
Thread: Can any one Hack Ubuntu ?

  1. #21
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: Can any one Hack Ubuntu ?

    Quote Originally Posted by orange2k View Post
    Nice to know that...
    But then what's the point of having a normal installation with an encrypted home folder (that's the option you can choose when installing Ubuntu) if you are not warned that it doesn't actually protect the data in the home folder from someone who knows how to reset the login password...

    And I thought that my encrypted home folder was safe...
    Cuz it is still encrypted and couldn't be read from a livecd?

    Don't you still need the encryption key you created during install?

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  2. #22
    Join Date
    Apr 2007
    Beans
    534

    Re: Can any one Hack Ubuntu ?

    Quote Originally Posted by CharlesA View Post
    Cuz it is still encrypted and couldn't be read from a livecd?

    Don't you still need the encryption key you created during install?
    I'm not sure, but doesn't the ability to change the user's login password give you access to the encrypted home folder even without the encryption key?

  3. #23
    Join Date
    Apr 2007
    Beans
    534

    Re: Can any one Hack Ubuntu ?

    Oh I see, now that I've read this I feel a little safer now...
    http://askubuntu.com/questions/12020...-no-passphrase

  4. #24
    Join Date
    Mar 2011
    Beans
    701

    Re: Can any one Hack Ubuntu ?

    Quote Originally Posted by rookcifer View Post
    Execshield accomplishes nothing NX doesn't. It was written to emulate NX on 32 bit platforms that didn't have it built into the hardware. This is all native in the kernel now, thus making Execshield unneeded in most cases.



    As for PIE's, Ubuntu ships with the most vulnerable services compiled with PIE support (and on 64 bit systems as well). Things like CUPS, udev, dhclient, ntpd, sshd, as well as the browsers. I think this is fine for a desktop box.

    I think Ubuntu is among the best of all binary mainstream distros when it comes to security.
    Hence why I said that execshield isn't a big deal as Ubuntu ships with all NX enabled binaries by default. Where execshield is nice is for forcing binaries that don't use it. This is rarer these days.

    As for PIE, all services are vulnerable. There's really no excuse for not at least having a test build for it - there shouldn't be any performance hit on 64bit and tons of services (pulseaudio for example, other root services like rsyslogd) aren't running PIE. While they have it enabled in really critical services like dhclient it's still important for it to be used in others.
    Last edited by Hungry Man; September 11th, 2012 at 10:44 PM.

  5. #25
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Can any one Hack Ubuntu ?

    Quote Originally Posted by Hungry Man View Post
    Hence why I said that execshield isn't a big deal as Ubuntu ships with all NX enabled binaries by default. Where execshield is nice is for forcing binaries that don't use it. This is rarer these days.
    According to checksec, every running process on my system has NX enabled, so I think we're good there.

    As for PIE, all services are vulnerable. There's really no excuse for not at least having a test build for it - there shouldn't be any performance hit on 64bit and tons of services (pulseaudio for example, other root services like rsyslogd) aren't running PIE. While they have it enabled in really critical services like dhclient it's still important for it to be used in others.
    It's a lot of work for some services. Pulseaudio is a monster blob of complicated code. According to checksec, PA has everything enabled but PIE (it has Full RELRO, NX and a canary).

    I am sure the Ubuntu security team would like to have everything compiled with full PIE at some point (I think this is their goal), but it will take a little time.

    IIRC, some of the PaX code is going to be merged to the mainline kernel one of these days (or at least it has been talked about). That should help strengthen the ASLR of the vanilla kernel a bit. Right now, the default ASLR built into the vanilla kernel is already a bit stronger than what Windows offers.
    Occam's Razor for computers: Viruses must never be postulated without necessity -- nevius


  6. #26
    Join Date
    Mar 2011
    Beans
    701

    Re: Can any one Hack Ubuntu ?

    IIRC, some of the PaX code is going to be merged to the mainline kernel one of these days (or at least it has been talked about). That should help strengthen the ASLR of the vanilla kernel a bit. Right now, the default ASLR built into the vanilla kernel is already a bit stronger than what Windows offers.
    It's been talked about for a long long time. Pretty much everything starts off in PaX though and ends up mainline under another name (and often a faulty implementation...).

    Windows ASLR has a big weakness in that VirtualAllocEx() is not randomized whereas all mmap() is randomized on Linux. In terms of entropy Windows would probably be ahead but if you use PaX/Grsecurity you can up the entropy and also enable some other features that prevent ASLR bruteforcing.

    But only the randomized mmap is there by default.

    It's a lot of work for some services. Pulseaudio is a monster blob of complicated code. According to checksec, PA has everything enabled but PIE (it has Full RELRO, NX and a canary).
    Pretty sure other distros like Fedora have it enabled. Can't be sure / haven't checked, but after Spender showed that fun exploit a while back there was some buzz for a bit that probably spurred it.

    It's been "talked about" for a long time. It would be nice if they actually had test builds out. I haven't been tracking the progress, for all I know they're working on it, but what I do know is that it's not mainline yet.
