TL;DR: This article looks at the hardening schemes available out of the box in popular Linux distributions. For each one we analyzed the default kernel configuration, downloaded every package, and analyzed the security properties of the binaries shipped in them. The distributions covered (see Table 1) are OpenSUSE 12.4, Debian 9, CentOS 6.10 and 7, RHEL 6.10 and 7, and Ubuntu 14.04, 16.04 and 18.04 LTS.
The results show that even basic schemes such as stack canaries and position-independent code are still not adopted everywhere. The picture is worse again for compiler-level protection against vulnerability classes such as stack clash, which attracted attention after its public disclosure.
Our review found that Ubuntu 18.04 implements the largest number of protections at both the OS and the application level, followed by Debian 9. OpenSUSE 12.4, CentOS 7 and RHEL 7, on the other hand, implement the basic protection schemes plus stack clash protection, and because their default package set is denser, that protection is applied more widely.
Introduction
Ensuring high software quality is hard. Despite the enormous number of advanced tools for static code analysis and dynamic runtime analysis, and despite major progress in compilers and programming languages, modern software is still riddled with vulnerabilities that attackers exploit all the time. The situation is worse still in ecosystems that include legacy code. There we face not only the eternal problem of finding exploitable bugs, but also the constraints of strict backward-compatibility frameworks, which often force us to keep vulnerable code or, worse, to preserve buggy behaviour.
This is where methods for protecting, or hardening, programs come in. Some classes of bugs cannot be prevented, but the problem can be partially solved by making those bugs harder for an attacker to exploit. Protections of this kind are used in every modern operating system, but the approaches differ greatly in complexity, effectiveness and performance cost.
CVE and security
Everyone has seen articles with titles like "the most vulnerable applications of the year" or "the most vulnerable operating systems". They usually present statistics on the total number of vulnerability records, such as the following.
As an example, consider the total number of CVEs for the Linux kernel and for the four most popular server distributions (Ubuntu, Debian, Red Hat Enterprise Linux, OpenSUSE) over the past several years.
Figure 1
What does this graph tell us? Does a larger number of CVEs mean that one distribution is more vulnerable than another? No. For instance, this article will show that Debian has stronger security mechanisms than OpenSUSE or Red Hat Linux, and yet Debian also has more CVEs. That does not necessarily mean weaker security: the existence of a CVE does not by itself say whether a vulnerability is exploitable. The assigned severity score indicates how dangerous exploitation would be, but whether the bug is exploitable in the end depends heavily on the protections present on the affected system and on the attacker's resources and skill. Conversely, the absence of a CVE report says nothing about unregistered or unknown vulnerabilities. Differences in CVE counts can come from factors other than software quality, such as the resources spent on testing or the size of the user base. In this example, Debian's higher CVE count may simply reflect that Debian ships more software packages.
Of course, the CVE system does provide useful information for building the right protections. The better we understand why programs fail, the easier it is to identify likely exploitation methods and to develop suitable mechanisms for detection and response. Figure 2 shows the categories of vulnerabilities across all the distributions over the past several years.
Figure 2
Task
In this article we aim to answer the following questions:
- What is the security posture of the various Linux distributions? Which protection mechanisms exist for the kernel and for user-space applications?
- How has the adoption of security mechanisms changed over time across distributions?
- What are the average dependency counts of packages and libraries in each distribution?
- Which protections are implemented in each binary?
Choice of distributions
It turns out to be hard to find accurate statistics on distribution installs, since in most cases download counts do not reflect actual installs. However, Unix variants make up the bulk of server systems (69.2% of web servers, …
| Distribution / version | Kernel | Build |
|---|---|---|
| OpenSUSE 12.4 | 4.12.14-95.3-default | #1 SMP Wed … 5 06:00:48 UTC 2018 (8a29d63) |
| Debian 9 (stretch) | 4.9.0-8-amd64 | #1 SMP Debian 4.9.130-2 (2018-10-27) |
| CentOS 6.10 | 2.6.32-754.10.1.el6.x86_64 | #1 SMP Tue … 15 17:07:28 UTC 2019 |
| CentOS 7 | 3.10.0-957.5.1.el7.x86_64 | #1 SMP Fri … 1 14:54:57 UTC 2019 |
| Red Hat Enterprise Linux Server 6.10 (Santiago) | 2.6.32-754.9.1.el6.x86_64 | #1 SMP Wed … 21 15:08:21 EST 2018 |
| Red Hat Enterprise Linux Server 7.6 (Maipo) | 3.10.0-957.1.3.el7.x86_64 | #1 SMP Thu … 15 17:36:42 UTC 2018 |
| Ubuntu 14.04 (Trusty Tahr) | 4.4.0-140-generic | #166~14.04.1-Ubuntu SMP Sat … 17 01:52:43 UTC 20… |
| Ubuntu 16.04 (Xenial Xerus) | 4.15.0-1026-gcp | #27~16.04.1-Ubuntu SMP Fri … 7 09:59:47 UTC 2018 |
| Ubuntu 18.04 (Bionic Beaver) | 4.15.0-1026-gcp | #27-Ubuntu SMP Thu … 6 18:27:01 UTC 2018 |

Table 1
Analysis
Let's look at the default kernel configuration and at the properties of the packages available by default through each distribution's package manager. We therefore consider only packages in each distribution's default format, ignoring packages from unstable repositories (such as Debian's testing) and third-party packages (such as Nvidia packages in the standard format). We also do not consider custom kernel builds or security-hardened configurations.
Kernel configuration analysis
We applied an analysis script based on …
In general, newer kernels have stricter settings available out of the box. For example, CentOS 6.10 and RHEL 6.10, both on kernel 2.6.32, lack most of the important features implemented in newer kernels.
One thing to keep in mind when interpreting the results is that some kernel configuration options that increase the attack surface can also be used for security. Examples include uprobes and kprobes, kernel modules, and BPF/eBPF. Our recommendation is to use these mechanisms to provide real protection: they are not easy to abuse, since exploiting them presupposes that an attacker already has a foothold in the system. However, when these options are enabled, system administrators should actively monitor them for abuse.
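The following script is an added example of the kind of kernel-configuration check described in this section; it is not the article's own analysis script, which is not reproduced on the page. It parses a kernel .config, compares it against a short hardening checklist, and separately lists enabled options (kprobes, uprobes, modules, the BPF syscall, /dev/mem) that widen the attack surface and deserve monitoring rather than a pass/fail verdict. The checklist is my selection, not the article's; the alternative option names cover renames between kernel versions (CONFIG_CC_STACKPROTECTOR_STRONG became CONFIG_STACKPROTECTOR_STRONG in 4.18, CONFIG_DEBUG_RODATA became CONFIG_STRICT_KERNEL_RWX in 4.11), and an option that is absent altogether, as on a 2.6.32 kernel that predates it, is counted as unset. The embedded configuration is constructed sample input.

```python
"""Check a kernel .config against a short hardening checklist and list the
options that widen the attack surface. Added example, not the article's script."""
import re
import sys

# (accepted option names, expected value). Alternative names cover renames:
# CONFIG_CC_STACKPROTECTOR_STRONG became CONFIG_STACKPROTECTOR_STRONG in 4.18,
# CONFIG_DEBUG_RODATA became CONFIG_STRICT_KERNEL_RWX in 4.11.
HARDENING_RULES = [
    (("CONFIG_STACKPROTECTOR_STRONG", "CONFIG_CC_STACKPROTECTOR_STRONG"), "y"),
    (("CONFIG_RANDOMIZE_BASE",), "y"),                      # KASLR
    (("CONFIG_STRICT_KERNEL_RWX", "CONFIG_DEBUG_RODATA"), "y"),
    (("CONFIG_HARDENED_USERCOPY",), "y"),
    (("CONFIG_VMAP_STACK",), "y"),
    (("CONFIG_PAGE_TABLE_ISOLATION",), "y"),
    (("CONFIG_SLAB_FREELIST_RANDOMIZE",), "y"),
    (("CONFIG_BPF_JIT_ALWAYS_ON",), "y"),
    (("CONFIG_DEVKMEM",), "n"),
    (("CONFIG_PROC_KCORE",), "n"),
]
# Legitimate tooling that also helps an attacker who already has a foothold;
# reported separately so an administrator knows what to monitor.
ATTACK_SURFACE_OPTIONS = ["CONFIG_KPROBES", "CONFIG_UPROBES", "CONFIG_MODULES",
                          "CONFIG_BPF_SYSCALL", "CONFIG_DEVMEM"]

SET_RE = re.compile(r"^(CONFIG_\w+)=(.+)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_config(text):
    """Map option name -> value ('y', 'm', 'n' or a literal) from .config text."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
            continue
        m = UNSET_RE.match(line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg


def check_hardening(cfg):
    """Return (option, expected, actual, ok) per rule. An option that is absent,
    as on old kernels that predate it, counts as 'n'."""
    results = []
    for names, expected in HARDENING_RULES:
        present = [n for n in names if n in cfg]
        name = present[0] if present else names[0]
        actual = cfg.get(name, "n")
        results.append((name, expected, actual, actual == expected))
    return results


def attack_surface(cfg):
    """Attack-surface options that are enabled, built in or as a module."""
    return [o for o in ATTACK_SURFACE_OPTIONS if cfg.get(o, "n") in ("y", "m")]


def summarize(text):
    cfg = parse_config(text)
    results = check_hardening(cfg)
    return {"passed": sum(1 for r in results if r[3]), "total": len(results),
            "failed": [r[0] for r in results if not r[3]],
            "monitor": attack_surface(cfg)}


# Constructed sample resembling a 4.15-era distribution config (not a real file).
SAMPLE_CONFIG = """\
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_VMAP_STACK=y
CONFIG_PAGE_TABLE_ISOLATION=y
# CONFIG_SLAB_FREELIST_RANDOMIZE is not set
# CONFIG_BPF_JIT_ALWAYS_ON is not set
# CONFIG_DEVKMEM is not set
CONFIG_PROC_KCORE=y
CONFIG_KPROBES=y
CONFIG_UPROBES=y
CONFIG_MODULES=y
CONFIG_BPF_SYSCALL=y
CONFIG_DEVMEM=y
"""

if __name__ == "__main__":
    # Typical invocation: python3 kconfig_check.py /boot/config-$(uname -r)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    report = summarize(text)
    print(f"{report['passed']}/{report['total']} hardening checks passed")
    for name in report["failed"]:
        print(f"  FAIL    {name}")
    for name in report["monitor"]:
        print(f"  MONITOR {name} is enabled")
```

Point it at /boot/config-$(uname -r) (readable on most distributions) or at the .config of a kernel tree. The MONITOR lines are deliberately not failures: the text above argues that kprobes, modules and BPF provide real protection value, so the right response to seeing them enabled is auditing (for example, watching module loads and BPF program attachments), not disabling them.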
Looking at the entries in Table 2 more closely, modern kernels offer several options that prevent the exploitation of vulnerabilities such as information leaks and stack/heap overflows. However, we noticed that the current mainstream distributions still do not implement some of the more complex protections (such as …).
Application analysis
Naturally, different distributions differ in package characteristics, compile options, library dependencies and so on.
Distribution
Extracting only packages in the default format, we downloaded the full package set of every distribution. Packages containing no ELF executables (sources, fonts and so on) were ignored; the packages that remained after filtering, and the binaries they contain, make up the dataset. The distribution of packages and files across distributions is shown in Figure 3.
Figure 3
You may notice that the more recent a distribution is, the more packages and binaries it contains, which is to be expected. However, Ubuntu and Debian packages contain more binaries (executables as well as dynamic modules and libraries) than CentOS, SUSE and RHEL, which may affect the attack surface of Ubuntu and Debian (note that the figures cover all binaries in all versions, so some files are analyzed more than once). This matters especially once dependencies between packages are taken into account: just as a vulnerable library affects every binary that imports it, a vulnerability in a single package's binary can affect many parts of the ecosystem. As a starting point, let's look at the distribution of the number of dependencies between packages in the various operating systems.
In almost all distributions, 60% of packages have at least 10 dependencies, and some packages have a very large number of them (over 100). The same applies to reverse dependencies: as expected, a handful of packages are used by many other packages in the distribution, so a vulnerability in one of those few packages is high risk. As an example, the following table lists the 20 packages with the highest number of reverse dependencies in SLES, CentOS 7, Debian 9 and Ubuntu 18.04 (each cell shows the package and its number of reverse dependencies).
Table 3
An interesting fact: all the analyzed operating systems are built for the x86_64 architecture, and most packages declare their architecture as x86_64 or x86, but as Figure 5 shows, packages may also contain binaries for other architectures.
Figure 5
The next section describes the properties of the analyzed binaries in more detail.
Protection statistics for binary files
At a minimum, the basic set of security options of existing binaries should be examined. Several Linux distributions ship a script that performs such checks; Debian and Ubuntu, for example, provide hardening-check. An example of its output:
$ hardening-check $(which docker)
/usr/bin/docker:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: yes
The script checks five properties:
- Position Independent Executable (PIE): whether the program's text section can be relocated in memory so that, with ASLR enabled in the kernel, its placement is randomized.
- Stack protected: whether stack canaries are enabled to protect against stack smashing attacks.
- Fortify Source: whether unsafe functions (such as strcpy) are replaced with safer alternatives and whether calls that can be checked at run time use the checked variants (for example, __memcpy_chk instead of memcpy).
- Read-only relocations (RELRO): whether the relocation tables are marked read-only once they have been resolved, before execution starts.
- Immediate binding: whether the runtime linker resolves all relocations before the program starts executing (together with RELRO this gives full RELRO).
Are the mechanisms above sufficient? Unfortunately, no. Ways to bypass every one of them are known, but the stronger the defenses, the higher the bar for the attacker. For example, …
We wanted to know how many binaries in the distributions in question are protected by the above and by a few further mechanisms:
- Non-executable bit (NX) prevents execution in regions that are not meant to be executable, such as the stack or the heap. RPATH/RUNPATH specify the search paths the dynamic loader uses to find matching libraries. The first is a must on modern systems: without it an attacker can write a payload anywhere in memory and execute it directly. The second, if the search path is misconfigured, can introduce untrusted code and lead to many problems (such as privilege escalation and other issues).
- Stack clash protection defends against attacks that make the stack overlap other memory regions (such as the heap). Given recent exploits such as the systemd stack clash vulnerability, we decided it was appropriate to include this mechanism in the dataset.
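As an added example, not hardening-check and not the tooling the article used, the following Python script reads the properties from both lists above directly from the ELF64 structures: PIE from e_type and the DF_1_PIE flag, NX from the PT_GNU_STACK program header, RELRO from PT_GNU_RELRO, immediate binding from DT_BIND_NOW and the dynamic flags, stack canaries and FORTIFY_SOURCE from the function names in the dynamic string table, and RPATH/RUNPATH from the dynamic section. It handles only little-endian ELF64, which matches the x86_64 scope of this analysis, and it does not attempt stack clash detection, which needs inspection of the generated stack-probe code rather than headers. The two sample images are constructed by the script itself (header, program headers, string table and dynamic entries only, no code), so it runs offline; pass a path to check an installed binary.

```python
"""Read the hardening properties of an ELF64 binary straight from its headers: PIE, NX stack,
RELRO, BIND_NOW, stack canary, FORTIFY_SOURCE and RPATH/RUNPATH. Added example, not hardening-check."""
import struct
import sys

EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"   # ELF64 little-endian layouts
ET_EXEC, ET_DYN, EM_X86_64 = 2, 3, 62
PT_LOAD, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 1, 2, 0x6474e551, 0x6474e552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_STRTAB, DT_STRSZ, DT_RPATH, DT_BIND_NOW, DT_RUNPATH = 0, 5, 10, 15, 24, 29
DT_FLAGS, DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 30, 0x6ffffffb, 0x8, 0x1, 0x08000000
# Functions glibc replaces with __*_chk variants when a binary is built with FORTIFY_SOURCE.
FORTIFIABLE = {b"memcpy", b"memset", b"strcpy", b"strncpy", b"strcat", b"sprintf", b"snprintf", b"read", b"gets"}


def check_elf(data):
    """Return a dict of hardening properties for a little-endian ELF64 image."""
    e = struct.unpack_from(EHDR, data, 0)
    if e[0][:4] != b"\x7fELF" or e[0][4] != 2 or e[0][5] != 1:
        raise ValueError("only little-endian ELF64 is supported")
    e_type, phoff, phnum = e[1], e[5], e[10]
    loads, dyn_off, stack_flags, relro = [], None, None, False
    for i in range(phnum):
        p_type, p_flags, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(PHDR, data, phoff + 56 * i)
        if p_type == PT_LOAD: loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC: dyn_off = p_off
        elif p_type == PT_GNU_STACK: stack_flags = p_flags
        elif p_type == PT_GNU_RELRO: relro = True

    def to_off(vaddr):  # translate a virtual address to a file offset through the PT_LOAD segments
        for v, off, size in loads:
            if v <= vaddr < v + size:
                return vaddr - v + off
        raise ValueError("address %#x is not backed by a PT_LOAD segment" % vaddr)

    tags, pos = {}, dyn_off if dyn_off is not None else len(data)
    while pos + 16 <= len(data):        # walk the dynamic section up to DT_NULL
        tag, val = struct.unpack_from(DYN, data, pos)
        if tag == DT_NULL: break
        tags.setdefault(tag, val)
        pos += 16
    strtab = b""
    if DT_STRTAB in tags and DT_STRSZ in tags:
        start = to_off(tags[DT_STRTAB]); strtab = data[start:start + tags[DT_STRSZ]]
    names = set(strtab.split(b"\0"))    # names of imported and exported dynamic symbols live here

    def dynstr(tag):                    # string-valued dynamic entry, or None when absent
        return strtab[tags[tag]:].split(b"\0", 1)[0].decode() if tag in tags else None

    bind_now = bool(DT_BIND_NOW in tags or tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    return {
        "pie": e_type == ET_DYN,        # also true for shared libraries, as in hardening-check
        "pie_flag": bool(tags.get(DT_FLAGS_1, 0) & DF_1_PIE),   # set only for PIE executables
        "nx_stack": stack_flags is not None and not stack_flags & PF_X,  # no PT_GNU_STACK => executable stack
        "relro": relro, "bind_now": bind_now, "full_relro": relro and bind_now,
        "stack_canary": b"__stack_chk_fail" in names,
        "fortified": any(n.startswith(b"__") and n.endswith(b"_chk") for n in names),
        "unprotected_calls": sorted(n.decode() for n in names & FORTIFIABLE),
        "rpath": dynstr(DT_RPATH), "runpath": dynstr(DT_RUNPATH),
    }


def build_sample_elf(pie, nx, relro, bind_now, symbols, runpath=None):
    """Constructed minimal ELF64 image (header, program headers, string table and dynamic
    entries only, no code): test input for check_elf, not a real binary."""
    base = 0x10000
    strs = [b""] + [s.encode() for s in symbols] + ([runpath.encode()] if runpath else [])
    strtab, str_at = b"", {}
    for s in strs:
        str_at[s] = len(strtab)
        strtab += s + b"\0"
    phnum = 3 + (1 if relro else 0)
    str_off = 64 + 56 * phnum
    dyn_off = (str_off + len(strtab) + 7) & ~7
    dyn = [(DT_STRTAB, base + str_off), (DT_STRSZ, len(strtab))]
    if bind_now: dyn.append((DT_FLAGS, DF_BIND_NOW))
    if pie: dyn.append((DT_FLAGS_1, DF_1_PIE))
    if runpath: dyn.append((DT_RUNPATH, str_at[runpath.encode()]))
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack(DYN, t, v) for t, v in dyn)
    total, dyn_len = dyn_off + len(dyn_bytes), len(dyn_bytes)
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, base, base, total, total, 0x1000),
             (PT_DYNAMIC, PF_R | PF_W, dyn_off, base + dyn_off, base + dyn_off, dyn_len, dyn_len, 8),
             (PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, dyn_off, base + dyn_off, base + dyn_off, dyn_len, dyn_len, 1))
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + b"\0" * 9, ET_DYN if pie else ET_EXEC,
                       EM_X86_64, 1, base, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = ehdr + b"".join(struct.pack(PHDR, *p) for p in phdrs) + strtab
    return body + b"\0" * (dyn_off - len(body)) + dyn_bytes


# Constructed samples: one with every protection, one as no distribution should ship it.
HARDENED = build_sample_elf(True, True, True, True, ["__stack_chk_fail", "__memcpy_chk", "puts"])
WEAK = build_sample_elf(False, False, False, False, ["memcpy", "strcpy", "puts"], runpath="/opt/app/lib")

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else WEAK
    for key, value in check_elf(image).items():
        print(f"{key:18} {value}")
```

Running `python3 elfcheck.py /usr/bin/docker` prints one line per property. Two caveats carry over from hardening-check, whose approach this mirrors: the string-table heuristic only sees the symbols of dynamically linked binaries, so a statically linked executable reports no canary and no fortified calls even if it was compiled with both; and `pie` is true for any ET_DYN file, so use `pie_flag` (DF_1_PIE, emitted by recent linkers) to tell a PIE executable from a shared library.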
Now to the numbers. Tables 4 and 5 summarize the analysis of the executables and the libraries, respectively, of the various distributions.
- As you can see, NX protection is implemented almost everywhere, with rare exceptions. Note, though, the slightly lower usage rate in Ubuntu and Debian compared with CentOS, RHEL and OpenSUSE.
- Stack canaries are missing in many places, especially in distributions with older kernels. The latest CentOS, RHEL, Debian and Ubuntu releases show some progress.
- PIE support is insufficient in most distributions, with the exception of Debian and Ubuntu 18.04.
- Stack clash protection is weak in OpenSUSE, CentOS 7 and RHEL 7 and practically absent in the other versions.
- All distributions with modern kernels support RELRO to some degree; Ubuntu 18.04 leads and Debian comes second.
As already mentioned, the metrics in these tables are averages across all versions of a binary. Looking only at the latest version of each file gives different numbers (see, for example, …).
Table 4. Security properties of the executables shown in Figure 3 (share of executables implementing each feature, relative to the total number of executables)
Table 5. Security properties of the libraries shown in Figure 3 (share of libraries implementing each feature, relative to the total number of libraries)
So is there progress? Yes, certainly. It is visible in the statistics of the individual distributions (for example, …
Unfortunately, many executables in the various distributions still lack the protections above. Looking at Ubuntu 18.04, for example, you will notice the ngetty binary (a getty replacement), the mksh and lksh shells, the picolisp interpreter, the nvidia-cuda-toolkit package (a popular package for GPU-accelerated applications such as machine learning frameworks) and klibc-utils. Likewise, the mandos-client binary (an administration tool that lets machines with encrypted file systems reboot unattended) and rsh-redone-client (a reimplementation of rsh and rlogin) ship with the SUID bit but without NX protection. Some SUID binaries also lack basic protections such as stack canaries (for example, the Xorg.wrap binary from the Xorg package).
Summary and conclusions
In this article we examined several security features of modern Linux distributions. The analysis shows that the latest Ubuntu LTS release (18.04) implements, on average, the strongest protections at both the OS and the application level among the distributions with relatively recent kernels (Ubuntu 14.04 and 16.04, Debian 9). On the other hand, CentOS, RHEL and OpenSUSE in our set ship a denser default package set, and in their latest versions (CentOS and RHEL) the share of binaries with stack clash protection is higher than in their Debian-based competitors (Debian and Ubuntu). Comparing CentOS and Red Hat, the adoption of stack canaries and RELRO improved considerably from version 6 to version 7, and on average CentOS has more features implemented than RHEL. In general, every distribution needs to pay special attention to PIE: outside Debian 9 and Ubuntu 18.04 it is implemented in less than 10% of the binaries in the dataset.
Finally, note that this study was carried out by hand, although many security tools are available for the purpose (for example, …
Source: habr.com