[haiku-development] AW: Re: Security
- From: Axel Dörfler <axeld@xxxxxxxxxxxxxxxx>
- To: <haiku-development@xxxxxxxxxxxxx>
- Date: Tue, 2 Sep 2014 10:37:59 +0200
Sean wrote:
> Does haiku even offer any reasonably easy exploits ? it lacks many features
> AFAIK that would offer a path of explotation to begin with.
> I had a hardcore linux hacker in my house try to hack my haiku machine for
> giggles once. He didnt get anywhere with it.
You won't get very far trying to hack Haiku in its default settings; there
shouldn't even be any open ports. If SSH is turned on, it will be as hard to
hack as any other system using a current OpenSSH package.
The only real threat is via bugs in user applications like the WebPositive,
MediaPlayer, Mail, or ImageShow (resp. the add-ons juggling the data in the
background). IOW you will somehow need the user to open your files or web site
that exploits a bug, and manage to execute code on his system. While we use
ASLR, and the no-execute bit, there might be ways to work around those.
Since you usually run as root, once someone manages to run code locally, it can
do all sorts of damage, and not just to your own files, but it could also
install a key logger, for example. The latter is something that multi user
might actually be able to prevent, the rest is pretty much the same as on any
other system with those security features. In theory, that makes it more secure
than FreeBSD, for example, which does not support ASLR yet AFAIK. Also, Windows
only has it enabled for applications that are built with that feature.
And since we're using (with the exception of ffmpeg) up to date open source
libraries, I think there should not be much of a problem using Haiku on a
network (compared to other systems).
Bye,
Axel.
Other related posts:
