Hi!

On Fri, Apr 10, 2009 at 11:35:36AM +0800, Pavel Labushev wrote:
> A simple cron job or slightly-less-simple RBAC policy can do the trick.
> There's no need to mess with portage, imho.

A cron job is just a waste of time (this is a one-time task after installing
a package, not a once-per-minute task) and a race condition (after installing
a package but before the cron job runs, it may be run and will segfault).

That's not messing with portage, because portage right now controls PaX flags
for many packages anyway. But it doesn't set PaX flags for firefox or
mplayer, because they are able to work without this (if you don't use flash
with firefox and don't use win32codecs with mplayer) and probably because
these packages are unlikely to be installed on a hardened server.

Also, using the given /etc/portage/bashrc I not only set paxctl -m, but also
switch gcc to hardened-nossp while compiling several packages (to work around
http://bugs.gentoo.org/show_bug.cgi?id=217112) and rebuild the CPAN module
Scalar::Util after recompiling perl (needed because I don't use portage to
manage perl modules).

So, it is used not to mess with portage, but to automate some tasks required
while/after emerging packages to keep the system working in my configuration.

-- 
WBR, Alex.
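The bashrc referred to in the message is not reproduced in this thread, so the following is an added example, written for this page and not the author's own file, of the mechanism being described: an /etc/portage/bashrc hook that applies paxctl marks while the package is being installed, so the binary is never left on disk unmarked between the merge and a later cron run. It uses Portage's documented pre_/post_ phase-hook convention (here post_src_install, which runs while the files still sit in ${D}, so the checksums Portage records on merge already reflect the marked binary). The package atoms, binary paths and flag letters in the table are constructed for the example; only the paxctl -m part of the message is shown, not the gcc-profile switch or the Scalar::Util rebuild.

```shell
#!/bin/bash
# Added example: an /etc/portage/bashrc fragment that marks selected binaries
# with paxctl during src_install. Not the bashrc from the original thread.
# Package -> "flags path" table is a constructed sample; adjust to taste.

# Print "<paxctl flags> <path relative to root>" for packages that need a mark,
# return non-zero for everything else so the hook does nothing for them.
pax_flags_for() {
    case "$1" in
        www-client/firefox)  echo "-m usr/lib/firefox/firefox" ;;  # flash plugin
        media-video/mplayer) echo "-m usr/bin/mplayer" ;;          # win32codecs
        *) return 1 ;;
    esac
}

# Decide whether a mark should actually be applied: the package is in the
# table, the target exists under the image directory, and paxctl is present.
# Prints the full command that would run; returns non-zero if nothing to do.
pax_mark_command() {
    # $1 = CATEGORY/PN, $2 = image root (Portage's ${D})
    entry=$(pax_flags_for "$1") || return 1
    set -- "$2" $entry
    image=$1; flags=$2; rel=$3
    target="${image%/}/$rel"
    [ -f "$target" ] || return 1
    echo "paxctl $flags $target"
}

# Portage calls post_src_install right after the ebuild's src_install phase,
# while the installed files are still under ${D} and not yet merged to ROOT.
post_src_install() {
    cmd=$(pax_mark_command "${CATEGORY}/${PN}" "${D}") || return 0
    if command -v paxctl >/dev/null 2>&1; then
        echo " * applying PaX mark: $cmd"
        $cmd
    else
        echo " * paxctl not installed, skipping: $cmd" >&2
    fi
}
```

Because the decision logic is separated from the paxctl call, the table can be checked on a machine without paxctl (or without a hardened kernel) before the bashrc is dropped into place; the hook itself only ever runs for the packages listed.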