more than an attention whore.

    Why else would someone take an issue with the NSA (you know, the MAKERS of SELinux), to the kernel developers?

  49. windywoo
    Jobs Horns

    When will Reg disable Anonymous comments?

    They rarely contribute anything of worth.

  50. AndrueC Silver badge
    Boffin

    It's not rocket science.

    "As root type "sysctl vm.mmap_min_addr". If the result is 4096, the problem has been dealt with. If it is 0, read the man page for "sysctl.conf"."

    Ah yes, no problem. Obvious to anyone really. You just have to sparkelate your griblets and verify that the munxing mask has a value of 37. It goes without saying that you use the dhyef.fgrtty utility to fix it.

    Sigh.

    The bug itself is just one of those things that happens sometimes (and apparently less often with Linux than Windows) but the above quote is why Linux will never win against Windows in the home environment. In a server environment it's tolerable to have esoteric commands and config files and reasonable to expect administrators to know how to use them. Back in the real world where 90% of computers operate it isn't.

    In fact I'd go further and say that that kind of thing is a potential Achilles heel for Linux. 'Security through obscurity' never was very effective but 'obscure security configuration' is worse.

  51. Baying Lynch Mob
    Thumb Up

    No distribution hacking required, already fixed upstream

    ``On October 22, he wrote a proof of concept attack for the local root exploit.''

    That's more than four months *after* the patch that fixed it (setting mmap_min_addr to non-zero) was committed to the kernel:

    http://lkml.indiana.edu/hypermail/linux/kernel/0906.0/01475.html

  52. Chronos

    NULL pointer derefs

    The problem with so-called "Security Enhanced" Linux is that it re-enabled userland access to page zero (why? Who knows) while the mainline kernel explicitly denied mapping to anything below 0x1000. This raised NULL pointer dereference issues from a simple DoS to a privilege escalation issue. The same thing bit FreeBSD not so long ago and we now have a sysctl (security.bsd.map_at_zero, disabled on legacy releases but enabled by default on > 8.0-Beta) to disable userland mmap to page zero. Whether SELinux still allows zero page mapping or not I don't know.

    Theo has quite a good analysis of this sort of problem here:

    http://www.openbsd.org/papers/ven05-deraadt/index.html

    As for being a local issue, this means local as in local user, which includes anyone with SSH access or using any exploit that allows executable code injection with local user credentials. Attackers do not need physical access, so the mantra "If someone has access to your box, it's not your box any more" does not apply here.

  53. Seanie Ryan
    Pirate

    paper

    this is exactly the reason why i stay away from computers completely.

    pen & paper rocks... (but only the paper with an apple logo in the bottom corner.... ;-) )

  54. Jamie Jones Silver badge
    FAIL

    @windywoo

    Haha, there have been some good 'anonymous coward' posts in this section - making some good points.

    Your problem, I assume, is that they are anti-Linux?

  55. Peter Gathercole Silver badge
    Thumb Down

    @AndrueC

    Not sure which camp you're in, if you're a windows user, I guess that the Windows Registry is clear and understandable to you.

    The number of MS Technotes that start with something like "Open the registry editor, find key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun and set to 0xFF or whatever bitmap disables autorun on the device in question according to the following table..." followed by the table with hex numbers in it for each of the devices windows can use.

    This is a REAL example, and would only be slightly less meaningful if it were written in Russian to someone like my wife. And have you tried to work out how some services and background tasks get started on Windows!

    The crux of the matter is that complex operating systems require complex configuration. It's just that most people never see the Windows stuff, because it is hidden. When you need it, it is equally cryptic, regardless of the OS.

    I'm sure that OSX and BSD have equally arcane incantations, but then so did RiscOS, OS/2 and probably NeXT and BeOS.

    Of course, we could have all the configurations stored in XML (shudder), in which case it would be almost impossible to change any system configuration settings without the correct tool.

  56. Gannon (J.) Dick
    Boffin

    @Ken Hagan

    re: a name for the "selection effect"

    How about "Don't blame the dress"

    ("Does this dress make me look fat?")

  57. Anonymous Coward
    Linux

    @Chronos

    I'm not sure if you're referring to the current vulnerability when you mention SELinux and userland page 0 access, but, the checks I ran on Fedora 10 and CentOS 5.3 (see above comments) were both with SELinux enforcing.

  58. Anonymous Coward
    Thumb Down

    What you really meant to say. . .

    "When will El Reg disable anonymous comments. They rarely contribute anything of worth"

    =

    "Censor everything that says anything bad about LINUX".

  59. ElReg!comments!Pierre
    Flame

    The world doesn't need a new OS (@AC 11:11 GMT)

    "It needs a new OS built from the ground up to be fundamentally secure. Written from scratch, without worrying about end features and groovy interfaces."

    VMS?

    A few of these exist. The problem is that the buyers (be it Joe Bloggs for his living room machine or James Greenbackz for his multi-billion dollar company) *demand* shiny interfaces and groovy stuff with touchy-feely user-friendliness all round (talking puppy! Yay!). And they don't give a shit about security.

    The world doesn't need a new OS, the world needs new users (preferably leading-L-free).

  60. spegru
    Thumb Up

    Mine seems ok

    Just tested the "sysctl vm.mmap_min_addr" command on my Linux Mint box (not as root mind you - I'm no hacker so didn't want to risk a reg forums comment to root!)

    Anyway, got the response "vm.mmap_min_addr = 65536", not 4096.

    So I guess it's fine and that therefore presumably ubuntu 9.04 (on which Mint 7 is based) is also ok.

    Looks like this is a lot of fuss about nothing.

    Good to see the attention Linux is getting though!

  61. jake Silver badge

    @Gannon (J.) Dick

    "("Does this dress make me look fat?")"

    No, Ralph Lauren makes you look fat.

    How about "The Ralph Lauren bias"? ;-)

  62. Flocke Kroes Silver badge

    @Filippo

    Filippo: "A small issue. No one is going to bother writing a virus that targets Linux anyway."

    After all, no one would want to root paypal and divert lots of money to themselves.

    Try some other big names like google or yahoo with something like: http://uptime.netcraft.com/up/graph?site=www.paypal.com

  63. vincent himpe
    Coat

    mine returns 42

    does that mean the ultimate questions of life the universe and everything is sysctl vm.mmap_min_addr ?

    poof there goes the universe ...

  64. AndrueC Silver badge
    Badgers

    Pitch your tent :)

    What camp am I in? The camp of a software developer and home user who just wants someone to pay him to write code and for stuff to work with minimal faffing around. At the moment Windows is achieving that for me on both counts :)

    If computers were still a hobby to me I'd have Linux on my server and would spend all evening neck deep inside config files..but I grew out of that. I don't mean to be rude - just the way it is. I've been in the 'alternate OS camp' once - I was an OS/2 Warp fanatic back in the day. I just don't see the point in being different at the moment nor spending time configuring my system.

    I would like to see Linux supplant Windows (I learnt computing on *IX and technically I much prefer the architecture). My complaint is simply that *IX peeps /don't get it/. Until/unless *IX becomes as easy to use as Windows it ain't going to win.

    Then again the day *IX becomes that easy is likely the day when it becomes bloated with pointless crap and full of security holes from services sitting there waiting for the blue moon when someone needs them.

    I don't think Windows is the way it is because MS employ idiots. I think it is the way it is because it's flexible, carries a lot of historical baggage and tries to save the user from complexity. Maybe you can be both secure and easy to use but sadly I have my doubts.

    Badger paws because I'm turning into an old git and El Reg don't give us a Victor Meldrew icon :)

  65. Mike Gravgaard

    ubuntu 9.10

    Well Ubuntu 9.10 x64 is set to:

    mike@mike-ubuntu:~$ sysctl vm.mmap_min_addr

    vm.mmap_min_addr = 0

    but then if someone got local access they could get root access I'm sure, it all depends on how much time they have.

    Mike

  66. Jamie Jones Silver badge

    @ Flocke Kroes

    Everyone knows that Yahoo run FreeBSD

  67. Gannon (J.) Dick
    Happy

    @jake / selection bias

    "Ralph Lauren Bias" ... I like it. Highlights the weak relation to the Daltrey/Townshend Conundrum (Who Are You/My Wife).

  68. James Butler
    FAIL

    We don't need no steenking research!

    On my Linux boxen (Fedora 4-10) I'm seeing that mmap_min_addr is set to 64k by default ... the recommended fix for this security issue. I'll bet that every other distro besides RHEL (as noted in the article) also has mmap_min_addr set to something other than 0.

    Methinks it's a slow news day, or else this researcher reallyreally wants people to take him seriously. The author could take a few minutes to do some actual research, as well. Torvalds was right ... this isn't a kernel problem, and it looks to be pretty much a non-issue, contrary to the alarmist headline.

    And to you freaks who are taking this opportunity to slam Linux ... your ignorance is showing.

  69. mehfeh

    @AC

    "Anyway, is Linux still alive? I thought everyone moved to BSD a long time ago...."

    Aye, it's probably still alive.

    http://www.google.com/trends?q=bsd%2C+ubuntu

  70. David 141
    Linux

    DOS and Win-16

    @Chronos

    "The problem with so-called "Security Enhanced" Linux is that it re-enabled userland access to page zero (why? Who knows)"

    The main reason seems to be to allow DOS and 16 bit Windows programs to run on Linux under WINE. These are ancient programs designed for a single user machine with no concept of security or memory management. (I'd be interested to see if these programs still run on 64 bit versions of Windows - my experience with them is that often they don't).

  71. Ole Juul

    This is only FUD

    I just checked my unpatched Ubuntu box here and that vulnerability isn't there. The guy that "found" this doesn't know what he's talking about.

  72. David Cuthbert

    Secure OS from scratch...

    Actually, this largely describes the NT kernel. All kernel objects are security-aware, and access is controlled using appropriate ACLs (rather than an overly powerful superuser).

    It was well engineered -- perhaps even over-engineered, and somewhat hard to use. This (in part) led to the rest of the operating system requiring you to run with escalated privileges (Administrator) to do anything useful, an unfortunate design decision which eventually gave birth to UAC to fix.

  73. Anonymous Coward
    Anonymous Coward

    @ Mike Gravgaard, 19:00

    > Well Ubuntu 9.10 x64 is set to (...) 0

    The problem lies with Wine packages for Ubuntu - they quietly install a new file in /etc/sysctl.d/ which overwrites Ubuntu's default setting (65536 - see another file in the same directory) with a zero... Why it has been done this way, especially given only Win16 applications require this, I've got no idea (being disturbingly familiar with dpkg I know for a fact it would be trivial to have the installer ask whether you need to run Win16 applications, possibly explaining it's a potential risk) but it means everyone installing Wine is vulnerable.

    Solution: in /etc/sysctl.d, copy or move 10-process-security.conf (where the 64-kB limit is set) to something like 9999-process-security.conf. This will make sure that whatever other packages do to mmap_min_addr, the last value to be written there will be non-zero. Deleting files installed by Wine there would also work in the short run but they will likely be reinstalled when Wine is updated.
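
An added example (not from any commenter or from The Register) tying together the "sysctl vm.mmap_min_addr" check in comment 18 and the /etc/sysctl.d ordering problem described in the comment above. It scans a sysctl.d-style directory in the same lexical order sysctl -p applies fragments, reports which file ends up setting vm.mmap_min_addr, classifies the value, and walks through the rename-to-9999 fix on a constructed temp directory; the fragment names 10-process-security.conf and 30-wine.conf are stand-ins, and the live value is read from /proc/sys/vm/mmap_min_addr when present.

```shell
#!/bin/sh
# Fragments in a sysctl.d directory are applied in lexical order, so the last
# file that sets vm.mmap_min_addr wins. That is how a 30-wine.conf can undo a
# 10-process-security.conf, and why renaming the latter to 9999-... restores it.

# Scan DIR and record the winning setting in MMA_VALUE / MMA_SOURCE.
# Accepts both "vm.mmap_min_addr = N" and "vm/mmap_min_addr = N" spellings.
last_mmap_min_addr_setting() {
    dir="$1"
    MMA_VALUE=""; MMA_SOURCE=""
    for f in "$dir"/*.conf; do          # glob results are sorted, like sysctl -p
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*vm[./]mmap_min_addr[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then
            MMA_VALUE="$v"; MMA_SOURCE="$f"
        fi
    done
}

# Classify a value: 0 lets unprivileged code map page zero, which is what turns
# a kernel NULL pointer dereference from a crash into a privilege escalation.
mmap_min_addr_status() {
    case "$1" in
        0)            echo vulnerable ;;
        ''|*[!0-9]*)  echo unknown ;;
        *)            echo protected ;;
    esac
}

# Value the running kernel actually enforces; empty if unavailable (non-Linux).
effective_mmap_min_addr() {
    if [ -r /proc/sys/vm/mmap_min_addr ]; then
        cat /proc/sys/vm/mmap_min_addr
    else
        sysctl -n vm.mmap_min_addr 2>/dev/null || true
    fi
}

# Walk-through on constructed fragments: a distro default of 65536, a Wine-style
# fragment resetting it to 0, then the fix (copy the default to a name that sorts last).
demo() {
    d=$(mktemp -d)
    printf 'vm.mmap_min_addr = 65536\n' > "$d/10-process-security.conf"
    printf '# constructed stand-in for a Wine package fragment\nvm.mmap_min_addr = 0\n' > "$d/30-wine.conf"

    last_mmap_min_addr_setting "$d"
    echo "before fix: $MMA_VALUE from $MMA_SOURCE ($(mmap_min_addr_status "$MMA_VALUE"))"

    cp "$d/10-process-security.conf" "$d/9999-process-security.conf"
    last_mmap_min_addr_setting "$d"
    echo "after fix:  $MMA_VALUE from $MMA_SOURCE ($(mmap_min_addr_status "$MMA_VALUE"))"

    live=$(effective_mmap_min_addr)
    echo "running kernel: ${live:-n/a} ($(mmap_min_addr_status "$live"))"
    rm -rf "$d"
}

demo
```

Point last_mmap_min_addr_setting at the real /etc/sysctl.d to see which package's fragment your box is actually honouring; the "running kernel" line is the value that matters until the next sysctl -p.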

  74. pitagora
    FAIL

    local = user can execute commands (a php script can too)

    " Did i read right? This is a local exploit. Therefore the hacker needs to be actually at your computer? In that case not too big an issue."

    @Loki 1: Pretty silly observation. You are right. It's not an issue until you host your website on a shared host (as most people do), and one of the other 100 users on that server decides he wants to root the box :) Because of this, there isn't much stopping him :)

    That, and the fact that even the most innocuous web application vulnerability may lead to total compromise of the box, even though the web server runs on a low priv user (remember now we have a local root exploit :)) Having such a hole in your system is equivalent to running everything as root, and giving root access to every user/customer. It's something that asks for a deface.
