Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing

solardiz writes "Openwall GNU/*/Linux (or Owl for short) version 3.0 is out, marking 10 years of work on the project. Owl is a small, security-enhanced Linux distro for servers, appliances, and virtual appliances. Two curious properties of Owl 3.0: no SUID programs in the default install (yet the system is usable, including password changing); and logging of who sends messages to syslog (thus, a user can't have a log message appear to come, say, from the kernel or sshd). No other distro has these. Other highlights of Owl 3.0: single live+install+source CD, i686 or x86_64, integrated OpenVZ (host and/or guest), 'make iso' & 'make vztemplate' in the included build environment, ext4 by default, xz in tar/rpm/less, 'anti-Debian' key blacklisting in OpenSSH. A full install is under 400 MB, and it can rebuild itself from source."

Ah Sweet Nostalgia

[ADRA]

While I'm not terribly interested in the distribution itself, its great to see a classic Slashdot story about some major or point release of a semi-well known OSS product.

Re:Not Trolling?

[metrix007]

I am getting modded down because zealots have modpoints.

Most people who use Linux don't review the code nor should they be expected to. We should expect the developers to disclose security problems in a responsible way. They don't, they obscure them.

So yes, the developers do practice security via obscurity. DO I really need to go and link the interview on kerneltrap where they say and defend that practice?

Re:Not Trolling?

[Markos]

http://en.wikipedia.org/wiki/Security_through_obscurity "Software which is deliberately released as open source cannot be said to be relying on security through obscurity (the design being publicly available), but it can nevertheless also experience security debacles (e.g., the Morris worm of 1988 spread through some obscure—though widely visible to those who looked—vulnerabilities)."