Stay Ahead With Linux Security News

Explore Latest Linux Security news


OpenSSH 5.9: SHA256 HMAC, Sandboxing, And Security Enhancements

The OpenSSH development team has announced the release of version 5.9 of its open source SSH (Secure Shell) implementation. Compared to OpenSSH 5.8, released seven months earlier and primarily a security update, this release carries a wider variety of changes, including new SHA256-based HMAC (Hash-based Message Authentication Code) transport integrity modes; in sshd_config they appear as the hmac-sha2-256 and hmac-sha2-512 MACs (plus their -96 truncated variants). To prevent a compromised privsep (privilege separation) child from being used to attack other hosts, sandboxing has been introduced as an optional mode that enforces mandatory restrictions on the system calls the privsep child may perform; it is selected with UsePrivilegeSeparation sandbox. The developers note that the sandboxing of the privsep child process is "currently experimental but should become the default in a future release".

The link for this article, located at H Security, is no longer available.

Sep 06, 2011 | LinuxSecurity.com Team | Cryptography

Enhancing Application Security via Privman Library and Privilege Separation

Douglas Kilpatrick sent in a note about a new open source project going on at Network Associates:

"Privman is a library that makes it easy for programs to use privilege separation, a technique that prevents the leak or misuse of privilege from applications that must run with some elevated permissions. Applications that use the Privman library split into two halves: the half that performs valid privileged operations, and the half that contains the application's logic. The Privman library simplifies the otherwise complex task of separating the application, protecting the system from compromise if an error in the application logic is found. The library uses configuration files to provide fine-grained access control for the privileged operations, limiting exposure even in the event of an attack against the application. When the application is compromised, the attacker gains only the privileges of an unprivileged user and the specific privileges granted to the application by the application's Privman configuration file.

Current Status

The most recent version of Privman is 0.8.4. The Privman libraries should be considered developmental, and parts of the API are likely to change. We are interested in any feedback, bug fixes, or requests for functionality. We are particularly interested in features that make it easier to modify existing software to use the Privman library. The Privman API should be sufficient for most applications. We have successfully patched WU-FTPD to use Privman, as well as THTTPD."

The link for this article, located at NAI, is no longer available.

Oct 17, 2002 | LinuxSecurity.com Team | Security Projects

OpenSSH 3.5 Release: Enhanced Security Protocols And Features

From: Markus Friedl
Subject: OpenSSH 3.5 released

OpenSSH 3.5 has just been released. It will be available from the mirrors listed at https://www.openssh.org/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support and encouragement.

Changes since OpenSSH 3.4:
============================

* Improved support for Privilege Separation (Portability, Kerberos, PermitRootLogin handling).
* ssh(1) prints out all known host keys for a host if it receives an unknown host key of a different type.
* Fixed AES/Rijndael EVP integration for OpenSSL < 0.9.7 (caused problems with bounds checking patches for gcc).
* ssh-keysign(8) is disabled by default and only enabled if the HostbasedAuthentication option is enabled in the global ssh_config(5) file.
* ssh-keysign(8) uses RSA blinding in order to avoid timing attacks against the RSA host key.
* A use-after-free bug was fixed in ssh-keysign(8). This bug broke hostbased authentication on several platforms.
* ssh-agent(1) is now installed setgid in order to avoid ptrace(2) attacks.
* ssh-agent(1) now restricts the access with getpeereid(2) (or equivalent, where available).
* sshd(8) no longer uses the ASN.1 parsing code from libcrypto when verifying RSA signatures.
* sshd(8) now sets the SSH_CONNECTION environment variable.
* Enhanced "ls" support for the sftp(1) client, including globbing and detailed listings.
* ssh(1) now always falls back to uncompressed sessions, if the server does not support compression.
* The default behavior of sshd(8) with regard to user settable environ variables has changed: the new option PermitUserEnvironment is disabled by default, see sshd_config(5).
* The default value for LoginGraceTime has been changed from 600 to 120 seconds, see sshd_config(5).
* Removed erroneous SO_LINGER handling.

Checksums:
==========
- MD5 (openssh-3.5p1.tar.gz) = 42bd78508d208b55843c84dd54dea848
- MD5 (openssh-3.5.tgz) = 79fc225dbe0fe71ebb6910f449101d23

Reporting Bugs:
===============
- please read https://www.openssh.org/report.html and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller and Ben Lindstrom.

Oct 15, 2002 | LinuxSecurity.com Team | Cryptography

OpenSSH 3.3 Critical Update: Privilege Separation Improves Security

In an email addressed to many in the security community today, including LinuxSecurity, Theo de Raadt, lead developer for OpenBSD and OpenSSH, announced an OpenSSH vulnerability. The details of the vulnerability have not yet been made public, but de Raadt has acknowledged that it is remotely exploitable. Included below are details on what Linux users can do to mitigate the risk until vendors release updated versions.

Subject: Upcoming OpenSSH vulnerability
Date: Mon, 24 Jun 2002 15:00:10 -0600
From: Theo de Raadt

There is an upcoming OpenSSH vulnerability that we're working on with ISS. Details will be published early next week. However, I can say that when OpenSSH's sshd(8) is running with priv separation, the bug cannot be exploited.

OpenSSH 3.3p was released a few days ago, with various improvements but in particular, it significantly improves the Linux and Solaris support for priv sep. However, it is not yet perfect. Compression is disabled on some systems, and the many varieties of PAM are causing major headaches.

However, everyone should update to OpenSSH 3.3 immediately, and enable priv separation in their ssh daemons, by setting this in your /etc/ssh/sshd_config file:

UsePrivilegeSeparation yes

Depending on what your system is, privsep may break some ssh functionality. However, with privsep turned on, you are immune from at least one remote hole. Understand?

3.3 does not contain a fix for this upcoming bug.

If priv separation does not work on your operating system, you need to work with your vendor so that we get patches to make it work on your system. Our developers are swamped enough without trying to support the myriad of PAM and other issues which exist in various systems. You must call on your vendors to help us.

Basically, OpenSSH sshd(8) is something like 27000 lines of code. A lot of that runs as root. But when UsePrivilegeSeparation is enabled, the daemon splits into two parts. A part containing about 2500 lines of code remains as root, and the rest of the code is shoved into a chroot-jail without any privs. This makes the daemon less vulnerable to attack.

We've been trying to warn vendors about 3.3 and the need for privsep, but they really have not heeded our call for assistance. They have basically ignored us. Some, like Alan Cox, even went further stating that privsep was not being worked on because "Nobody provided any info which proves the problem, and many people dont trust you theo" and suggested I "might be feeding everyone a trojan" (I think I'll publish that letter -- it is just so funny). HP's representative was downright rude, but that is OK because Compaq is retiring him. Except for Solar Designer, I think none of them has helped the OpenSSH portable developers make privsep work better on their systems. Apparently Solar Designer is the only person who understands the need for this stuff.

So, if vendors would JUMP and get it working better, and send us patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday which supports these systems better. So send patches by Thursday night please.

Then on Tuesday or Wednesday the complete bug report with patches (and exploits soon after I am sure) will hit BUGTRAQ.

Let me repeat: even if the bug exists in a privsep'd sshd, it is not exploitable.

Clearly we cannot yet publish what the bug is, or provide anyone with the real patch, but we can try to get maximum deployment of privsep, and therefore make it hurt less when the problem is published. So please push your vendor to get us maximally working privsep patches as soon as possible!

We've given most vendors since Friday last week until Thursday to get privsep working well for you so that when the announcement comes out next week their customers are immunized. That is nearly a full week (but they have already wasted a weekend and a Monday). Really I think this is the best we can hope to do (this thing will eventually leak, at which point the details will be published). Customers can judge their vendors by how they respond to this issue.

OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away. On OpenBSD privsep works flawlessly, and I have reports that is also true on NetBSD. All other systems appear to have minor or major weaknesses when this code is running.

Jun 24, 2002 | LinuxSecurity.com Team | Cryptography

OpenSSH 3.3 Enhancements: Privilege Separation And Deprecated Options

Significant changes in this version include improved support for privilege separation (now enabled by default), ssh no longer needing to be installed setuid root for protocol version 2 hostbased authentication, and the deprecation of the client options FallBackToRsh and UseRsh.

Date: Fri, 21 Jun 2002 21:50:59 +0200
From: Markus Friedl
Subject: OpenSSH 3.3 released

OpenSSH 3.3 has just been released. It will be available from the mirrors listed at https://www.openssh.org/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support and encouragement.

Changes since OpenSSH 3.2.3:
============================

Security Changes:
=================
- improved support for privilege separation: privilege separation is now enabled by default. See UsePrivilegeSeparation in sshd_config(5) and http://www.citi.umich.edu/u/provos/ssh/privsep.html for more information.
- ssh no longer needs to be installed setuid root for protocol version 2 hostbased authentication, see ssh-keysign(8). Protocol version 1 rhosts-rsa authentication still requires privileges and is not recommended.

Other Changes:
==============
- documentation for the client and server configuration options has been moved to ssh_config(5) and sshd_config(5).
- the server now supports the Compression option, see sshd_config(5).
- the client options RhostsRSAAuthentication and RhostsAuthentication now default to no, see ssh_config(5).
- the client options FallBackToRsh and UseRsh are deprecated.
- ssh-agent now supports locking and timeouts for keys, see ssh-add(1).
- ssh-agent can now bind to unix-domain sockets given on the command line, see ssh-agent(1).
- fixes problems with valid RSA signatures from putty clients.

Reporting Bugs:
===============
- please read https://www.openssh.org/report.html and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller and Ben Lindstrom.

Jun 21, 2002 | LinuxSecurity.com Team | Cryptography

Achieving Robust Security through Full Privilege Separation in OpenSSH

The goal of this work is complete privilege separation within OpenSSH. Privilege separation uses two processes: a privileged parent, which monitors the progress of the unprivileged child, and the child itself, which runs without privileges and is the only process that handles network data. The privileged parent can be modelled by a very small finite-state machine, so it is easy to reason about the code that executes with privileges. A well-defined interface between the privileged parent and the unprivileged child allows the child to delegate operations that require privileges to the parent. Successful authentication is determined by the parent process, never by the child. Because the parent never parses network input, a bug in the child hands an attacker only an unprivileged process that must still ask the parent, and be refused, for every privileged action.

Mar 18, 2002 | LinuxSecurity.com Team | Cryptography
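The following C program is an added example, not code from OpenSSH, from Privman, or from the privilege separation paper summarised above. It shows the two-process design this article and the OpenSSH 3.3 announcement describe, and applies to the child the kind of resource-limit confinement that the OpenSSH 5.9 article calls sandboxing. The parent is a privileged monitor driven by a three-state machine (pre-auth, authenticated, done); the child, which would be the part parsing network data, runs unprivileged and can only send fixed-size requests over a socketpair. The monitor decides authentication itself and grants the single privileged operation only afterwards, whatever the child claims. Everything concrete here is constructed for the example: the credential store (alice / correct-horse), the three request types, the choice of RLIMIT_NOFILE and RLIMIT_NPROC set to zero as the sandbox (the same idea as OpenSSH's setrlimit-based sandbox backend, without its chroot), the user "nobody" for dropping root, and the bit encoding of the result.

```c
/* Added example (not OpenSSH or Privman code): a minimal privilege-separated
 * session.  Credentials, request types and sandbox limits are constructed. */
#define _DEFAULT_SOURCE
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

enum req_type  { REQ_AUTH = 1, REQ_PRIVOP, REQ_EXIT };
enum mon_state { ST_PREAUTH, ST_AUTHED, ST_DONE };
enum { MON_PREAUTH_PRIVOP_DENIED = 1, MON_AUTH_OK = 2, MON_PRIVOP_OK = 4 }; /* monitor's view */
enum { CHILD_PREAUTH_PRIVOP_ALLOWED = 1, CHILD_AUTHED = 2, CHILD_PRIVOP_ALLOWED = 4,
       CHILD_SANDBOX_ESCAPED = 8 };                        /* child's view, via its exit code */
struct request { int type; char user[32]; char pass[32]; };
struct reply   { int ok; };

/* Read or write exactly len bytes on a stream socket. */
static int xfer(int fd, void *buf, size_t len, int writing) {
    char *p = buf;
    while (len > 0) {
        ssize_t n = writing ? write(fd, p, len) : read(fd, p, len);
        if (n <= 0) return -1;
        p += n; len -= (size_t)n;
    }
    return 0;
}
/* Constructed credential store; a real monitor consults PAM or the passwd db. */
static int check_credentials(const char *user, const char *pass) {
    return strcmp(user, "alice") == 0 && strcmp(pass, "correct-horse") == 0;
}
/* Privileged parent: a three-state machine over the child's requests.  Authentication
 * is decided here, and the single privileged service is granted only after it. */
static int monitor_loop(int fd) {
    enum mon_state st = ST_PREAUTH;
    struct request req;
    int seen = 0;
    while (st != ST_DONE && xfer(fd, &req, sizeof req, 0) == 0) {
        struct reply rep = { 0 };
        req.user[sizeof req.user - 1] = req.pass[sizeof req.pass - 1] = '\0';
        switch (req.type) {
        case REQ_AUTH:                    /* only honoured while unauthenticated */
            if (st == ST_PREAUTH && check_credentials(req.user, req.pass)) {
                rep.ok = 1; seen |= MON_AUTH_OK; st = ST_AUTHED;
            }
            break;
        case REQ_PRIVOP:                  /* gated on monitor state, not on the child's claims */
            if (st == ST_AUTHED) { rep.ok = 1; seen |= MON_PRIVOP_OK; }
            else seen |= MON_PREAUTH_PRIVOP_DENIED;
            break;
        case REQ_EXIT: rep.ok = 1; st = ST_DONE; break;
        default:       st = ST_DONE; break;   /* unknown request: assume compromise */
        }
        if (xfer(fd, &rep, sizeof rep, 1) != 0) break;
    }
    return seen;
}
/* Child side of the interface: send one request, return the monitor's verdict. */
static int ask(int fd, int type, const char *user, const char *pass) {
    struct request req = { 0 }; struct reply rep = { 0 };
    req.type = type;
    if (user) strncpy(req.user, user, sizeof req.user - 1);
    if (pass) strncpy(req.pass, pass, sizeof req.pass - 1);
    if (xfer(fd, &req, sizeof req, 1) != 0 || xfer(fd, &rep, sizeof rep, 0) != 0) return 0;
    return rep.ok;
}
/* Drop root if we have it, then sandbox: no new descriptors (so no sockets to other
 * hosts) and no forking, the idea behind OpenSSH's setrlimit-based sandbox backend.
 * sshd additionally chroots the child; that is left out here.  Not root: no-op drop. */
static void confine_child(void) {
    struct rlimit zero = { 0, 0 };
    if (getuid() == 0) {
        struct passwd *pw = getpwnam("nobody");   /* no such user: fail closed */
        if (!pw || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) _exit(99);
    }
    if (setrlimit(RLIMIT_NPROC, &zero) != 0 || setrlimit(RLIMIT_NOFILE, &zero) != 0) _exit(99);
}
static void child_main(int fd, const char *user, const char *pass) {
    int code = 0;
    confine_child();
    if (socket(AF_INET, SOCK_STREAM, 0) >= 0) code |= CHILD_SANDBOX_ESCAPED;    /* must fail */
    if (ask(fd, REQ_PRIVOP, NULL, NULL)) code |= CHILD_PREAUTH_PRIVOP_ALLOWED;  /* misbehave */
    if (ask(fd, REQ_AUTH, user, pass))   code |= CHILD_AUTHED;
    if (ask(fd, REQ_PRIVOP, NULL, NULL)) code |= CHILD_PRIVOP_ALLOWED;
    ask(fd, REQ_EXIT, NULL, NULL);
    _exit(code);                          /* never return into the parent's code path */
}
/* Run one session.  Returns MON_* bits | (child exit code << 4), or -1 if setup
 * failed or the child died abnormally.  "alice"/"correct-horse" gives 0x67; any
 * wrong credentials give 0x01 (privilege refused pre-auth, nothing granted). */
int privsep_session(const char *user, const char *pass) {
    int sv[2], status = 0, seen; pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    if ((pid = fork()) < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) { close(sv[0]); child_main(sv[1], user, pass); }
    close(sv[1]);
    seen = monitor_loop(sv[0]);
    close(sv[0]);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return seen | WEXITSTATUS(status) << 4;
}
```

The part worth auditing is monitor_loop: it is the only code that would run as root, and it is small enough to check state by state, which is the whole point of de Raadt's "2500 lines remain as root" argument. The child deliberately misbehaves (asks for the privileged operation before authenticating and tries to open an outbound socket after confinement) and both attempts are refused, the first by the state machine and the second by the rlimit sandbox; with wrong credentials it never gets anything. Run as an ordinary user the uid drop is skipped and only the sandbox is exercised; run as root it also switches the child to "nobody" before the limits are applied.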