This is much more secure, and you are able to disable it. If you are using systems in public, then there is much more you need to disable such as removable media automounting etc, and would not use default settings anyway.

The current way of throwing blanket root access out for any system change is inherently less secure, their change aims to only allow signed package and that 1 specific action to occur.

Yes you could make a collision, but if you can’t trust your package sources, you can’t trust your system as a whole, so the entire idea is moot.

Related posts:

1. Stimulus package
2. What I am working on
3. Fedora Core 6

Being that I am writing posts this week about programming, and about my Fedora run down, thought people might find this interesting.

I wrote a little test code that fails on Ubuntu but works on Fedora 11 (based off lwn post):

#include <stdio.h>
#include <sys/mman.h>

int main(int argc, char **argv)
{
    // Try to write to memory location 0
    void *mem;
    mem = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);

    if(mem != NULL)
    {
        printf("Could not write to memory position 0\n");
    } else
    {
        printf("We can write to memory location 0\n");
    }

    sprintf((char *) mem, " This is a test\n");
    printf("Memory contents: %s\n", (char *)(mem + (sizeof(char))));
    return 0;
}

Fedora 11 results:

./a.out
We can write to memory location 0
Memory contents: This is a test

Ubuntu 9.04 results:

./a.out
Could not write to memory position 0
Segmentation fault

What does this mean?
As far as I can understand it, userspace programs segfault when trying to access data in the NULL (or 0) memory region. The kernel does not have this limitation. The author of the exploit said this is because GCC optimises out the null check. So if there is kernel code which references a pointer to 0, then you can have it run whatever you want. And in atleast 2.6.30, there is kernel code that does that.

Ubuntu does not let the userspace programs write to 0, but in F11 you can. Interesting stuff.

Related posts:

1. Why?
2. Python and real time graphical analysis
3. Programming using IOCTL to interface with Linux kernel drivers

• Fedora 11 SELinux by default: Cool but confusing
• Fedora 11 repositories: Better selection than previous releases, still not as many choices as Ubuntu
• Ubuntu still wins on the default menu organization for new users (just a bit easier to navigate)
• Fedora bootup vs. Ubuntu bootup is about a wash, they both look good and are fast
• Default themes: Neither will win a competition on looks, Linux Mint is much better looking than both
• Yum vs. Apt: Yum was fast, but a lot of 404′s on the repositories (which is more of an issue of Fedora’s mirror infrastructure)
• PPAs vs. ???: This is where Fedora appears (correct me if I am wrong) to have absolutely no answer to OpenSUSE and Ubuntu. In Ubuntu we can get up to date packages that were not yet officially released using PPAs. OpenSUSE users can download packages from the build service. Fedora really has nothing this fun (I am aware OpenSUSE can build Fedora packages, but the selection is not even close).
• Support: Fedora is a distro that is on the cutting edge. It will never compete in support, but this is intentional.
• Community: Ubuntu community is simply the biggest Linux community on the internet. Nobody is even in the same ball park. This also means that Ubuntu has much more “noise” than Fedora (ie people who contribute nothing and are generally factually inaccurate). Experts may like Fedora more because of the lack of this noise.

So if you are looking to try out Fedora, I don’t think you will gain or miss much. Personally I am going to put Ubuntu back on as I really love software from PPAs, and I love using apt just out of habit. But hope that helps someone who wonders what the differences are or what they are missing.

I have added a screenshot which is the default screen with Gnome-Do with docky theme, but this obviously works in Ubuntu also:

Related posts:

1. Haproxy packages
2. Fedora Core 6
3. Novell Linux Client on Ubuntu redux