hi,

we had some issues with cracklib, pwdb and pam.
which will result in filter-flags for propolice on gentoo proper.
sorry for that.

but you can use sys-devel/hardened-gcc which will build these applications with etdyn
and propolice using a special weapon called a transparent -pie specs file.

HTH,

Alex

On Fri, Aug 08, 2003 at 01:01:46PM -0400, Ned Ludd wrote:
>
> Thank you for reporting this. A fix for this problem with pam & cracklib
> is being worked on right now by the hardened team. We will post
> something to the gentoo-hardened mailing list when this is ready.
>
>
> On Fri, 2003-08-08 at 12:27, security mailing lists wrote:
> > This was using the completely out of the box standard 1.4 release live
> > cd. I didn't unmask anything at all, just added stack protection to
> > make.conf. This is an AthlonXP 2100 (MSI-KT3-Ultra2 w/512MB) Here are
> > some of the options from make.conf
> >
> > CHOST=i686-pc-linux-gnu
> > CFLAGS="-O3 -march=athlon-xp -fstack-protector -funroll-loops -pipe"
> >
> > Nothing unmasked or modified (ACCEPT_KEYWORDS commented out, etc) so
> > this was all standard packages (gcc-3.2.3-r1 and glibc-2.3.2-r1).
> >
> > I don't see anything on bugs.gentoo.com for problems with pam and stack
> > protection, just wanted to make sure I wasn't missing something before
> > I submitted the bug. The gentoo propolice project website says that
> > things should compile out of the box with the proper gcc/glibc used
> > above.
> >
> >
> >
> > > On Fri, 2003-08-08 at 10:02, Boyd Waters wrote:
> > > > security mailing lists wrote:
> > > > > When building a system from the ground up using stack protection,
> > > > > emerge system fails while building PAM. It complains the pam pwdb
> > > > > module did not get built.
> > > > >
> > > > > If I rebuild pwdb without stack protection, though it compiled fine with
> > > > > it the first time, I can then build pam with stack protection without
> > > > > any problems.
> > > > >
> > > > > This was using the base CD and the normal install process with just
> > > > > -fstack-protection added to /etc/make.conf before bootstrap (stage2)
> > > >
> > > >
> > > > Curious... I did not run into this problem, building a system from
> > > > ground up with GCC 3.3 --
> > > >
> > > > I have an ebuild for a gcc-3.3 that uses the ProPolice patch from last
> > > > week, which was a more-recent patch than the standard 3.3 that was in
> > > > portage -- but I see that this is now gcc-3.3-r1 as of 04-August.
> > > >
> > > > Have you searched http://bugs.gentoo.org for this situation? It sounds
> > > > like a good bug report to me! What type of processor are you using? What
> > > > gcc/propolice version?
> > > >
> > > > -- boyd
> > > >
> > > >
> >
> > --
> > gentoo-hardened@g.o mailing list
> --
> Ned Ludd <solar@g.o>
> Gentoo Linux Developer (Hardened)
>
>
> --
> gentoo-hardened@g.o mailing list

--
A long-forgotten loved one will appear soon.

Buy the negatives at any price.

--
gentoo-hardened@g.o mailing list