
I urge everyone to use linux-grsec, and avoid the security hole that the vanilla kernel is.

This stuff has been there in grsecurity patchsets for more than 10 (ten) years already.



From the article section on grsecurity, Linus added that this kind of problem is exactly why he has never seriously considered merging the grsecurity patch set; it's full of "this kind of craziness."

How do you reconcile that with suggesting people run this patch? If it were good, Linus would merge it. For me, the fact that it has existed for 10 years and _not_ been merged does not speak highly to its quality.

I feel that any non-kernel dev applying a patch to their kernel is the opposite of a good security recommendation. I'm not nearly as qualified about the tradeoffs between performance and security or even code quality as Linus and the kernel team. That's why I delegate the decision about what code goes in my kernel to them.


> If it were good, Linus would merge it.

Linus hasn't ever been security-minded; in fact, half of the article is about Linus making complaints to Kees with things like "it will be slow to compile, it's a PITA to maintain, I don't understand it, therefore it is crazy and nobody needs this", so if you value security over anything else then Linus isn't the best person to rely on for advice on the topic.

> For me, the fact that it has existed for 10 years and _not_ been merged does not speak highly to its quality

Parts of the grsec patch have been implemented over the years, but not the whole, mostly because Linus doesn't understand the need for most of the features, not for quality reasons.

> I feel that any non-kernel dev applying a patch to their kernel is the opposite of a good security recommendation. I'm not nearly as qualified about the tradeoffs between performance and security or even code quality as Linus and the kernel team. That's why I delegate the decision about what code goes in my kernel to them

The fact that you don't understand why you need it is the very reason why _you_ shouldn't use it. Leave that decision to someone else on your team with experience handling incidents, not to Linus et al.


What's the easiest way to start?


Some distributions carry kernel images with the patchset, e.g. https://wiki.archlinux.org/index.php/Grsecurity



Use Alpine Linux on your servers; it uses grsec by default, and if you can bear it - even on desktop with xfce4.

ArchLinux has linux-grsec as a package; it's enough to pacman -S linux-grsec linux-grsec-headers and boot into it.


I can recommend Debian as well, used its grsec flavour of the Linux kernel package for a few months on my desktops successfully.

I would recommend taking a look at NixOS as well; they have it integrated and it can be as easy as adding an option to your system configuration. If you further add any customization, you will get a unique kernel build for your system, which is said to be ideal security-wise. You can read the details in their manual:

http://nixos.org/nixos/manual/index.html#sec-grsecurity
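Whichever of the distributions above you pick (Alpine, Arch, Debian, NixOS), the step the thread leaves implicit is confirming that the kernel you rebooted into actually carries the patchset. The script below is an added example, not from any commenter or project; it assumes a grsec build's release string contains "grsec", that the kernel config is readable from /proc/config.gz or /boot, and that the patchset exposes its sysctl tree under /proc/sys/kernel/grsecurity.

```shell
#!/bin/sh
# Added example: verify the running kernel is grsecurity-patched.
# Pure helpers take their input as arguments so they can be tested offline.

# is_grsec_release RELEASE -> 0 if the uname -r string looks like a grsec build
# (assumption: distro packages such as Arch's linux-grsec tag the release)
is_grsec_release() {
    case "$1" in
        *grsec*) return 0 ;;
        *)       return 1 ;;
    esac
}

# config_has_grkernsec CONFIG_TEXT -> 0 if CONFIG_GRKERNSEC=y is present
# (CONFIG_GRKERNSEC is the patchset's top-level Kconfig symbol)
config_has_grkernsec() {
    printf '%s\n' "$1" | grep -q '^CONFIG_GRKERNSEC=y$'
}

# read_kernel_config -> prints the running kernel's config, or nothing
read_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

# check_running_kernel -> 0 only if every available signal says "grsec"
check_running_kernel() {
    rel=$(uname -r)
    is_grsec_release "$rel" || { echo "release '$rel' is not a grsec build"; return 1; }
    cfg=$(read_kernel_config)
    if [ -n "$cfg" ]; then
        config_has_grkernsec "$cfg" || { echo "CONFIG_GRKERNSEC not set in kernel config"; return 1; }
    fi
    [ -d /proc/sys/kernel/grsecurity ] || { echo "kernel.grsecurity sysctl tree missing"; return 1; }
    echo "running kernel $rel is grsec-patched"
}

# Run the full check only when executed as grsec-check.sh; when the file is
# sourced for its helper functions nothing runs.
case "$0" in *grsec-check.sh) check_running_kernel ;; esac
```

A wrong bootloader default is the usual way this fails: the package installs fine but the old vanilla image is still what boots, which the release check catches immediately.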



