From: Mikey
To: gentoo-hardened@lists.gentoo.org
Subject: [gentoo-hardened] Stupid Hardened Questions
Date: Thu, 16 Mar 2006 23:02:19 -0600
Message-Id: <200603162302.20007.mikey@badpenguins.com>

I have decided to take the hardened profile for a spin on a couple of my
edge servers. I grabbed stage1-x86-hardened-2.6-2006.0.tar.bz2, verified
the profile was set to profiles/hardened/x86/2.6/, did my bootstrap and
emerge -e system. Everything looks to have gone ok.

What I am curious about is the fact that I didn't really notice any special
CFLAGS being used while everything was compiling. Various documents tell
me it is transparent, that the settings are read from the gcc spec file.
Should I not be seeing cflags specific to hardened settings while
everything is compiling?

gcc-config -l shows:

[1] i686-pc-linux-gnu-3.4.5 *
[2] i686-pc-linux-gnu-3.4.5-hardenednopie
[3] i686-pc-linux-gnu-3.4.5-hardenednopiessp
[4] i686-pc-linux-gnu-3.4.5-hardenednossp
[5] i686-pc-linux-gnu-3.4.5-vanilla

When I look in /etc/env.d/05gcc, nothing is set for GCC_SPECS:

PATH="/usr/i686-pc-linux-gnu/gcc-bin/3.4.5"
ROOTPATH="/usr/i686-pc-linux-gnu/gcc-bin/3.4.5"
MANPATH="/usr/share/gcc-data/i686-pc-linux-gnu/3.4.5/man"
INFOPATH="/usr/share/gcc-data/i686-pc-linux-gnu/3.4.5/info"
LDPATH="/usr/lib/gcc/i686-pc-linux-gnu/3.4.5"
GCC_SPECS=""

/etc/env.d/gcc/config points to i686-pc-linux-gnu-3.4.5, which contains:

PATH="/usr/i686-pc-linux-gnu/gcc-bin/3.4.5"
ROOTPATH="/usr/i686-pc-linux-gnu/gcc-bin/3.4.5"
LDPATH="/usr/lib/gcc/i686-pc-linux-gnu/3.4.5"
GCCBITS="32"
MANPATH="/usr/share/gcc-data/i686-pc-linux-gnu/3.4.5/man"
INFOPATH="/usr/share/gcc-data/i686-pc-linux-gnu/3.4.5/info"
STDCXX_INCDIR="g++-v3"

When I look at some of the other config files such as
i686-pc-linux-gnu-3.4.5-hardenednopie, it defines a GCC_SPECS file:

PATH="/usr/i686-pc-linux-gnu/gcc-bin/3.4.5"
ROOTPATH="/usr/i686-pc-linux-gnu/gcc-bin/3.4.5"
LDPATH="/usr/lib/gcc/i686-pc-linux-gnu/3.4.5"
GCCBITS="32"
MANPATH="/usr/share/gcc-data/i686-pc-linux-gnu/3.4.5/man"
INFOPATH="/usr/share/gcc-data/i686-pc-linux-gnu/3.4.5/info"
STDCXX_INCDIR="g++-v3"
GCC_SPECS="/usr/lib/gcc/i686-pc-linux-gnu/3.4.5/hardenednopie.specs"

So I guess my question is - how do I know everything is actually being
compiled with the hardened specific flags? A diff
on /usr/lib/gcc/i686-pc-linux-gnu/3.4.5/specs and hardened.specs shows no
differences, is it safe to assume the default specs file is being used even
though it is not being set anywhere in the environment?
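
Added example, not part of the original post: one way to check the result of the build rather than the environment is to read each installed binary's ELF header for the PIE type and look for the stack-protector symbol names. The function names, the constructed sample header and the symbol names searched for are assumptions of this example, and the SSP test is a heuristic.

```python
import sys

ET_DYN = 3  # e_type of shared objects and of position-independent executables
# Symbol names referenced by stack-protected code (assumed here): the ProPolice
# patch used with GCC 3.x, and the implementation in GCC 4.1 and later.
SSP_MARKERS = (b"__stack_smash_handler", b"__stack_chk_fail")


def inspect_elf(data):
    """Return {'pie': bool, 'ssp': bool} for an ELF image, or None if not ELF."""
    if len(data) < 18 or data[:4] != b"\x7fELF":
        return None
    # e_ident[5] (EI_DATA) gives the byte order: 1 = little-endian, 2 = big-endian.
    order = "little" if data[5] == 1 else "big"
    e_type = int.from_bytes(data[16:18], order)
    return {
        # Shared libraries are ET_DYN too; for an executable ET_DYN means PIE.
        "pie": e_type == ET_DYN,
        # Heuristic: a binary with no function that needed a canary shows no
        # marker even when it was built with the stack protector enabled.
        "ssp": any(marker in data for marker in SSP_MARKERS),
    }


def sample_elf(e_type, payload=b""):
    """Constructed little-endian ELF32 header stub, for demonstration only."""
    return b"\x7fELF\x01\x01\x01" + bytes(9) + e_type.to_bytes(2, "little") + payload


def report(path):
    """Format the result for one file on disk."""
    with open(path, "rb") as fh:
        result = inspect_elf(fh.read())
    if result is None:
        return f"{path}: not an ELF file"
    pie = "yes" if result["pie"] else "no"
    ssp = "yes" if result["ssp"] else "no"
    return f"{path}: PIE={pie} SSP={ssp}"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(report(path))
    else:
        # No paths given: run on the constructed samples instead.
        print(inspect_elf(sample_elf(3, b"__stack_smash_handler\0")))
        print(inspect_elf(sample_elf(2)))
```

Run it with the paths of a few freshly emerged executables as arguments; a binary built by the vanilla profile makes a useful comparison.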