Older blog entries for huagang (starting at number 18)

4 May 2004 (updated 4 May 2004 at 01:28 UTC) »
Sasser worm

It seems that this worm do not have the high impact on the network like blaster or nachi. But seems the new virant have much more high impact now.

From all the worm outbreak, we can tell since human naturaly are lazy, it wont solve the problem if you ask people to patch the system. A lot of solution has come out, like IDS,IPS, HIDS and buffer overrun prevetion tool, but it still wont solve the problem if MS still dominate the OS world.

One possibility is to make the OS variant, with randomize library, ramdomize DLL name etc. :-(

9 Apr 2004 (updated 9 Apr 2004 at 06:08 UTC) »
LIDS 2.2.0pre2 2.6.5

Okay...make it online.

I am pretty happy that tomorrow is "big friday" and I can use the whole day to read the new book The shellcoder's Handbook. I was wondering how reliable the book will explain the windows heap overflow.

Per-inode ACL and performance enhancement

The new version of LIDS 2.2 will remove the origninal xattr support, but will use the inode labeling concept to enhance the acl search/labeling performance.

The new version compatible with old version of LIDS, the only difference is after all the lidsconf acl, user need to do a

#lidsconf -C

to compile the acl into a binary file..kernel will read this binary file to parse it. The benifit is now kernel only need to read one file and will not do all the atoi() etc..and will make it more secure.

The new version make the lidsconf do more job and let the kernel do less job. Now not only the process have the object list (a simple one, only contain a sid and oid and a inherit ) and the object also have a list showing which program have what kind of permisson on it. In this way, process will do all the inherit merging staff and checking its acl with the object inode's peromssion bits.

Another enhancement is when fetching an inodes' acl, if it is not attached, will go to check its parent dir until found an acl. once found, the acl will attached to it and all the parent directory. In this way, the next time, when the same inode being accessed, it will get the acl right away, even if the file is not the same, but in the same directory, it will only go up once to its direct parent and get the inode. This way will accelate the performance when doing acl comparision/checking.

17 Mar 2004 (updated 17 Mar 2004 at 22:36 UTC) »
ACL included with tarball?

I was thinking of making a new directory under the lidstools to include the most useful acls. For example, ACLs for apache, Acls for bind etc. I guess that will help the first-time user to make it easier to pick it up.

Good or Bad on time support

After the version release, there some post on the mailing list disappoited about some of features remove, especially the time support. I explained to one of the post.

Comparing the more memory needed , more function to support it with the actually usefulness of the function, I decided not to support this feature. When you have the time support, you can specify at what time range the subject(program) can access the object(file), without it, the program can always can write to the object(file), from the security point of view, the time support do not increase the security bar, because the attacker can launch the attack at the specific time or just try every one min.

11 Mar 2004 (updated 11 Mar 2004 at 06:44 UTC) »
Release LIDS 2.2.0pre1 for 2.6.3

Finally!! After a few test on other machine. And in the last minitus adding netlink support to make "iproute2" can be controled by capability(a bug report on lids-user mailing list).

Check it out on http://www.lids.org

QA by myself

More QA testing on the whole package again and enhance a few thing. One nice feature is to add the object filename in xattr, which will let the user know which file has the permission on which object file.

Fedora Core I

Install a Fedora Core I and configure it to use LIDS 2.2..found one minor problem is the ACL setting on sshd can not be automatically attaching to the sshd which is still running in the system. I have to do a "+RELOAD_CONF" to make it effetive. ;_((.. but anyway, It should not make user confuse since we still have to do it for now.

release it today ??

let's see, if I find any problem or not..I already finished a draft for the new features and the website content changed. Hope I can make it today.

Code cleanup

It is really a good day today.

Moving those #ifdef to a include/header file. and split up some of overly long functions. Make some function to be 'static'.

The only thing lefe is some document about the new xattr support. after that, the new version will be out!

CRYPTO API support finished!

Since kernel has the cryptoapi support in the kernel( see crypto/ directory under the kernel source), there is no need for LIDS still putting RMD160 in the kernel. So We switch to use one of the crypto api..In order to make current LIDS user do not feel the underground change, a new method is used to replace the rmd160 by sha256. The kernel code has been ported to the userspace and be used by lidsadm/lidsconf to read/generate the password without the kernel. And in the LIDS kernel part, using the cryptoapi, it is very easy to cryto the password and do the comparsion. The code do not change a lot, just a few line added and removed. The only problem I run into is the over large memset a buffer which cause some memory to be 0..:-(( any way, now everything seem fine.

My todo list lefe a code clean and then we can release this new version.!!

I am pretty happy now. Thanks to GPL, I can check a lot of open source code before I write my own..that really help.

STATE support done

Although I thought maybe I should release it before the state support, anyway, after I finished the lidstools part support, and the kernel part code seems easy to do. The only problem let me stop for a while is the a new file/inode created in a privilege directory. Before that, it is easy, just copy what the current dir's inode-i_security, but now, the default acl and current state's acl need to copy into the new one.

One problem I always think is the dynamic inode, which has the same filename. for example, /etc/shadow will be change the inode after a new user has been added/detected. for now, it will just be the same as the "/etc/", can not be hidden any longer.

inode,dentry, file, dir.

9 older entries...

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!