The random-PID FAQ

Some questions just keep popping up all the time, so I decided to write a FAQ.

Isn't your patch just introducing security trough obscurity?

Q:
> It was rejected because Alan Cox (and others) felt it only provided
> security through obscurity.
A:
Yeah, well, yeah. My patch wasn't actually ment to be included in the main-
kernel. I agree with the security-by-obscurity argument altough I think it's
_not ALWAYS_ a bad thing.
What I am trying to say is: I agree that sofware should be written so that
they can't be exploited in one way or another. But since software is written
by humans, it's likely that bugs stay always in. Furthermore; it's always
possible that in the future new exploits are invented which exploit things
the original programmer didn't think of, and also; new libcs might have
security-problems which affect your software. To prevent that your system
gets cracked by some script-kiddie, I found it a good thing to patch the
mainstream-kernel with patches that disable executable stacks, make the
/proc filesystem more restricted, etc. etc. And in my quest for creating a
secure-as-possible system which anticipates on future exploits I found that
using random PIDs is a good thing.

Are you the first one to write such a patch?

A:
No, I'm not. I didn't know of the other patch before I wrote a message
to LKM. In my opinion my patch deserves also the right to live (;0]) since
it's way less bloated then the other. The other is much more flexible,
though, which might be a Good Thing(TM) sometimes.
The other patch
Discussion on this patch



feedback