From: Jan Klod
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] hardened workstation - is that worth it?
Date: Tue, 25 Nov 2008 18:39:26 +0200

On Tuesday 25 November 2008 17:56:41 Alex Efros wrote:
> Hi!
>
> On Tue, Nov 25, 2008 at 05:00:45PM +0200, Jan Klod wrote:
> > Suppose, I want to take some extra precautions and set up PaX&co and MAC
> > on a workstation with Xorg and other nice KDE apps (only some of which
> > should be granted access to files in folder X). I would like to read
> > others' opinions, if I can get considerable security improvements or I will
> > have to make that much of exceptions to those good rules, as it makes
> > protection too useless?
>
> Not sure about MAC, but GrSec + PaX + hardened toolchain is nice to have.
> Unlike MAC, it's easy to set up, and only a few applications require
> some weakening of security (using paxctl).
> I use a hardened workstation configured this way for years.

Could you post a list of apps that need PaX lifted?

Also there is another question: has anyone made some benchmarks to see how much raw computing power (CPU+RAM access, which happens during some purely computational task) decreases?