
Linux Links of the Week


GeekT.org. Have you worn holes in all of your favorite T shirts? Do you want to make a techno-nerd fashion statement? Check out GeekT.org; they are offering "Geek history through T Shirts" with the purpose of immortalizing unusual shirts.

Section Editor: Forrest Cook


January 11, 2001

This week in history


Two years ago (January 14, 1999 LWN): Creative Labs was in the news concerning the release of information on their Sound Blaster Live card. The company had done a turnaround in policy, starting with the position of not wanting to release its proprietary information and ending with a job posting for a Linux programmer. One can now find a device driver for the Emu10K chip in the Linux kernel source.

LinuxWorld.com ran an article on the Gimp and some potential problems due to two principal developers leaving. "If the story of Gimp's development represents an emerging pattern, then all is not well for open source software." With the recent release of Gimp 1.2, it appears that the problems were overrated.

The press pundits were predicting that 1999 would be the year of Linux, which it was, as was 2000 and as 2001 will be ...

The OpenSSL project was announced. Its goal of creating an open-source full featured secure communications package has been reached, and it is still going strong.

The development kernel was version 2.2.0 pre7 with the 2.2.0 release coming soon. Various Linux distributions were readying their systems for the new kernel. Also, the Kernel Traffic newsletter was introduced.

In the development world, Gnome 0.99.3, code named Profiling Bonobo was released. Digital Creations opened up the source code to DCOracle, a Python extension to the Oracle database.

Corel introduced their Netwinder thin server product which ran Corel's own port of Linux.

One year ago (January 13, 2000 LWN): The Uniform Computer Information Transactions Act was attracting opposition. It contained a number of unpleasant components for the customers of commercial software, including remote shutdown code, contracts that could not be read until the box was opened, and transferability restrictions. Reverse engineering was also under attack, something that affected Linux developers. UCITA has since passed in a small number of states in the US and still remains as a threat.

Michael Tiemann, formerly of Cygnus, moved into the position of Red Hat's Chief Technical Officer after the acquisition of Cygnus by Red Hat. Red Hat also managed to complete a stock split; things were riding high and wild in the world of Linux stocks.

The second draft of the US cryptography regulations was discussed; some of the rules were about to be relaxed. This affected Linux in that the kernel could contain more secure versions of the encryption software without the need for user intervention.

The development kernel was up to version 2.3.39 with a 2.3.40 prepatch available. Lots of USB changes were in progress along with many other things. The stable kernel was version 2.2.14.

In the world of distributions, it was claimed that the Chinese government may have banned Windows 2000 in favor of Red Flag Linux. Copies of Red Flag Linux were impossible to track down though, and its existence was questioned. To top it off, the Chinese government was denying the authenticity of the report. In any case, the security implications of any government relying on closed source operating systems were being scrutinized.

The Linux Professional Institute announced free Linux exams and signed up over 300 people in a short time.

Caldera filed for its IPO, and was in the process of building up its Linux for Business platform. Caldera succeeded in going public, and later acquired SCO, now renamed Tarantella.

Linux One's IPO filing wasn't looking very likely to succeed; people in the financial world were beginning to notice the real lack of technical substance in the company.

Letters to the editor


Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.
Date: Thu, 4 Jan 2001 22:59:55 -0800
To: lwn@lwn.net
From: David Fickes <david@advicepress.com>
Subject: Lynux IPO filing...

One of the issues you mention is the CEO being in debt to the company. This is a very common way to give stock to a key person (or a founder) without triggering all sorts of filing and tax issues. Essentially, the company loans the money and then the money is used to pay for stock at the current valuation level. The assumption is that this is easier and more solid than options (which can be a bar to future private placements and are not tangible) or outright grants (which are a problem with current shareholders). Normally, one cannot sell stock cheaper than the current valuation price without triggering tax issues and also angry current shareholders.

This is so common, it's almost not worth mentioning. It is interesting because if you follow the money on each of these transactions, you will also uncover the valuation price at the moment each of these events occurs. Usually you can then find out where the various VC and other companies/investors bought in.

-d

-- 
David Fickes		                 +1 650 620-9905
ADVICE Press		                 +1 650 620-9906 fax
951 Old County Road Suite 103            david@advicepress.com
Belmont, CA 94002                        www.advicepress.com 

Date: 5 Jan 2001 18:27:27 -0000
From: Eric Smith <eric@brouhaha.com>
To: letters@lwn.net
Subject: setuid and GTK+

Gentlemen,

In the Security section of your 4-Jan-2001 issue, you talk about the
BugTraq discussion of the possibility of insecure GTK+ modules being
used in setuid or setgid programs:

    It can be argued that GTK+ should force an abort if the program
    using that library is running as setuid or setgid. But this is the
    wrong way to handle this issue. Libraries shouldn't enforce policy -
    if you want to shoot yourself in the foot, you should be able to do
    so. What GTK+ could do is provide hooks for applications to request
    this enforcement, but not enable it by default.

Libraries shouldn't *rigidly* enforce policy.  But I don't see what would
be wrong with having GTK+ abort by default in dangerous situations, and
require applications to do something special if they want to prevent this.

It is much better to have things be secure by default, and require special
action to make them insecure.

If anything like this is done, there should also be a way for the system
administrator to set a system-wide policy disallowing such applications;
perhaps an rc file in /etc/ would do the job.  I'd even settle for a
compile-time option, but most people don't want to recompile their
system libraries.

Of course, a sysadmin that is worried about such things should also
routinely use find to inventory all the setuid and setgid programs,
and make sure that he or she knows *why* those programs are setuid or
setgid:

    #!/bin/sh
    # Walk every mount point listed in /proc/mounts, skipping the proc
    # filesystem and pseudo devices named "none", and list every file
    # with the setuid or setgid bit set.
    for fs in $(awk '{ if (($3 != "proc") && ($1 != "none")) print $2 }' </proc/mounts)
    do
      echo "scanning $fs for setuid and setgid programs"
      # -perm /6000 matches either bit (older GNU find spelled it +6000);
      # -mount keeps find from crossing into other filesystems.
      find "$fs" -mount -perm /6000 -ls
    done

On systems I administer, I turn off the setuid bits on many
standard programs, and remove others.  For instance, suidperl seems
like an incredibly bad idea to me.  I'm not trying to pick on suidperl,
I'm only using it as an example.  It may well be the case that the authors
of suidperl have done a thorough security audit, but it's easier for
me to remove it rather than worry about it.

Happy new millennium!
Eric Smith
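The secure-by-default scheme the letter proposes, written out as an added example in C that is neither Eric Smith's code nor GTK+'s: a library entry point refuses to continue in a setuid/setgid process unless the application has opted out, and a system-wide policy file can forbid that opt-out. The policy file, its `setuid_gui = allow|forbid` syntax and every function name here are assumptions.

```c
/* Added example, not code from the letter or from GTK+: library init in
 * the shape Eric Smith describes. A setuid/setgid process is refused unless
 * the application opted out, and an /etc policy file can forbid that. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
enum policy  { POLICY_ALLOW_OPT_OUT, POLICY_FORBID_OPT_OUT };
enum verdict { VERDICT_RUN, VERDICT_ABORT };
/* Real and effective IDs differ while a setuid/setgid binary runs. */
int running_setugid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Parse the hypothetical rc text line by line; '#' starts a comment. No
 * setting keeps the application's opt-out available; unknown values fail closed. */
enum policy parse_policy(const char *text)
{
    enum policy pol = POLICY_ALLOW_OPT_OUT;
    char line[128], value[16];
    while (*text != '\0') {
        size_t n = strcspn(text, "\n");
        size_t len = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        text += n + (text[n] == '\n');
        if (line[0] != '#' && sscanf(line, " setuid_gui = %15s", value) == 1)
            pol = strcmp(value, "allow") == 0 ? POLICY_ALLOW_OPT_OUT
                                              : POLICY_FORBID_OPT_OUT;
    }
    return pol;
}

/* Only a privileged process can be refused; an opt-out counts only if the sysadmin permits it. */
enum verdict decide(int privileged, int app_opts_out, enum policy pol)
{
    if (!privileged) return VERDICT_RUN;
    if (app_opts_out && pol == POLICY_ALLOW_OPT_OUT) return VERDICT_RUN;
    return VERDICT_ABORT;
}

/* Library entry point: abort on a refused verdict. policy_text stands in for the rc file. */
void lib_init(int app_opts_out, const char *policy_text)
{
    enum policy pol = parse_policy(policy_text);
    if (decide(running_setugid(), app_opts_out, pol) == VERDICT_ABORT) {
        fputs("refusing to run setuid/setgid without permission\n", stderr);
        abort();
    }
}
```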

Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds