| 1 |
I had previously posted this in the forum, but now that I've made some |
| 2 |
more progress I'm trying to key a few more people in on what I'm doing. |
| 3 |
The original thread is available at |
| 4 |
<http://forums.gentoo.org/viewtopic.php?t=33614> |
| 5 |
|
| 6 |
I've implemented a ProPolice |
| 7 |
<http://www.trl.ibm.com/projects/security/ssp/> patched gcc ebuild. This |
| 8 |
patch will build stack-smashing protection into your code at compile time. |
| 9 |
This is an excellent security measure -- one that has just recently been |
| 10 |
implemented in OpenBSD-current. It can be enabled explicitly through the |
| 11 |
CFLAG -fstack-protector or turned on by default with a separate patch. As |
| 12 |
I have it now, it is by default turned off, as there are several ebuilds |
| 13 |
that have problems with it (most notably portage). For more information |
| 14 |
on this have a look at my site |
| 15 |
at<http://frogger974.homelinux.org/gentoo_propolice.html> |
| 16 |
|
| 17 |
I've also put together a script which will copy an Apache install into a |
| 18 |
chroot under /var/chroot/apache. There is also a new new startup script to |
| 19 |
start/stop/restart the chrooted daemon. The script requires apache to be |
| 20 |
merged to run, but after it has been installed, you can feel free to |
| 21 |
unmerge the old non-chrooted apache. Again, more information is available |
| 22 |
at <http://frogger974.homelinux.org/gentoo_propolice.html> . This doesn't |
| 23 |
require ProPolice, but it runs fine being built with the stack protection |
| 24 |
if you're interested in trying. |
| 25 |
|
| 26 |
I'd eventually like to implement this chrooted Apache as its own ebuild. |
| 27 |
This script is easier for now, and allows me to do the testing I need. |
| 28 |
It is also completely parallel to the regular Apache build, just moved to |
| 29 |
/var/chroot/apache. This might not be the best idea, since we don't |
| 30 |
really need the obscure file locations/symlinks from the original build if |
| 31 |
it's all just going under /var/chroot/apache. |
| 32 |
|
| 33 |
So anyway, if anyone would like to test any of this stuff feel free. Let |
| 34 |
me know how it turns out. I'm also open to any suggestions on things I |
| 35 |
should change or other things I should implement. I would like to start |
| 36 |
by chrooting other daemons including bind and ntpd. |
| 37 |
|
| 38 |
I think all of these things would make a good addition to a 'Secure |
| 39 |
Gentoo'. |
| 40 |
|
| 41 |
-Matt Rickard |
| 42 |
|
| 43 |
-- |
| 44 |
gentoo-dev@g.o mailing list |
Archives