Gentoo Archives: gentoo-hardened

From: John Eckhart <jweckhart@×××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Hardened laptop: am I nuts?
Date: Wed, 05 Dec 2007 18:27:40
Message-Id: e532144c0712051024k41129253y434c900d7d2fea1e@mail.gmail.com
In Reply to: Re: [gentoo-hardened] Hardened laptop: am I nuts? by John Eckhart
I just verified that I am running hardened on a "multilib" system and the
multilib useflag is disabled (also of note, this machine serves about 10
VMs via vmware server, which is only 32-bit, so it definitely runs 32-bit
code):

> eix -I --installed-with-use multilib
No matches found.

> eix -I --installed-without-use multilib
[I] sys-devel/gcc
Available versions:
(2.95) [P]*2.95.3-r9 [P]~*2.95.3-r10
(3.1) [P]*3.1.1-r2
(3.2) [P]**3.2.2 [P]*3.2.3-r4
(3.3) ~3.3.6-r1
(3.4) 3.4.6-r2
(4.0) [M]~*4.0.3 [M]~*4.0.4
(4.1) [M]~4.1.0-r1 [M]4.1.1-r3 [M]4.1.2
(4.2) [M]~4.2.0 [M]~4.2.1 [M](~)4.2.2
{altivec bootstrap boundschecking build d doc fortran gcj gtk
hardened ip28 ip32r10k java mudflap multilib multislot n32 n64 nls nocxx
nopie nossp objc objc++ objc-gc openmp static test vanilla}
Installed versions: 3.4.6-r2(3.4)(15:26:26 11/06/07)(d fortran gcj gtk
hardened nls -altivec -bootstrap -boundschecking -build -doc -ip28 -ip32r10k
-multilib -multislot -n32 -n64 -nocxx -nopie -nossp -objc -test -vanilla)
Homepage: http://gcc.gnu.org/
Description: The GNU Compiler Collection. Includes C/C++, java
compilers, pie+ssp extensions, Haj Ten Brugge runtime bounds checking

[I] sys-libs/glibc
Available versions: (2.2) [P]*2.2.5-r10 [P]2.3.2-r12 2.3.5-r3
2.3.6-r4 2.3.6-r5 [M]2.4-r4 2.5-r2 2.5-r3 2.5-r4 **2.5.1 ~2.6 2.6.1 ~2.7
{build debug erandom gd glibc-compat20 glibc-omitfp hardened
linuxthreads-tls multilib nls nptl nptlonly pic profile selinux userlocales
vanilla}
Installed versions: 2.6.1(2.2)(16:12:14 11/19/07)(hardened nls selinux
-debug -gd -glibc-omitfp -multilib -profile -vanilla)
Homepage: http://www.gnu.org/software/libc/libc.html
Description: GNU libc6 (also called glibc2) C library

Found 2 matches.

> emerge --info
Portage 2.1.3.19 (selinux/2007.0/amd64/hardened, gcc-3.4.6, glibc-2.6.1-r0,
2.6.23-pmp-r1 x86_64)
=================================================================
System uname: 2.6.23-pmp-r1 x86_64 Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz
Timestamp of tree: Wed, 05 Dec 2007 07:00:01 +0000
app-shells/bash: 3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python: 2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.22-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -Os -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf
/etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=nocona -Os -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks loadpolicy metadata-transfer
parallel-fetch sandbox selinux sesandbox sfperms strict unmerge-orphans
userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times
--compress --force --whole-file --delete --delete-after --stats
--timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/vmware
/usr/portage/local/my_overlay"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X X509 acpi alsa amd64 avahi bash-completion berkdb bitmap-fonts
branding bzip2 cairo cdr cli cracklib crypt cups d dbus dri dvdr expat fam
firefox fortran gcj gdbm glitz gnome gpm gstreamer gtk gtkhtml hal hardened
hpn iconv ipv6 isdnlog java javascript jpeg keyring libnotify logrotate midi
mmx mng mozilla mudflap ncurses nfs nls nptl nptlonly nsplugin opengl openmp
pam pcre perl pic png pppd python readline reflection samba seamonkey
selinux session spl sqlite sqlite3 sse sse2 ssl tcpd tiff truetype
truetype-fonts type1-fonts unicode usb xcb xforms xml xorg xpm xprint
xulrunner xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x
ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel
intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate
route share shm softvol" APACHE2_MODULES="actions alias auth_basic
authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm
authz_default authz_groupfile authz_host authz_owner authz_user autoindex
cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter
file_cache filter headers include info log_config logio mem_cache mime
mime_magic negotiation rewrite setenvif speling status unique_id userdir
usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216
lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="i810 fbdev vesa
vga"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL,
LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS,
PORTAGE_RSYNC_EXTRA_OPTS


On Dec 5, 2007 1:05 PM, John Eckhart <jweckhart@×××××.com> wrote:

> I'm not convinced it's a problem with multilib. The multilib use flag is
> deprecated and hard masked in most profiles (in fact, it takes a fair bit of
> juggling and profile mangling to get it back on). I would hesitate to say
> that it's multilib at all. I have an AMD64 system at work which is running
> hardened sources with pax, I will have to see what profile it's using and if
> it has the "multilib" flag at all.
>
> It may not be hardened at all. I get ENOENT problems with filesystem
> corruptions, so I would recommend that you reboot with the livecd and fsck
> the partitions as well (it would at least be faster than a re-install).
>
>
> On Dec 5, 2007 12:32 PM, Grant <emailgrant@×××××.com> wrote:
>
> > > > > > No! Is that the problem? USE=multilib has no effect because
> > they are
> > > > > > all (-multilib). Should I switch my profile from:
> > > > > >
> > > > > > /usr/portage/profiles/hardened/amd64
> > > > > >
> > > > > > to:
> > > > > >
> > > > > > /usr/portage/profiles/hardened/amd64/multilib
> > > > > >
> > > > > > ?
> > > > >
> > > > > khm, obviously if you want 32 bit apps on a 64 bit system you need
> >
> > > > > multilib... i wonder how you could even emerge the emul-* packages
> > > > > in that profile, it should not be allowed.
> > > >
> > > > Nice, at least this is solved (by you). Is switching profiles
> > > > problematic or should I just switch the link and emerge world?
> > >
> > >
> > > Complete reinstall.
> >
> > Any other option whatsoever to get on multilib?
> >
> > - Grant
> > --
> > gentoo-hardened@g.o mailing list
> >
> >
>