Red Hat has released an updated advisory reporting the existence of multiple vulnerabilities in the Linux 2.4 kernel. Exploitation of these issues could expose sensitive information to local attackers, permit denial of service attacks or allow malicious local users to gain elevated privileges.
They shouldn’t have copied buggy code man…
see what happens when you copy “corporate” code!
and yes, I’m being sarcastic…just a little
I fail to find this news on Slashdot .. wonder why.
I never did like how Security Focus explained things… according to the “what’s vulnerable” list, it only seems that earlier versions were affected on mostly all distros, while later versions aren’t affected at all — and on even less distros. I know some distros like RedHat and Mandrake include very functional kernels and often times apply various patches… thus, is it all 2.4 kernels or what?
Because it hasn’t been posted there yet. Give them some time maybe half a day and the news will be up.
Here’s a much more detailed list…
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-0…
Some of the bugs allow a user to read restricted information, but none appear to allow users to root the box.
I would welcome any comments if I am wrong. (The possibility of finding a password by length and keystroke timings on a local machine that someone is using with an attached serial terminal seems a rather unlikely event.)
As far as a local DoS goes… another popular OS seems to do that quite well on its own, without requiring malicious attacks.
Glad to see them fixed before any exploits appear anyway.
It would be all 2.4.X kernels from 2.4.0 to 2.4.21.
They just seem to list the major distro releases that contain those kernels. If you are using say a downloaded 2.4.21 kernel it would still be vulnerable.
Try reading the help on that page about the + and – signs
I continue to believe the source of the problem is Linux’s rapid evolution, in which a number of features were haphazardly added to the kernel without a great deal of concern for the high-level design, simply to get them in place because they were being demanded. When the code is viewed retrospectively it can be seen to lack an overall high level design, in which case bad design decisions must be amended through a sequential process of refactoring. However, while refactoring may fix the high-level kernel design, bad design decisions and practices as well as fundamental design errors still remain in subtle aspects of how each particular mechanism is implemented.
Thus it becomes rather unfortunate that this was the kernel that was embraced by a rather (shall we say overly) vocal audience of individuals who were usually not coming from a Unix background but instead migrating from non-Unix operating systems, and was chosen as the “standard Unix operating system” by a number of enormous companies instead of one of the other kernels, which had already undergone decades of refactoring until the high level design was extremely elegant, and in fact all legacy code had been stripped from the codebase (this really happened during the release of BSD Lite; the USL lawsuit only resulted in a thorough audit of the code to remove any remaining AT&T code that had previously been overlooked) and replaced with a more modern implementation.
While FreeBSD no longer shares a single line of code with the original Unix source (unless SCO has led you to believe otherwise) it cannot be argued that it did not evolve from the Unix codebase, and that the work of thousands of minds over a period of more than three decades has effectively gone into it, and while whole components have been replaced (namely the VMM, which was replaced with the VMM from Mach) most of the kernel features remain a decades-mature implementation.
I’m sorry to try to derail this thread but I just have a considerable amount of respect for the elegance of the FreeBSD kernel, and information like this tends to get shoveled over by the Linux zealots, just like when they shoveled over the horrible bugs in the 2.4 VMM which caused Linus to change VMMs midstream.
Yes, I realize the Linux 2.6 kernel is undergoing considerable refactoring and regression testing. What will this result in? Well, it’s tough to say considering many people still can’t boot it at this point. We’ll have to wait for a release before we can really judge how much 2.6 has improved overall kernel design and stability. Thus far, things aren’t looking very good…
All OS will have this, just many refuse to accept that certain ones can have the same problems as others.
Slashdot will post it late at night so the morning stories will push it out so no one sees it. But anyways, this is OSNEWS, not Slashdot, who cares. OSnews put out the word on something that is important to many and people can now adjust like anyone with other OS’s would. Just now people can do some inverted trolling for a bit, though that’s not polite. And it will probably bring forth modding.
highest buzzword per word ratio I have ever seen
http://www.linuxsecurity.com/advisories/index.html
In the words of Sean Connery: “LINUX = Linux Is Not Xecure” 😀
and they appear to be relatively minor. No real showstoppers, especially compared to some of the things I’ve seen listed in Microsoft’s list of fixes for their various service packs.
I’m not trying to gloss over Linux’s shortcomings but this story is hardly a case for slamming the Penguin.
