Solar Designer on Openwall GNU/*/Linux
Solar Designer is one of the most important security experts on the Net. He developed the famous Unix password cracker John The Ripper and popa3d, a secure POP3 daemon, but also a security-enhanced GNU/Linux distro: Openwall GNU/*/Linux.
In this email interview I asked some questions about the present and future of this interesting GNU/Linux system.
1) First of all, why have you decided to create a security-enhanced Linux distro? Is Linux a better choice than OpenBSD and *BSD in general?
S.D. There's real demand specifically for security-enhanced Linux systems. Linux is widespread, it has good hardware support, there's a lot of software available for it (including some commercial packages), and there are system administrators with specific Linux skills. Of course, OpenBSD and other *BSDs have their user bases, too - and people are working on the security of those systems.
No, Linux (the kernel) is not a better choice than *BSDs security-wise. But it is not substantially worse either.
2) Owl 2.0 uses a patched 2.4.32 kernel. Is this because the 2.6 kernel is still considered insecure?
S.D. Not quite. Rather it's because we have only invested our time in reviewing, patching, and fully supporting 2.4.x kernels so far, and we couldn't change the major kernel version shortly before making a stable release of Owl.
3) Can you explain why Owl uses separate shadow files to store users' passwords?
S.D. This is explained in the tcb(5) man page on Owl and also in our presentation slides [ http://www.openwall.com/presentations/Owl/ ].
This alternative password shadowing scheme makes it possible for users to change their own passwords without having to run a root-privileged program. On Owl, the "passwd" program is not SUID root; rather, it is granted just enough privilege to enforce a password policy. This and our other security enhancements make it possible to run a perfectly functional Owl system without a single SUID root program.
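The property described in this answer, a system that runs with no SUID root program at all, is something an administrator can verify rather than take on faith. The following shell functions are an added example written for this page; they are not Owl's own tooling and assume a POSIX shell with `find` and `ls` (the directory paths passed in are up to the caller):

```shell
#!/bin/sh
# Added example, not from the interview or from Owl.
# Helpers for auditing set-UID executables, so the claim
# "no SUID root program" can be checked on a real system.

# is_suid FILE: exit 0 if the set-UID bit is set on FILE, 1 otherwise.
# The POSIX "-u" test checks exactly that bit.
is_suid() {
    [ -u "$1" ]
}

# list_suid DIR: print owner and path of every set-UID regular file
# below DIR on the same filesystem (-xdev), one "ls -ld" line each.
# -perm -4000 matches files with the set-UID bit regardless of other bits.
list_suid() {
    find "$1" -xdev -type f -perm -4000 -exec ls -ld {} \; 2>/dev/null
}

# count_suid DIR: number of set-UID regular files below DIR.
count_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# count_suid_root DIR: same, restricted to files owned by root.
# On a system built the way the answer describes, this should be 0.
count_suid_root() {
    find "$1" -xdev -type f -perm -4000 -user root 2>/dev/null | wc -l | tr -d ' '
}

# Example invocation (assumed paths; adjust for your system):
#   list_suid /usr/bin
#   echo "root-owned set-UID files under /usr: $(count_suid_root /usr)"
#   is_suid "$(command -v passwd)" && echo "passwd is set-UID"
```

Run `count_suid_root` over each directory tree that holds executables; a non-zero result on a system that is supposed to have none is a finding worth explaining, and `list_suid` shows which files are responsible.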
4) Postfix, popa3d, BIND. Why didn't you include security-enhanced versions of Apache, PHP, and MySQL?
S.D. Apache is planned for future versions of Owl. PHP and MySQL will likely be in unsupported Owl add-ons, along with other software. We'd like to keep the Owl base system small, and limited only to software for which we can guarantee a certain level of quality.
5) Do you plan to add a package/update manager like Yum in the next release of Owl?
S.D. Owl has a package manager - it's RPM - although we dislike RPM for its low code quality and code bloat. Yes, we're considering introducing an auto-updater such as yum, although this is not specifically "planned". I don't think it is currently at all hard to update Owl systems. It's a matter of running the lftp "mirror" command (to retrieve any updated packages) followed by a "make installworld". There are, however, other reasons in favor of the introduction of an auto-updater such as yum - e.g., integration with OpenVZ.
6) What features are you currently working on for the next release?
S.D. We're currently in the process of defining the roadmap for the next release. We've identified many potential areas to work on, of which we'll only pick a few for the next release - in addition to all the usual updates to new software versions.