| 1 |
Hi! |
| 2 |
|
| 3 |
On Fri, Apr 10, 2009 at 11:35:36AM +0800, Pavel Labushev wrote: |
| 4 |
> A simple cron job or slightly-less-simple RBAC policy can do the trick. |
| 5 |
> There's no need to mess with portage, imho. |
| 6 |
|
| 7 |
Cron job is just waste of time (this is one-time task after installing |
| 8 |
package, not once-per-minute task) and race condition (after installing |
| 9 |
package but before running cron job it may be run and will segfault). |
| 10 |
|
| 11 |
That's not mess with portage because portage right now control PaX flags |
| 12 |
for many packages anyway. But it doesn't set PaX flags for firefox or |
| 13 |
mplayer, because they able to work without this (if you don't use flash |
| 14 |
with firefox and don't use win32codecs with mplayer) and probably because |
| 15 |
these packages unlikely will be installed on hardened server. |
| 16 |
|
| 17 |
Also using given /etc/portage/bashrc I not only set paxctl -m, but also |
| 18 |
switch gcc to hardened-nossp while compiling several packets (to workaround |
| 19 |
http://bugs.gentoo.org/show_bug.cgi?id=217112) and rebuild CPAN module |
| 20 |
Scalar::Util after recompiling perl (needed because I don't use portage to |
| 21 |
manage perl modules). |
| 22 |
|
| 23 |
So, it used not to mess with portage, but to automate some tasks required |
| 24 |
while/after emerging packages to keep system working in my configuration. |
| 25 |
|
| 26 |
-- |
| 27 |
WBR, Alex. |
Archives