Kevin F. Quinn (Gentoo) wrote:
> On Fri, 12 May 2006 10:49:22 +0200
> Simon Strandman <simon.strandman@×××××.com> wrote:
>
>
>> I installed modular X on my server running hardened.
>>
>
> X on a server? If it's just for the libs that's ok, but running the X
> server itself is risky on a server as it's huge and suid so flaws can
> easily gain root access. One such was discovered just the other week
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1526).
>
I have my reasons. I need to run VNC on it.
>
>> It was quite
>> annoying to have to switch back and forth between the vanilla gcc and
>> the hardened. I couldn't leave it on compiling over the night but had
>> to monitor it all the time. Is this really necessary? Why can't the
>> modular X eclass just append the appropriate CFLAGS/LDFLAGS that
>> disables bind now or whatever it is that breaks X instead?
>>
>
> It could, if we had the time to get it working. It should work
> passing '-nonow' to all invocations of gcc that do linking of relevant
> bits, but for some reason when people have tried that it hasn't worked -
> see bug #110506. We (hardened) haven't had the time to investigate
> further, and we don't want to complicate the stabilisation effort of
> modular X (which is a big enough job as it is) so we've left it as it
> is for the moment. We'll probably start looking at it again once it
> becomes stable (also upstream have a pending task to resolve the issue
> properly, but don't hold your breath).
>
> P.S. there's a hardened mailing list that is relevant.
>
Ok, thanks for the explanation! I'll keep track of that bug.


--
Simon Strandman - simon.strandman(a)telia.com

--
gentoo-dev@g.o mailing list