And, to take a shot at Bascule’s praise of FreeBSD, I’ve used several versions of it and found it to be a solid OS but, while BSD zealots love to tout its NFS capabilities and VM, nothing is ever said of the abysmal threading that is only now being addressed.
So, every system has its strong and weak points but frankly, it doesn’t look like any of the OpenSource OSes are progressing as quickly as Linux.
So yesterday (the 23rd) MS has a bunch of vulns and it’s posted here, then we see everyone trash MS in the threads, so I guess we’ll just go back a few days (21st) and post a local Linux flaw to put those damn zealots in their place!
It’s still news I know, but this was disclosed Monday, why post it now, if not to rile things up a bit.
Also to androo, I don’t think it will go on Slashdot unless it’s a remote vulnerability. Like when sendmail, apache stuff is usually posted.
Yes, like FreeBSD doesn’t have its own share of vulnerabilities. The BSD kernel has been in development for over 30 years and yet it’s still on the same playing level with any other OS in the market. That’s a horrible track record. I can forgive Mac. I can forgive Windows. And I can forgive Linux. But *BSDs have no excuse, it should be inherently better and secure.
The point is not whether FreeBSD or Linux is solid or not. They are both solid, and hardly better than each other. The issue is what the future potential is for either of them. I’m afraid to say, but as of today Linux’s future potential looks way better. And if history keeps repeating itself, 5 years from now Linux will be better. After all you gave Linux a decade to catch up, let’s give it another decade and see where both will be. Personally, based on the annals I have available, Linux is likely to be milestones ahead of FreeBSD in another decade, but of course, I’m not a prophet and it is highly likely that I’m wrong.
As far as I’m concerned, these security vulnerabilities are not fatal. I expect to see a lot of FreeBSD and Windows zealots flocking in here and having a field day with this news.
Regards,
Mystilleef
So now they have to bug track two different systems…
Meanwhile Microsoft is still running Linux for serious work
and nobody wonders why?
http://uptime.netcraft.com/up/graph/?host=a100.ms.a.microsoft.com
If someone else has access to your system then it is not your system anymore
> Yes, like FreeBSD doesn’t have its own share of vulnerabilities. The
> BSD kernel has been in development for over 30 years and yet it’s still
> on the same playing level with any other OS in the market. That’s a
> horrible track record. I can forgive Mac. I can forgive Windows. And I
> can forgive Linux. But *BSDs have no excuse, it should be inherently
> better and secure.
No, FreeBSD has only been in development since the early 90s, followed closely by NetBSD which forked OpenBSD several years later. So what you say is incorrect, the *BSDs didn’t have a time advantage at all. Unless you are referring to the old AT&T code that wasn’t developed much at all beyond the early eighties (except bugfixes, slight API changes).
As for being better. How do you define better? Many DO believe FreeBSD to be superior as a server OS to Linux, as do I. OpenBSD has Linux beat for security by far. Also, I don’t see as many security patches for the FreeBSD base system as I do for Linux’s kernel and the GNU tools.
> As for being better. How do you define better? Many DO believe FreeBSD to be superior as a server OS to Linux, as do I. OpenBSD has Linux beat for security by far. Also, I don’t see as many security patches for the FreeBSD base system as I do for Linux’s kernel and the GNU tools.
Again, it depends. FreeBSD has the edge in the VM and NFS, also, possibly, in the default security settings. Linux leads in multithreading, SMP and hardware support.
real users use linux 2.6.0test1 🙂
i’ve been running linux 2.6.0-test1 since it came out and it is pretty smooth, any “feels smooth” advantage FreeBSD had is now gone. also there is a new security type in lx2.6, it’s going to be role-based and won’t have a superuser per se. the thing that got me about FBSD is that people try to use it as an end all be all. linux seems more fitting since you can use it for literally anything. there are patches that trade off throughput for responsiveness and vice versa. you can tune it to your needs thereby making it the best tool for the job. everything about this upcoming kernel is just k-rad! also all the little things like ALSA just rule.
a’ight, have fun. 8)
Bannor99 said:
And, to take a shot at Bascule’s praise of FreeBSD, I’ve used several versions of it and found it to be a solid OS but, while BSD zealots love to tout its NFS capabilities and VM, nothing is ever said of the abysmal threading that is only now being addressed.
