zhen,
Peter is right, openssl in the stage3 does contain TEXTREL.
This needs to be fixed for the final grp stages are released. For all
arches that GRP is going to handle (not just hardened).

I've also noticed that our desired FEATURES don't seem to be kicking in
until after the user has rsyncd.

Let's take a look at basic file permissions.
# 04000.

1825457 28 -rwsr-xr-x 1 root root 26732 Jan 6 12:17 /bin/su
1825515 40 -rwsr-xr-x 1 root root 37072 Jan 6 12:07 /bin/ping
1825449 96 -rws--x--x 1 root root 90808 Jan 6 12:22 /bin/mount
1825451 32 -rwsr-xr-x 1 root root 32304 Jan 6 12:07 /bin/ping6
1825429 56 -rws--x--x 1 root root 50572 Jan 6 12:22 /bin/umount
408439 36 -rwsr-xr-x 1 root root 33484 Jan 6 12:17 /usr/bin/chfn
408378 36 -rwsr-xr-x 1 root root 33548 Jan 6 12:17 /usr/bin/chsh
408312 44 -rwsr-xr-x 1 root root 43880 Jan 6 12:17 /usr/bin/chage
408543 16 -rwsr-xr-x 1 root root 14612 Jan 6 12:07 /usr/bin/traceroute6
408733 12 -rwsr-xr-x 1 root root 10332 Jan 6 12:07 /usr/bin/tracepath6
408346 24 -rwsr-xr-x 1 root root 20552 Jan 6 12:17 /usr/bin/expiry
408730 1072 -rws--x--x 2 root root 1091093 Jan 6 11:59 /usr/bin/sperl5.8.0
408476 28 -rwsr-xr-x 1 root root 25000 Jan 6 12:17 /usr/bin/newgrp
408656 32 -rwsr-xr-x 1 root root 31208 Jan 6 12:17 /usr/bin/passwd
408614 44 -rwsr-xr-x 1 root root 41460 Jan 6 12:17 /usr/bin/gpasswd
408426 12 -rwsr-xr-x 1 root root 10260 Jan 6 12:07 /usr/bin/tracepath
408730 1072 -rws--x--x 2 root root 1091093 Jan 6 11:59 /usr/bin/suidperl
603864 180 -rws--x--x 1 root root 179236 Jan 6 12:24 /usr/lib/misc/ssh-keysign
603865 8 -rws--x--x 1 root root 6104 Jan 6 10:08 /usr/lib/misc/pt_chown
1564576 24 -r-sr-xr-x 1 root root 22495 Jan 6 12:16 /usr/sbin/unix_chkpwd
1564569 20 -r-sr-xr-x 1 root root 19652 Jan 6 12:16 /usr/sbin/pwdb_chkpwd
1564531 12 -r-s--x--x 1 root root 11411 Jan 6 12:16 /usr/sbin/pam_timestamp_check

# 02000
408563 48 -r-xr-sr-x 1 root man 48840 Jan 6 11:45 /usr/bin/man
408507 12 -rwxr-sr-x 1 root tty 9200 Jan 6 12:22 /usr/bin/write
408540 36 -rwx--s--x 1 root 2601 36561 Jan 6 12:17 /usr/bin/slocate

# all these setuid files should be go-rw and setgid files should be o-rw
out of the box.

# We don't have ipv6 enabled in our USE flags so I don't see why we
should be getting tracepath6, traceroute6 in the first place (odd eh?).

# It also appears ccache is getting enabled. I'm not sure if we want
this or not. I would assume NO as it's been known to cause problems with
old __guard symbols laying around. But it might not be a problem as long
as the __guard symbol is found at glibc vs libgcc. Perhaps pappy can
comment on if he thinks this feature should be disabled in our profile.

# stripping. I've still got one small addition to go into portage itself
to handle stripping better of shared objects. Don't let it hold you up as
it only shaved off 2 megs off of /{,usr/}{s,}bin/

On Thu, 2004-01-08 at 16:10, John Davis wrote:
> Peter S. Mazinger wrote:
> | Hello!
> |
> | On my first attempt with gentoo starting from stage3 (oregonstate
> | december) tarball, chroot, and running emerge --help shows libcrypto
> | (0.9.6) having TEXTREL (I have checked all other libs in /lib, /usr/lib,
> | they are clean). Could this also be the case for the mainstream openssl?
> |
> | Peter
> |
> Are you using hardened stages - if so, use the ones from the
> experimental directory that are datestamped 20040105. I do not know if
> they have TEXTREL removed, but if hgcc 2.4.5 supports that, then yes.
>
> Cheers,
> //zhen
> --
> John Davis
> Gentoo Linux Developer
> <http://dev.gentoo.org/~zhen>
>
> ----
> Knowledge can be more terrible than ignorance if you're powerless to
> change your world.
>
> --
> gentoo-hardened@g.o mailing list
--
Ned Ludd <solar@g.o>
Gentoo Linux Developer