On Tue, 2004-04-27 at 17:40, Ed Wildgoose wrote:
> >It's come to my attention this afternoon that there's some portage
> >breakage with the stacked profiles. I plan on building the 2004.1
> >stages as soon as this is fixed up.
>
> Thanks. Can you explain what this means for me? I presume it means
> that there will be a new portage build out that handles the situation?
> If it's currently masked can you please let me know what I should be
> grabbing please (easier than currently having to manually tweak this
> stuff perhaps)

Apparently if you replace "os.path.dirname(mypath)" with "mypath" in
/usr/lib/portage/pym/portage.py line 1206, it should work. The 51_pre*
portages are fixed, but they have other problems, and I wouldn't suggest
using them.

> >>It's really not clear what needs to be done to get a "hardened" system
> >>right now? For example, do we need any other flags adding to
> >>make.conf...?
> >>
> >>
> >
> >Actually things are in a bit of flux. Hardened-gcc is deprecated, and
[cut]
> OK, thanks this is helpful. I'm using gcc-3.3.2-r5, i.e. the latest

This version only has ssp (-fstack-protector).

> Can you advise what the best thing is to do right now in order to at
> least partially harden the machine. Recompiling bits of stuff later is

The minimum I'd suggest is to continue with ssp, and use a kernel with
PaX.

> an option, but I can't really afford a full rebuild. In any case my
> alternative is a normal gentoo build, so I will take whatever hardening
> is easy to do right now (on the grounds it is better than nothing). The
> main entry route to the machine will likely remain the php apps running
> on the web-server, so this is actually where the bulk of my effort needs
> to go anyway - hardening is just some icing really. On the other hand I
> am not sure yet how selinux is going to help with securing Apache,

SELinux is the last line of defense. It helps when someone has
subverted apache. The SELinux policy doesn't allow the apache domain to do
anything beyond normal operations. For example, there wouldn't be any
defacement, because the apache domain can only read the web pages, not
write them, even if they gain root privileges.

--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
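As an added example, not code from this thread or from the Gentoo project, here is a small POSIX sh audit of the three items the reply recommends: ssp requested via -fstack-protector in make.conf CFLAGS, a PaX kernel, and SELinux in enforcing mode. It takes a root directory so it can be run against a fixture tree; the file locations it probes (etc/make.conf, the proc/sys/kernel/pax sysctl tree, and the SELinux enforce flag at selinux/enforce or sys/fs/selinux/enforce) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: check the three hardening items
# the reply recommends (ssp via -fstack-protector, a PaX kernel, SELinux
# enforcing). The root argument lets it run against a fixture tree instead
# of the live system. Assumed paths: etc/make.conf, proc/sys/kernel/pax,
# and the SELinux enforce flag at selinux/enforce or sys/fs/selinux/enforce.

# Print the CFLAGS value from make.conf; no output if the file is absent.
make_conf_cflags() {
    [ -r "$1/etc/make.conf" ] || return 1
    sed -n 's/^[[:space:]]*CFLAGS="\([^"]*\)".*/\1/p' "$1/etc/make.conf"
}

# 0 if CFLAGS asks for the stack protector (ssp), 1 otherwise.
ssp_in_cflags() {
    make_conf_cflags "$1" | grep -q -- '-fstack-protector'
}

# 0 if the kernel exposes the PaX sysctl tree, 1 otherwise.
pax_kernel() {
    [ -d "$1/proc/sys/kernel/pax" ]
}

# 0 if SELinux is enforcing, 1 if permissive, 2 if no SELinux filesystem.
selinux_mode() {
    for f in "$1/selinux/enforce" "$1/sys/fs/selinux/enforce"; do
        if [ -r "$f" ]; then
            [ "$(cat "$f")" = "1" ] && return 0
            return 1
        fi
    done
    return 2
}

# One line per item; always returns 0 so it can end a set -e script.
harden_report() {
    root="${1:-}"
    if ssp_in_cflags "$root"; then echo "ssp:     -fstack-protector in CFLAGS"
    else echo "ssp:     not in CFLAGS (check the compiler's default specs)"; fi
    if pax_kernel "$root"; then echo "pax:     PaX kernel detected"
    else echo "pax:     no PaX sysctl tree, kernel is not PaX-enabled"; fi
    selinux_mode "$root" && rc=0 || rc=$?
    case $rc in
        0) echo "selinux: enforcing" ;;
        1) echo "selinux: present but permissive" ;;
        *) echo "selinux: not present" ;;
    esac
    return 0
}
harden_report "${ROOT:-}"
```

The CFLAGS check is only a proxy: a hardened toolchain may turn ssp on in its default specs without it appearing in make.conf, so treat a "not in CFLAGS" line as a prompt to inspect the compiler rather than as proof it is off.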