| 1 |
On Tue, 2004-04-27 at 17:40, Ed Wildgoose wrote: |
| 2 |
> >It's come to my attention this afternoon that theres some portage |
| 3 |
> >breakage with the stacked profiles. I plan on building the 2004.1 |
| 4 |
> >stages as soon as this is fixed up. |
| 5 |
> |
| 6 |
> Thanks. Can you explain what this means for me? I presume it means |
| 7 |
> that there will be a new portage build out that handles the situation? |
| 8 |
> If it's currently masked can you please let me know what I should be |
| 9 |
> grabbing please (easier than currently having to manually tweak this |
| 10 |
> stuff perhaps) |
| 11 |
|
| 12 |
Apparently you if you replace "os.path.dirname(mypath)" with "mypath" in |
| 13 |
/usr/lib/portage/pym/portage.py line 1206, it should work. The 51_pre* |
| 14 |
portages are fixed, but they have other problems, and I wouldn't suggest |
| 15 |
using them. |
| 16 |
|
| 17 |
> >>It's really not clear what needs to be done to get a "hardened" system |
| 18 |
> >>right now? For example, do we need any other flags adding to |
| 19 |
> >>make.conf...? |
| 20 |
> >> |
| 21 |
> >> |
| 22 |
> > |
| 23 |
> >Actually things are in a bit of flux. Hardened-gcc is deprecated, and |
| 24 |
[cut] |
| 25 |
> OK, thanks this is helpful. I'm using gcc-3.3.2-r5, ie the latest |
| 26 |
|
| 27 |
This version only has ssp (-fstack-protector). |
| 28 |
|
| 29 |
> Can you advise what the best thing is to do right now in order to at |
| 30 |
> least partially harden the machine. Recompiling bits of stuff later is |
| 31 |
|
| 32 |
The minimum I'd suggest is to continue with ssp, and use a kernel with |
| 33 |
PaX. |
| 34 |
|
| 35 |
> an option, but I can't really afford a full rebuild. In any case my |
| 36 |
> alternative is a normal gentoo build, so I will take whatever hardening |
| 37 |
> is easy to do right now (on the grounds it is better than nothing). The |
| 38 |
> main entry route to the machine will likely remain the php apps running |
| 39 |
> on the web-server, so this is actually where the bulk of my effort needs |
| 40 |
> to go anyway - hardening is just some icing really. On the other hand I |
| 41 |
> am not sure yet how selinux is going to help with securing Apache, |
| 42 |
|
| 43 |
SELinux is the last line of defense. It helps when someone has |
| 44 |
subverted apache. The SELinux policy doesn't allow the apache domain do |
| 45 |
anything beyond normal operations. For example, there wouldn't be any |
| 46 |
defacement, because the apache domain can only read the web pages, not |
| 47 |
write them, even if they gain root privileges. |
| 48 |
|
| 49 |
-- |
| 50 |
Chris PeBenito |
| 51 |
<pebenito@g.o> |
| 52 |
Developer, |
| 53 |
Hardened Gentoo Linux |
| 54 |
Embedded Gentoo Linux |
| 55 |
|
| 56 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 57 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives