| 1 |
hi, |
| 2 |
|
| 3 |
we had some issues with cracklib, pwdb and pam. |
| 4 |
which will result in filter-flags for propolice on gentoo proper. |
| 5 |
sorry for that. |
| 6 |
|
| 7 |
but you can use sys-devel/hardened-gcc which will build these applications with etdyn |
| 8 |
and propolice using a special weapon called a transparent -pie specs file. |
| 9 |
|
| 10 |
HTH, |
| 11 |
|
| 12 |
Alex |
| 13 |
|
| 14 |
On Fri, Aug 08, 2003 at 01:01:46PM -0400, Ned Ludd wrote: |
| 15 |
> |
| 16 |
> Thank you for reporting this. A fix for this problem with pam & cracklib |
| 17 |
> is being worked on right now by the hardened team. We will post |
| 18 |
> something to the gentoo-hardened mailing list when this is ready. |
| 19 |
> |
| 20 |
> |
| 21 |
> On Fri, 2003-08-08 at 12:27, security mailing lists wrote: |
| 22 |
> > This was using the completely out of the box standard 1.4 release live |
| 23 |
> > cd. I didn't unmask anything at all, just added stack protection to |
| 24 |
> > make.conf. This is an AthlonXP 2100 (MSI-KT3-Ultra2 w/512MB)Here are |
| 25 |
> > some of the options from make.conf |
| 26 |
> > |
| 27 |
> > CHOST=i686-pc-linux-gnu |
| 28 |
> > CFLAGS="-O3 -march=athlon-xp -fstack-protector -funroll-loops -pipe" |
| 29 |
> > |
| 30 |
> > Nothing unmasked or modified (ACCEPT_KEYWORDS commented out, etc) so |
| 31 |
> > this was all standard packages (gcc-3.2.3-r1 and glibc-2.3.2-r1). |
| 32 |
> > |
| 33 |
> > I don't see anything on bugs.gentoo.com for problems with pam and stack |
| 34 |
> > protection, just wanted to make sure I wasn't missing something before |
| 35 |
> > I submitted the bug. The gentoo propolice project website says that |
| 36 |
> > things should compile out of the box with the proper gcc/glibc used |
| 37 |
> > above. |
| 38 |
> > |
| 39 |
> > |
| 40 |
> > |
| 41 |
> > > On Fri, 2003-08-08 at 10:02, Boyd Waters wrote: |
| 42 |
> > > > security mailing lists wrote: |
| 43 |
> > > > > When building a system from the ground up using stack protection, |
| 44 |
> > > > > emerge system fails while building PAM. It complains the pam pwdb |
| 45 |
> > > > > module did not get built. |
| 46 |
> > > > > |
| 47 |
> > > > > If I rebuild pwdb without stack protection, though it compiled fine with |
| 48 |
> > > > > it the first time, I can then build pam with stack protection without |
| 49 |
> > > > > any problems. |
| 50 |
> > > > > |
| 51 |
> > > > > This was using the base CD and the normal install process with just |
| 52 |
> > > > > -fstack-protection added to /etc/make.conf before bootstrap (stage2) |
| 53 |
> > > > |
| 54 |
> > > > |
| 55 |
> > > > Curious... I did not run into this problem, building a system from |
| 56 |
> > > > ground up with GCC 3.3 -- |
| 57 |
> > > > |
| 58 |
> > > > I have an ebuild for a gcc-3.3 that uses the ProPolice patch from last |
| 59 |
> > > > week, which was a more-recent patch than the standard 3.3 that was in |
| 60 |
> > > > portage -- but I see that this is now gcc-3.3-r1 as of 04-August. |
| 61 |
> > > > |
| 62 |
> > > > Have you searched http://bugs.gentoo.org for this situation? It sounds |
| 63 |
> > > > like a good bug report to me! What type of processor are you using? What |
| 64 |
> > > > gcc/propolice version? |
| 65 |
> > > > |
| 66 |
> > > > -- boyd |
| 67 |
> > > > |
| 68 |
> > > > |
| 69 |
> > |
| 70 |
> > -- |
| 71 |
> > gentoo-hardened@g.o mailing list |
| 72 |
> -- |
| 73 |
> Ned Ludd <solar@g.o> |
| 74 |
> Gentoo Linux Developer (Hardened) |
| 75 |
> |
| 76 |
> |
| 77 |
> -- |
| 78 |
> gentoo-hardened@g.o mailing list |
| 79 |
|
| 80 |
-- |
| 81 |
A long-forgotten loved one will appear soon. |
| 82 |
|
| 83 |
Buy the negatives at any price. |
| 84 |
|
| 85 |
-- |
| 86 |
gentoo-hardened@g.o mailing list |
Archives