The same is also true for Linux. Please do not tell me that representing a thread as a process is a lot better than the pre-KSE thread support in FreeBSD. Both threading implementations were just workarounds and hacks. Only now is Linux gaining some good threading support thanks to NPTL. The same is also true for FreeBSD with two thread implementations (1-1 as in NPTL and M-N).
Cheers
Stelios
Speaking technically, FreeBSD, NetBSD, OpenBSD and the latest ones all derive from 386BSD, which was derived from the unencumbered Net/2 BSD release. Which was derived from 4.3BSD and that, through a long line of development, from AT&T Unix Seventh Edition – which incidentally contained more than a few bug-fixes, etc, from the UC @ Berkeley’s CSRG.
I think it was with the DARPA TCP/IP stack that BSD really took off as an independent distro of Unix, and indeed, BSD source code was the engine for most of the Unix and workstation start-ups in Silicon Valley.
So as far as maturity of source goes, *BSD wins hands down over Linux. (I am a Linux user, and with any luck, a Linux developer. I am not a Linux bigot.) But on the other hand, Linux has been worked on by a larger crowd, it has been allowed to be more open, and it has been fitted into more niches than any other comparable operating system to the best of my knowledge.
FreeBSD has been aimed at the x86 market since it was forked off; Linux has been adapted for many more processors than that.
It’s a bit like comparing oranges and apples.
Did you ever consider the reasons Linux took off where FreeBSD did not? Take a look at the way the respective projects are organized and led sometime.
Did you ever consider the reasons Linux took off where FreeBSD did not? Take a look at the way the respective projects are organized and led sometime.
It was because of the USL lawsuit against Berkeley. Nothing with project organization at all.
No, FreeBSD has only been in development since the early 90s, followed closely by NetBSD which forked OpenBSD several years later. So what you say is incorrect, the *BSDs didn’t have a time advantage at all. Unless you are referring to the old AT&T code that wasn’t developed much at all beyond the early eighties (except bugfixes, slight API changes).
You sound as if FreeBSD was written from scratch like Linux was, and it wasn’t a fork from its older cousins. I don’t know what point you’re trying to prove but the following link should lay your misconceptions to rest. Let’s revisit history.
http://www.oreilly.com/catalog/opensources/book/kirkmck.html
The Berkeley Software Distribution has been around since the late 70s. That is approximately 30 years, and well over 20 years of existence. The *BSDs as they are today had experience, a good head start and remnants of AT&T code to their advantage. The *BSDs should be inherently better than Linux. Unfortunately, as of today, no evidence suggests so, just hearsay and word of mouth.
Many DO believe FreeBSD to be superior as a server OS to Linux, as do I.
I’d gladly agree if they presented facts other than ‘my favorite Unix-like flavor operating system is better than yours’ debates. How is FreeBSD a more superior server operating system than Linux is? It’s not as portable as Linux is. It doesn’t scale as well as Linux does. It doesn’t display a better threading capability than Linux. It doesn’t have as much hardware support as Linux does. So how FreeBSD is a better server operating system than Linux continues to perplex me.
OpenBSD has Linux beat for security by far
I heard that too. But again I need facts and proof, not empty statements. If security is a major concern, your vanilla flavor Linux with selinux patches, or grsecurity patches, is more than enough for anyone. If I wanted to I could yank up the security of my Linux box to NSA standards, but I have no need to and I am not yet a security expert.
Also, I don’t see as many security patches for the FreeBSD base system as I do for Linux’s kernel and the GNU tools.
Yes, because it is not as extensively tested and used as Linux is. I bet if you had more users, developers and corporate auditors, you’d find as many security vulnerabilities in FreeBSD as in Linux. Good point though.
Regards,
Mystilleef
It should be:
RED HAT: Multiple Linux 2.4 Kernel Vulnerabilities
Other distros are most likely not affected. Wait and see… =)
Bye bye uptime.
OpenBSD has Linux beat for security by far.
I heard that too. But again I need facts and proof not empty statements. If security is a major concern of yours, the vanilla flavor of Linux kernel with selinux patches, or grsecurity patches, is more than enough for anyone interested in an ultra secure system. If I wanted to I could yank up the security of my Linux box to NSA standards, but I have no need to and I am not yet a security expert.
I have a new motto for OS News, considering the linked page has no details:
OS News, Exploring the FUD on Linux
I’m not sure if I should really feed the trolls but here goes.
This is my first time posting here so be gentle.
