Date: Thu, 12 Apr 2012 13:22:30 +0000
From: Mark Krenz <mark@...o.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Most Linux distributions don't use tmpfs nor
 encrypt swap by default


 Hello. After posting the flaw with libvte's handling of the scrollback
buffer (writing it to disk), there were several people who made the
erroneous claim that most distributions of Linux use tmpfs now and
encrypt swap and that this shouldn't be an issue.

 Because these claims attempted to diminish the importance of the flaw
for many, I installed most of the popular distributions of Linux as well
as some of the BSDs for comparison to see what their default setup was
after installation. I have found that of the 35+ distribution versions
that I tested, only the latest Arch Linux puts /tmp on tmpfs by default
and the only other distributions that show it as an option during
installation are Mageia or PC Linux OS.  So the libvte flaw indeed is a
widespread problem.

I've documented the results at:

 http://www.climagic.org/bugreports/libvte-flaw-distro-defaults-chart.html


You can view the libvte bug report here:

 http://climagic.org/bugreports/libvte-scrollback-written-to-disk.html


Extra Note: I'm not suggesting that everyone put their /tmp on tmpfs
and/or start using encrypted filesystem. There are other considerations
which I talk about in the document above.


-- 
Mark S. Krenz
IT Director
Suso Technology Services, Inc.
 
Sent from Mutt using Linux

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists