I had previously posted this in the forum, but now that I've made some
more progress I'm trying to key a few more people in on what I'm doing.
The original thread is available at
<http://forums.gentoo.org/viewtopic.php?t=33614>

I've implemented a ProPolice
<http://www.trl.ibm.com/projects/security/ssp/> patched gcc ebuild. This
patch will build stack-smashing protection into your code at compile time.
This is an excellent security measure -- one that has just recently been
implemented in OpenBSD-current. It can be enabled explicitly through the
CFLAG -fstack-protector or turned on by default with a separate patch. As
I have it now, it is by default turned off, as there are several ebuilds
that have problems with it (most notably portage). For more information
on this have a look at my site
at <http://frogger974.homelinux.org/gentoo_propolice.html>

I've also put together a script which will copy an Apache install into a
chroot under /var/chroot/apache. There is also a new startup script to
start/stop/restart the chrooted daemon. The script requires apache to be
merged to run, but after it has been installed, you can feel free to
unmerge the old non-chrooted apache. Again, more information is available
at <http://frogger974.homelinux.org/gentoo_propolice.html>. This doesn't
require ProPolice, but it runs fine being built with the stack protection
if you're interested in trying.

I'd eventually like to implement this chrooted Apache as its own ebuild.
This script is easier for now, and allows me to do the testing I need.
It is also completely parallel to the regular Apache build, just moved to
/var/chroot/apache. This might not be the best idea, since we don't
really need the obscure file locations/symlinks from the original build if
it's all just going under /var/chroot/apache.

So anyway, if anyone would like to test any of this stuff feel free. Let
me know how it turns out. I'm also open to any suggestions on things I
should change or other things I should implement. I would like to start
by chrooting other daemons including bind and ntpd.

I think all of these things would make a good addition to a 'Secure
Gentoo'.

-Matt Rickard

--
gentoo-dev@g.o mailing list
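Since the post leaves stack protection off by default and expects people to turn it on per package with -fstack-protector, a tester wants a quick way to confirm that a given set of CFLAGS really produced protected code. The following is an added example, not part of Matt's post, the ebuild, or the ProPolice project: a POSIX shell function that compiles a small constructed C function with the supplied flags and inspects the object for a reference to the stack-check failure handler. It assumes `cc` and `nm` are on the PATH and that the compiler names the handler either `__stack_chk_fail` (gcc 4.1 and later, clang) or `__stack_smash_handler` (the original ProPolice patch); any other handler name would need to be added to the pattern.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the compiler
# emitted stack-smashing protection for the given CFLAGS.
#
# Assumptions: `cc` and `nm` exist; the failure handler is named
# __stack_chk_fail (modern gcc/clang) or __stack_smash_handler (original
# ProPolice).  Prints "protected" or "unprotected"; returns 2 on build error.
ssp_status() {
    flags="$1"
    workdir=$(mktemp -d) || return 2

    # Constructed probe: a local char array of 64 bytes is above the default
    # ssp-buffer-size of 8, so plain -fstack-protector instruments it.
    cat > "$workdir/probe.c" <<'EOF'
#include <string.h>

int probe(const char *s)
{
    char buf[64];
    strncpy(buf, s, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return (int)strlen(buf);
}
EOF

    # $flags is intentionally unquoted so several flags can be passed.
    if ! cc $flags -c "$workdir/probe.c" -o "$workdir/probe.o" 2>/dev/null; then
        rm -rf "$workdir"
        return 2
    fi

    # A protected function calls the failure handler on canary mismatch,
    # so the object carries an undefined reference to it.
    if nm "$workdir/probe.o" 2>/dev/null \
        | grep -Eq '__stack_chk_fail|__stack_smash_handler'; then
        result=protected
    else
        result=unprotected
    fi

    rm -rf "$workdir"
    echo "$result"
}

# Stand-alone usage: compare an explicitly disabled build against an
# explicitly enabled one.  -fno-stack-protector is used as the baseline
# because some toolchains enable protection by default.
if command -v cc >/dev/null 2>&1 && command -v nm >/dev/null 2>&1; then
    for f in -fno-stack-protector -fstack-protector; do
        echo "$f: $(ssp_status "$f")"
    done
fi
```

The baseline deliberately passes -fno-stack-protector rather than no flag at all, because a toolchain that already defaults to protection would otherwise report "protected" for both runs and tell you nothing about whether your CFLAGS are being honoured. The same function can be pointed at the flags an ebuild actually uses by passing them as a single quoted string.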