“The BSD kernel has been in development for over 30 years and yet it’s still on the same playing level with any other OS in the market. That’s a horrible track record…But *BSDs have no excuse, it should be inherently better and secure.”
No actually, developers back in the day were nowhere near as security conscious as the developers you will meet developing these various new operating systems now. I would still expect it to have bugs floating around, and I am sure they will be uncovered; this is after all the age of the Internet, we’re not talking academic LANs here. If time made all things right, then why are we still using protocols such as SMTP/POP3/FTP? Also, why isn’t sendmail the most secure MTA on the market?
“It doesn’t display a better threading capability than Linux. It doesn’t have as much hardware support as Linux does. So how FreeBSD is a better server operating system than Linux continues to perplex me.”
Windows 2000/2003 probably has better threading and hardware support than Linux does, and Win98/ME probably have better hardware support than either of those two. Yet I do not believe for an instant anyone on this board would vouch for using them.
“Other distro are most likely not affected.”
Most likely? Why didn’t you just read the advisory for yourself to find out?
Many distributions are mentioned besides RedHat: Debian, Slackware, Mandrake, Caldera, SuSE…
RTFA!
Security must be designed in, not added on or patched in.
Security must be considered more important than functionality or speed or time-to-market. Security must be maintained, not just designed in at the beginning. Security must be audited by a third party whose security analysis skills are at least equal to those of the code writers.
Security is very very expensive. The product will be very very expensive.
The product will lag the market in functionality and must of necessity, lack some functionality in the interest of security.
Documenting the security architecture of the product will take as much work as writing the code.
Testing the code for security will take twice the time as writing the code.
No Linux distro and certainly no MS product even aspires to meet the strict security proof requirements of the Common Criteria at the higher levels (EAL-6 and above). They can only ever meet the EAL-4 requirements which are basically “document what you do”.
1) FreeBSD since 4.8 was released has actually had a VERY small number of vulnerabilities. Contrary to a lot of people’s opinion, the *BSDs hold their own quite nicely.
2) These problems in Linux are only going to get worse as the project becomes more popular and more features are added in an ad hoc manner. When you go from a few thousand to a few million lines of code, you need the adequate documentation and design in place.
Let’s look at threading: one COULD simply implement a fast solution to address the issue now, however, one could also design a much more broad-based solution that not only addresses the issues now but any future issues that may crop up.
This is where FreeBSD has its advantages, it is a more structured organisation in which the development process is more like a software company. Design a solution, test that design then implement it, oh, and actually DOCUMENT the feature rather than doing what happens in Linux when a person realises that it would be nice to have documentation for a particular feature. An example would be, finally, a document that describes the Linux VMM. Why did it take so long for something that SHOULD HAVE BEEN written DURING the design and development phase?
3) Software development out of pure hatred of another product or a piece of technology is the breeding ground for an inferior product. Let’s look at Windows NT. It was developed out of a pure hatred of UNIX and headed by a disgruntled employee from Digital.
Where has this left Microsoft? Well, ten years later and the product is STILL riddled with bugs and security issues. This is a company with $49.8 billion in their bank and tens of thousands of programmers world wide, you honestly can’t tell me that they are under resourced. They have the cash there, however, Microsoft doesn’t want to fix up the fundamental flaws with the system, they would much rather patch and code around the issues in the hope that those issues will be forgotten.
For example, the shatter attack has been known by Microsoft for years, even before the story hit the tech publications, however, they have done nothing about fixing it. Why? Because it would mean declaring their dogma driven product is poorly designed from the ground up and needs to be replaced, possibly with a 20 year old piece of technology centred either around BSD or UNIX.
MacOS X and BSD have PROVEN that you can produce a quality product without the need to spend 6-7 billion a year. SUN is another example of a company with an operating system who can deliver a quality product without the need to spend billions each year on it.
4) The operating system must be easy to use, both for the programmer and the end user. What is the point of having a great operating system that is extremely hard to programme for? What is the point of having an operating system with no coherent GUI?
5) Java has been improving and the only two things I have heard so far in regards to a pro .net argument are:
– Faster GUI
– Pointers
– Use less memory
The GUI is already being addressed, JRE/JDK 1.4.2 has proven that swing can be a responsive interface, it just needs to be tuned a little more. Regarding pointers, why? If you want to do mathematical calculations then use Fortran. In terms of memory usage, yes, Java NOW uses a fair amount of memory, however, with that being said, the issue is actually being addressed BUT instead of a haphazard development process, SUN is taking their time to ensure that they get it right.
6) People who work in the IT industry need to realise that the end user uses a computer as a tool. Most end users have no desire to know any more than what is required. This is where Apple does do well, it listens to the customer. Microsoft’s solution is building large and bloated wizards and *NIX simply adds more features which results in more complications.
At the end of the day, a computer is merely a device to get work done and the operating system merely provides an abstraction layer for the user to interact with the computer. Instead of creating an “OS War”, concentrate on producing the best operating system. This drive for development should not be done out of competition or hatred but simply for a drive for perfection.
What’s your point?
The aim of Linux (and even the win32 kernels) has never been to be used in highly critical systems.
I don’t say that security isn’t important, I just say that nobody ever said that Linux was meeting the EAL-6 requirements. This certification is also a story of “big money”, otherwise how do you explain that Windows 2000 is EAL-4 and Linux is only EAL-2?
Moreover, every one concerned by security problems (like sys-admins…) should register to bugtraqs, or other security report mailing lists so there is no need to post news for every security report, except if you want to start trolls.
i’ve been running linux 2.6.0-test1 since it came out and it is pretty smooth, any “feels smooth” advantage FreeBSD had is now gone. also there is a new security type in lx2.6, it’s going to be role-based and won’t have a superuser per se. the thing that got me about FBSD is that people try to use it as an end all be all. linux seems more fitting since you can use it for literally anything.
From what I hear you saying I don’t really understand why you would use Linux at all? It feels as smooth as BSD, so if that’s appreciated why not use BSD????
Can use for almost anything? Ehrm, BSDs ARE used in embedded systems quite a lot. It’s as scalable as you want it to be
5 years from now Linux will be better.
Personally, based on the annals I have available, Linux is likely to be milestones ahead of FreeBSD in another decade
This is a classic sentence. Now why have I heard the very same sentence for the last 5 years??? If Linux starts to be innovative and skips cloning *cough* eg. Mono *cough* they might be. But as far as I can see, Linux will always stay 5 years behind as they always have… cloning just ain’t what it’s about.
Concerning security and pretty much all being the same. I suggest you find Theo de Raadt and talk to him about it, I’m quite sure he could give you some pointers…. and if that name doesn’t ring any bell, I do suggest you look it up on Google, or why not just head over to http://www.openbsd.org
Riight, do you know where MS got the windows API? CLONING *COUGH* yet you claim that “cloning just ain’t what it’s about”. LOL
How does Mono have anything to do with Linux? As far as I know it will run on any operating system.
CooCooCaChoo I don’t know how .NET got into this thread. But you MUST have seen one of my previous posts about why .NET is cool.
First let me post something on topic.
There are so many things related to stability and scalability that FreeBSD does better than Linux. Let me give examples of why FreeBSD makes a better server.
I was in an undergraduate class on Unix programming. We were asked to code a concurrent (fork) program where the children worked with a bunch of files. It turned out that the professor gave us some buggy starter code which did not close file handles. Since the class was big, you could imagine that the system’s file handles quickly ran out.
I was developing on FreeBSD at home. The system quickly detected the problem and started spewing no more file handle messages. However, I could still log in and no other programs were affected.
The students working on a Linux server were not as fortunate. The system ran out of file handles there as well, but the file handles were *system wide*. No one could log in (no file handles) and services started failing. The admin of the undergraduate computers said he had to reboot the Linux box multiple times a day.
In another example, a Linux system was used to run a very large web server. The server was having serious load troubles though, and so stopped accepting new users (it was a message board). A friend of mine got the admin to switch to FreeBSD, 4.x series even (yes, poor SMP compared to Linux) and suddenly the server had no problems handling the heavy load. The system was always responsive and the admin started accepting new accounts again.
As many have said here already, FreeBSD is better due to its design process. Happy hippies in their basements doing haphazard undocumented code development does not make for a system that I have a lot of confidence in.
Now let me attack your .NET rhetoric CooCooCaChoo.
These are the pro .NET arguments you’ve heard. First let me say they suck. And they are also all about C#, only a part of .NET.
– Faster GUI
Which GUI? Windows Forms? GTK#? Are we comparing to Swing? Or Java’s GTK bindings as used in Eclipse? This point is not relevant.
– Pointers
Cute, but the code is still managed. It *may* reduce the indirection due to abstractions though. Not a bad feature, but not anything spectacular either.
