Ed Wildgoose wrote:

>
>> It's come to my attention this afternoon that there's some portage
>> breakage with the stacked profiles. I plan on building the 2004.1
>> stages as soon as this is fixed up.
>>
>
> Thanks. Can you explain what this means for me? I presume it means
> that there will be a new portage build out that handles the
> situation? If it's currently masked can you please let me know what I
> should be grabbing please (easier than currently having to manually
> tweak this stuff perhaps)
>
>>> It's really not clear what needs to be done to get a "hardened"
>>> system right now? For example, do we need any other flags adding to
>>> make.conf...?
>>>
>>
>> Actually things are in a bit of flux. Hardened-gcc is deprecated, and
>> the replacement (gcc-3.3.3-r[23] with USE=hardened) is still in
>> testing. The term 'hardened' sometimes gets thrown around a little too
>> much. The hardened stages are more precisely pie-ssp stages. You can
>> have SELinux with pie-ssp; it just takes a little work. This is a
>> common request, so I'll probably be making selinux-pie-ssp stages
>> eventually to make this easier.
>>
>
> OK, thanks, this is helpful. I'm using gcc-3.3.2-r5, i.e. the latest
> portage stable. I understood that this was more than enough to
> support the hardened stuff? I don't see any -fPIE flags being added
> for me, and although I see -fstack-protector being added, this is
> presumably because I added it into my CFLAGS.
>
> Can you advise what the best thing is to do right now in order to at
> least partially harden the machine. Recompiling bits of stuff later
> is an option, but I can't really afford a full rebuild. In any case
> my alternative is a normal gentoo build, so I will take whatever
> hardening is easy to do right now (on the grounds it is better than
> nothing). The main entry route to the machine will likely remain the
> php apps running on the web-server, so this is actually where the bulk
> of my effort needs to go anyway - hardening is just some icing
> really. On the other hand I am not sure yet how selinux is going to
> help with securing Apache, still need to try and understand more about
> this - has anyone written a howto on chrooting apache2 on gentoo, this
> might well be the preferred way to secure it in my case...?
>
> Thanks
>
> Ed W
>
> --
> gentoo-hardened@g.o mailing list
>
Sorry for this, new guy in this gentoo business, I just wanted to ask a
few questions. I joined the mailing list because it said it was about the
hardened sources, and that's what I installed, but I wanted to know what
the difference is exactly (you guys are talking on another level!!)

If this is not the place to ask this (as it obviously isn't a simple Q &
A mailing list), then just tell me to take a hike, although I'd still
like to receive the emails, as information only..

thanks

Charles Romestant

--
gentoo-hardened@g.o mailing list
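Ed's doubt above about whether -fPIE and -fstack-protector actually took effect can be settled by inspecting the built binaries rather than the CFLAGS. The following is an added example, not code from this thread or from Gentoo: it reads the ELF header and program headers to tell a fixed-address executable from a PIE (and a PIE from a plain shared library), and looks for the __stack_chk_fail reference that -fstack-protector leaves in any instrumented binary. build_sample_elf constructs a toy ELF image purely for demonstration, and the file path in classify_file is a placeholder.

```python
import struct

PT_INTERP, ET_EXEC, ET_DYN = 3, 2, 3
STACK_CHK_SYMBOL = b"__stack_chk_fail"


def classify_elf(data: bytes) -> dict:
    """kind: 'exec' (fixed-address executable), 'pie' (relocatable executable,
    what -fPIE/-pie produce), 'lib' (shared object) or 'other'. ssp: True when
    the image references __stack_chk_fail, the handler -fstack-protector inserts."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    if data[4] == 2:  # ELF64 header layout
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    else:  # ELF32 header layout
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
    # Only executables carry a PT_INTERP header naming the dynamic loader, so
    # it separates a PIE from an ordinary shared library (both are ET_DYN).
    has_interp = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if (off + 4 <= len(data)
                and struct.unpack_from(endian + "I", data, off)[0] == PT_INTERP):
            has_interp = True
    if e_type == ET_EXEC:
        kind = "exec"
    elif e_type == ET_DYN:
        kind = "pie" if has_interp else "lib"
    else:
        kind = "other"
    return {"kind": kind, "pie": kind == "pie", "ssp": STACK_CHK_SYMBOL in data}


def classify_file(path: str) -> dict:
    with open(path, "rb") as fh:  # e.g. classify_file("/path/to/binary")
        return classify_elf(fh.read())


def build_sample_elf(e_type: int, with_interp: bool, with_ssp: bool) -> bytes:
    """Constructed minimal little-endian ELF64 image (not a real binary):
    a header, one program header and optionally the SSP symbol name."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0,
                                 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<II", PT_INTERP if with_interp else 1, 0) + b"\0" * 48
    return header + phdr + (STACK_CHK_SYMBOL if with_ssp else b"")
```

A hit on __stack_chk_fail only proves that at least one function was instrumented, and a stripped fully static binary may not show it at all, so treat it as a quick triage check rather than proof that a whole package was built with the hardened flags.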