From: Matt Rickard <mjr318@psu.edu>
To: gentoo-dev@gentoo.org
Subject: [gentoo-dev] ProPolice enabled gcc/gentoo and chrooted Apache
Date: Mon, 10 Feb 2003 19:53:08 -0500 [thread overview]
Message-ID: <20030210195308.7de1621d.mjr318@psu.edu> (raw)
I had previously posted this in the forum, but now that I've made some
more progress I'm trying to key a few more people in on what I'm doing.
The original thread is available at
<http://forums.gentoo.org/viewtopic.php?t=33614>
I've implemented a ProPolice
<http://www.trl.ibm.com/projects/security/ssp/> patched gcc ebuild. This
patch will build stack-smashing protection into your code at compile time.
This is an excellent security measure -- one that has just recently been
implemented in OpenBSD-current. It can be enabled explicitly through the
CFLAG -fstack-protector or turned on by default with a separate patch. As
I have it now, it is by default turned off, as there are several ebuilds
that have problems with it (most notably portage). For more information
on this have a look at my site
at<http://frogger974.homelinux.org/gentoo_propolice.html>
I've also put together a script which will copy an Apache install into a
chroot under /var/chroot/apache. There is also a new new startup script to
start/stop/restart the chrooted daemon. The script requires apache to be
merged to run, but after it has been installed, you can feel free to
unmerge the old non-chrooted apache. Again, more information is available
at <http://frogger974.homelinux.org/gentoo_propolice.html> . This doesn't
require ProPolice, but it runs fine being built with the stack protection
if you're interested in trying.
I'd eventually like to implement this chrooted Apache as its own ebuild.
This script is easier for now, and allows me to do the testing I need.
It is also completely parallel to the regular Apache build, just moved to
/var/chroot/apache. This might not be the best idea, since we don't
really need the obscure file locations/symlinks from the original build if
it's all just going under /var/chroot/apache.
So anyway, if anyone would like to test any of this stuff feel free. Let
me know how it turns out. I'm also open to any suggestions on things I
should change or other things I should implement. I would like to start
by chrooting other daemons including bind and ntpd.
I think all of these things would make a good addition to a 'Secure
Gentoo'.
-Matt Rickard
--
gentoo-dev@gentoo.org mailing list
next reply other threads:[~2003-02-11 1:01 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-02-11 0:53 Matt Rickard [this message]
2003-02-11 2:23 ` [gentoo-dev] ProPolice enabled gcc/gentoo and chrooted Apache Dylan Carlson
2003-02-11 3:33 ` Matt Rickard
2003-02-12 14:37 ` Alain Penders
2003-02-12 22:51 ` Matt Rickard
2003-02-11 2:45 ` Todd Heim
2003-02-11 3:15 ` Matt Rickard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20030210195308.7de1621d.mjr318@psu.edu \
--to=mjr318@psu.edu \
--cc=gentoo-dev@gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox