Branch 'f12' - en-US/Boot.xml en-US/Security.xml

Rüdiger Landmann rlandmann at fedoraproject.org
Mon Sep 14 00:57:30 UTC 2009


 en-US/Boot.xml     |   29 +++++++++++++++++++++++++++++
 en-US/Security.xml |   20 ++++++++++++++++++++
 2 files changed, 49 insertions(+)

New commits:
commit b02525f33095d1447509038d861ceb6a1be26eb9
Author: Ruediger Landmann <r.landmann at redhat.com>
Date:   Mon Sep 14 10:56:47 2009 +1000

    Boot and Security

diff --git a/en-US/Boot.xml b/en-US/Boot.xml
index 5165314..726b38b 100644
--- a/en-US/Boot.xml
+++ b/en-US/Boot.xml
@@ -5,6 +5,35 @@
 <section id="sect-Release_Notes-Fedora_12_Boot_Time">
 	<title>Fedora 12 Boot Time</title>
 	<remark>This beat is located here: <ulink type="http" url="https://fedoraproject.org/wiki/Docs/Beats/Boot">https://fedoraproject.org/wiki/Docs/Beats/Boot</ulink></remark>
+	
+	<section id="sect-Release_Notes-Fedora_12_Boot_Time-ext4">
+		<title>GRUB with ext4 support</title>
+
+		<para>
+			Fedora 9 originally included experimental support for ext4 and Fedora 11 included ext4 by default. However, <application>GRUB</application> in that version did not support ext4 and hence required a separate boot partition formatted as ext3 or ext2. Fedora 12 now includes a updated version of <application>GRUB</application> with ext4 support. <application>Anaconda</application> (the Fedora installer) will permit this as well.
+		</para>
+	</section>
+
+	<section id="sect-Release_Notes-Fedora_12_Boot_Time-Dracut">
+		<title>Dracut — new booting system</title>
+
+		<para>
+			Up until Fedora 10, the boot system (<firstterm>initial ram disk</firstterm> or <firstterm>initrd</firstterm>) used to boot Fedora was monolithic, very distribution-specific and did not provide much flexibility. This will be replaced with <application>Dracut</application>, an initial ram disk with an event-based framework designed to be distribution-independent. It has been also adopted by the Fedora-derived OLPC project's XO operating system. OLPC modules for <application>Dracut</application> are available in the Fedora repository. Early feedback and testing is welcome.
+		</para>
+	</section>
+
+	<section id="sect-Release_Notes-Fedora_12_Boot_Time-KMS">
+		<title>Faster and smoother graphical startup</title>
+
+		<para>
+			<firstterm>Kernel Mode Setting</firstterm> (KMS) is now enabled by default on NVIDIA systems as well, through the <application>Nouveau</application> driver. Fedora 10 originally included support for KMS, but only for some ATI display cards. In Fedora 11, this was extended to Intel cards as well. This release has extended it further to support NVIDIA cards as well.
+		</para>
+
+		<para>
+			As as result of this improvement, you will get a faster and smoother graphical boot on nearly all systems, via the <application>plymouth</application> graphical boot system developed within Fedora.
+		</para>
+	</section>
+
 </section>
 
 
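Review bot: the three new paragraphs in this hunk carry typos that should be fixed before the next build: "a updated version of GRUB" should read "an updated version", "It has been also adopted" should read "It has also been adopted", and "As as result of this improvement" should read "As a result of this improvement". Two wording points as well: the Dracut paragraph says the monolithic initrd "will be replaced", but since these are the Fedora 12 notes the present tense ("is replaced in Fedora 12 by Dracut") matches the rest of the beat; and the KMS paragraph says "enabled by default on NVIDIA systems as well" in its first sentence and then "to support NVIDIA cards as well" in its last, so one of the two "as well" clauses can be dropped.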
diff --git a/en-US/Security.xml b/en-US/Security.xml
index 745b9a5..daa0a5a 100644
--- a/en-US/Security.xml
+++ b/en-US/Security.xml
@@ -9,6 +9,26 @@
 		This section highlights various security items from Fedora.
 	</para>
 	
+	
+	<section id="sect-Release_Notes-Security-Lower_process_capabilities">
+		<title>Lower process capabilities</title>
+		<para>
+			Daemons running as root have been reviewed and patched to run with lower process capabilities. This reduces the desirability of using these daemons for privilege escalation. Additionally, the shadow file permissions have been changed to <literal>000</literal> and several directories in <filename>$PATH</filename> have been set to <literal>555</literal> in order to prevent daemons without <literal>DAC_OVERRIDE</literal> from being able to access the shadow file or write to the <filename>$PATH</filename> directories.
+		</para>
+
+		<para>
+			When someone attacks a system, they normally can not do much unless they can escalate privileges. This feature reduces the number of attack targets that can be used to escalate privileges. If root processes do not have all capabilities, they will be harder to use to subvert the system.
+		</para>
+
+		<para>
+			Processes with the root uid can still damage a system, because they can write to nearly any file and of course read the <filename>/etc/shadow file</filename>. However, if the system is hardened so that root requires the <literal>DAC_OVERRIDE</literal> capability, then only a limited number of processes can damage the system. This will not affect any admin abilities because they always get full privileges which includes <literal>DAC_OVERRIDE</literal>. Therefore, even if someone does successfully attack a root process, it is now harder for them to take advantage of this attack. 
+		</para>
+
+		<para>
+			A hardened system would have permissions like: <literal>555</literal> <filename>/bin</filename>, <literal>555</literal> <filename>/lib</filename>, <literal>000</literal> <filename>/etc/shadow</filename> and so on. The current scope is to cover the directories in <filename>$PATH</filename> variable, library dirs, <filename>/boot</filename>, and <filename>/root</filename>. This scheme does not affect SELinux in any way and complements it since capabilities are DAC controls and they have first vote on allowing an access.
+		</para>
+	</section>
+	
 </section>
 
 
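Review bot: in the third new paragraph, `<filename>/etc/shadow file</filename>` wraps the word "file" inside the filename element, which will render the path as "/etc/shadow file"; it should be `<filename>/etc/shadow</filename> file`. Smaller points in the same hunk: "in <filename>$PATH</filename> variable" in the last paragraph needs "the" ("in the $PATH variable"), "reduces the desirability of using these daemons for privilege escalation" in the first paragraph reads more naturally as "makes these daemons less attractive targets for privilege escalation", and the hunk adds a second empty line directly after the existing blank at the top of the section. On documentation completeness: the first paragraph gives the mechanism (shadow set to 000, $PATH directories set to 555, so daemons lacking DAC_OVERRIDE cannot read or write them) and the third concedes that root processes holding DAC_OVERRIDE are unaffected; stating in the first paragraph that the protection applies only to daemons whose capability set has actually been reduced would save readers from assuming the permission changes alone constrain root.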