On Sun, 2009-04-19 at 20:59 -0400, basile wrote:
> Mansour Moufid wrote:
> > On Sun, Apr 19, 2009 at 9:44 AM, Thomas Sachau <tommy@g.o> wrote:
> >
> >> basile schrieb:
> >>
> >>> Hi, I have a couple of questions for Gordon and Nedd regarding
> >>> rebuilding an entire desktop system with emerge -e world, both amd64 and
> >>> i686. I'm mostly worried about the security implications of the
> >>> choices I'm making and I'm not 100% sure of my understanding.
> >>>
> >>> 1) Regarding choice of compiler. gcc-config -l gives
> >>>
> >>> [1] x86_64-pc-linux-gnu-3.4.6
> >>> [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
> >>> [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
> >>> [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
> >>> [5] x86_64-pc-linux-gnu-3.4.6-vanilla
> >>> [6] x86_64-pc-linux-gnu-4.1.2
> >>>
> >>> My understanding is that [1] is fully hardened and that [2]-[5] are
> >>> exactly what they say, respectively no pie, no pie nor ssp, no ssp and
> >>> fully vanilla. My confusion is about 4.1.2. What hardening is present
> >>> in it? (Did some hardening which wasn't present in gcc-3 make it to
> >>> gcc-4 vanilla?) What's the best practice here?
> >>>
> >> You are right with gcc-3.4.6-r2. How did you install gcc-4? It should be masked, as that version does
> >> not have any builtin hardened features, so it is only a normal, non-hardened gcc-4.1.2.
> >>
> >
> > This can happen when using a non-hardened stage3 tarball during the
> > install, then switching to the hardened profile later.
> >
> > I've noticed it's not immediately clear where to get hardened stages
> > in the documentation. For those wondering, the mirror URL can be found
> > in the topic on #gentoo-hardened, i.e.:
> > http://gentoo.osuosl.org/releases/${ARCH}/2008.0/stages/hardened/
> >
>
> I followed a variation of the upgrade process discussed here:
>
> http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml
>
> The differences are I used binutils-2.18 and glibc-2.8_p20080602-r1.
>
> I understand that it's a VERY EARLY draft, but it proceeded without any
> problems on both i686 and amd64. I'm pretty sure I didn't lose PIE,
> but I'm not so sure about SSP. I'm playing around now with
> -fstack-protector-all in my CFLAGS.
>
>
> >>> 2) Regarding the choice of profiles on amd64. I have
> >>>
> >>> [6] hardened/amd64
> >>> [7] hardened/amd64/multilib *
> >>> [10] hardened/linux/amd64
> >>>
> >>> I'm using the multilib one and I'm wondering what the security implications
> >>> of this decision are. Also, should I be thinking about the newer [10] on
> >>> amd64? What about the similar choice on i686?
> >>>
> >>> Thanks guys.
> >>>
> >> What security implications should there be?
> >> The newer [10] is still experimental and may change without warning. Use either [6] or [7] for now.
> >>
> >> --
> >> Thomas Sachau
> >>
> >> Gentoo Linux Developer
> >>
>
> I remember reading about lots of security bugs with emulating
> libraries. I just googled for it to remind myself. So I'm wondering
> whether profile 6 is better than 7.

Either is fine.

[6] might be better for a server where space is a concern, or for
extreme paranoia.
[7] is the only real choice if you plan to use X at all.

If you were on #10 then it's best to switch to #7 also.

# to update the installed gcc:4.x also.
ACCEPT_KEYWORDS="~*" emerge -pvq gcc
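basile's worry above, that the rebuilt toolchain may have kept PIE but silently dropped SSP, is answerable by inspecting the binaries it produced rather than by trusting the gcc-config profile name. The script below is an added example written for this page; it is not code from the thread, from Gentoo or from pax-utils. It reads the ELF header and program headers itself (no readelf or scanelf needed), reports whether an executable is PIE and whether it references __stack_chk_fail, and, when run without arguments, exercises itself on minimal ELF images it constructs in memory; those sample images are fabricated for demonstration and are not loadable programs.

```python
"""Crude checksec-style probe: was an ELF file linked as PIE, and does it
carry stack-protector (SSP) instrumentation?  Pure Python, so it works on a
system without readelf or pax-utils installed."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3        # e_type: fixed-address executable / position-independent
PT_LOAD, PT_INTERP = 1, 3     # program header types we care about
EM_386, EM_X86_64 = 3, 62


def parse_elf(data):
    """Return word size, e_type, e_machine and the list of program header types."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    bits = 64 if data[4] == 2 else 32           # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    if len(data) < (64 if bits == 64 else 52):
        raise ValueError("truncated ELF header")
    e_type, e_machine = struct.unpack(end + "HH", data[16:20])
    if bits == 64:
        (e_phoff,) = struct.unpack(end + "Q", data[32:40])
        e_phentsize, e_phnum = struct.unpack(end + "HH", data[54:58])
    else:
        (e_phoff,) = struct.unpack(end + "I", data[28:32])
        e_phentsize, e_phnum = struct.unpack(end + "HH", data[42:46])
    phdr_types = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break                               # truncated table: stop, don't read past EOF
        phdr_types.append(struct.unpack(end + "I", data[off:off + 4])[0])
    return {"bits": bits, "type": e_type, "machine": e_machine, "phdr_types": phdr_types}


def check_hardening(data):
    """Classify one ELF image.

    pie: an executable (it has a PT_INTERP entry naming the dynamic loader)
         whose e_type is ET_DYN can be mapped at a random base; ET_EXEC means
         a fixed load address, so the main image gets no ASLR.
    ssp: SSP-instrumented functions call __stack_chk_fail on a canary
         mismatch, so that name shows up in the file's string tables; this is
         the same heuristic checksec.sh applies to `readelf -s` output.
         Caveat: plain -fstack-protector only guards functions holding char
         arrays, so a small binary may legitimately contain no reference even
         though SSP was on; -fstack-protector-all instruments every function.
    """
    hdr = parse_elf(data)
    is_exec = PT_INTERP in hdr["phdr_types"]
    return {
        "bits": hdr["bits"],
        "executable": is_exec,
        "pie": is_exec and hdr["type"] == ET_DYN,
        "shared_object": (not is_exec) and hdr["type"] == ET_DYN,
        "ssp": b"__stack_chk_fail" in data,
    }


def make_sample(e_type, interp=True, ssp=True, bits=64):
    """Constructed, minimal ELF image (header, one program header, a few
    strings) so the checker can be exercised offline.  Not loadable; it only
    carries the fields check_hardening() inspects."""
    p_type = PT_INTERP if interp else PT_LOAD
    if bits == 64:
        ehsize, phentsize = 64, 56
        ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\0" * 7
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, EM_X86_64, 1, 0,
                                   ehsize, 0, 0, ehsize, phentsize, 1, 0, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", p_type, 4, ehsize + phentsize, 0, 0, 0, 0, 1)
    else:
        ehsize, phentsize = 52, 32
        ident = ELF_MAGIC + bytes([1, 1, 1, 0, 0]) + b"\0" * 7
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, EM_386, 1, 0,
                                   ehsize, 0, 0, ehsize, phentsize, 1, 0, 0, 0)
        phdr = struct.pack("<IIIIIIII", p_type, ehsize + phentsize, 0, 0, 0, 0, 4, 1)
    body = b"/lib/ld-linux.so.2\0" if interp else b""
    if ssp:
        body += b"__stack_chk_fail\0"
    return ehdr + phdr + body


def report(name, data):
    r = check_hardening(data)
    kind = "PIE" if r["pie"] else ("DSO" if r["shared_object"] else "EXEC")
    print("%-28s %2d-bit %-4s SSP=%s" % (name, r["bits"], kind, "yes" if r["ssp"] else "no"))


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:                                 # e.g. python3 elfcheck.py /bin/ls /usr/bin/*
        for path in targets:
            with open(path, "rb") as f:
                report(path, f.read())
    else:                                       # no args: run on the constructed samples
        report("sample: hardened PIE+SSP", make_sample(ET_DYN))
        report("sample: vanilla EXEC", make_sample(ET_EXEC, ssp=False))
        report("sample: 32-bit nopie", make_sample(ET_EXEC, bits=32))
        report("sample: shared lib", make_sample(ET_DYN, interp=False))
```

The useful way to apply it after an emerge -e world is to point it at something the new toolchain just built (a freshly compiled test program is the cleanest case) rather than at old binaries: an ET_EXEC result from a supposedly hardened gcc means PIE was lost, and a binary that has char buffers on the stack but no __stack_chk_fail reference means SSP was not applied. Because the SSP check is a string-table heuristic, a stripped static binary or a program with nothing to protect can show SSP=no while the compiler was in fact hardened; -fstack-protector-all, which basile mentions, removes that ambiguity by instrumenting every function.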