– Use less memory
I haven’t even heard this one. I don’t see anything in either Java or C# that would support this really.
Ok, now here are some REAL pro .NET/C# points.
1) Concurrency
Java has a really really poor concurrency system. This has both to do with how threads, monitors, and the class libraries are designed. It’s actually a very well known weakness of Java.
C# has a much better concurrency system. The class libraries are also very well documented with regards to thread safety.
2) Designed for speed from the bottom up.
The .NET system and C# have been designed such that optimisations can be applied more easily. They are also designed from the start to be run in a JIT, rather than as bytecode. Java was designed to run as both bytecode and through a JIT, but the JIT part was not focused on as much.
This is a really neat idea, designing a language such that it is easily optimisable. Often optimisations are thought of after the fact.
3) C# exposes the underlying system.
It’s funny, this is usually touted as a weakness by pro Java people around here. C# and .NET *were not designed to be portable without changes*. The .NET motto is not write once run everywhere. That said, they did want it to be relatively easy to port programs if desired.
By exposing the underlying system more, C# can easily make use of external libraries (GTK, Gnome libraries, Windows GUI, etc). While this is also possible in Java, it’s nowhere near as easy. This makes C# usable as a default language that can integrate into whichever environment you want. I can make a Gnome program in C#, or a Windows program in C#. They won’t be compatible without changes, but they *will* be integrated. Integration is still extremely important.
Now related to the .NET runtime (CLR) rather than C#.
4) The CLR provides library management. It uses a system similar to Mac OS X where libraries are explicitly versioned and cached. Each program carries any non-default libraries along with it.
5) Programs store all related application data including libraries in the executable file. Think of this basically as an app folder design. The Linux people here will no doubt claim that app folders are not good. They have been proven to work and cause systems to be easier to manage in both Mac OS X and Windows, which currently follows a similar one folder per application model. The .NET system is an evolution of this.
6) Signed programs. This is a little fuzzier, but basically programs can be either signed or unsigned. Signed programs have been explicitly checked by the compiler for things like buffer overflows, and dereferencing NULLs. Unsigned programs are ones which are not guaranteed to be crash safe. You can run both, but you are also told if you are running an unsigned program. I’m not sure on the details of how this works (could you somehow sign a safe program?) but it’s still a neat idea.
So, .NET *is* better. Oh, I also don’t know if Java has ECMA or ISO certification, .NET does and so does C#. For those that don’t know, this means that MS cannot charge people for implementing the standards (Mono) and also makes it unlikely that they will introduce incompatibilities. They would be breaking their OWN standard that they worked hard to get.
And, to take a shot at Bascule’s praise of FreeBSD, I’ve used several versions of it and found it to be a solid OS but, while BSD zealots love to tout its NFS capabilities and VM, nothing is ever said of the abysmal threading that is only now being addressed.
Well, it’s already been mentioned, but Linux’s clone()-based threads implementation was pitiful as well, and that is also only “now” being addressed with things like NPTL.
In terms of threading support, FreeBSD is only lagging about 6 months behind Linux. Since you claim that FreeBSD is only “now” addressing the issue I’ll just assume you’re a little bit behind on the times, and aren’t aware that FreeBSD KSE support is near complete, and will be complete by FreeBSD 5.2:
http://www.freebsd.org/kse/#status.kernel
If you really wanted to rant against FreeBSD perhaps you could’ve picked something that wasn’t a major area of contention in Linux as well, such as NUMA support.
If someone else has access to your system then it is not your system anymore
This is certainly the Microsoft philosophy, but hasn’t been the Unix philosophy for quite some time. This is what things like permissions and access controls are for.
Now, that isn’t to say that the kernel design is perfect and these access controls can’t be circumvented, perhaps most notably in the ptrace race condition in the Linux kernel which was discovered in March. Some of you may remember that this is the second such ptrace related vulnerability found in the Linux kernel, with the original being found in 2001:
http://www.sfu.ca/~siegert/linux-security/msg00078.html
To be fair, a similar vulnerability was also found in OpenBSD in 2001 as well:
http://www.guninski.com/openbsdrace.html
However, these notable exceptions aside just because someone has access to a system should not mean that they have total control.
I can’t believe it, flaws in Linux? Surely this can’t be true, every Linux user I speak to says that Linux is the most bug free, stable, fastest, prettiest, etc OS ever written?