public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] persistent paxctl -m?
@ 2009-04-09 16:07 Grant
  2009-04-09 16:10 ` klondike
                   ` (2 more replies)
  0 siblings, 3 replies; 14+ messages in thread
From: Grant @ 2009-04-09 16:07 UTC
  To: gentoo-hardened

I seem to need to remember to paxctl -m the firefox binary whenever I
upgrade firefox.  This inevitably leads to a browser crash and lost
time/info.  Can I set up paxctl -m to persist, even if firefox is
upgraded?

- Grant

* Re: [gentoo-hardened] persistent paxctl -m?
  2009-04-09 16:07 [gentoo-hardened] persistent paxctl -m? Grant
@ 2009-04-09 16:10 ` klondike
  2009-04-09 17:37   ` Ned Ludd
  2009-04-09 16:13 ` [gentoo-hardened] " Thomas Sachau
  2009-04-09 16:14 ` Alex Efros
  2 siblings, 1 reply; 14+ messages in thread
From: klondike @ 2009-04-09 16:10 UTC
  To: gentoo-hardened

2009/4/9 Grant <emailgrant@gmail.com>:
> I seem to need to remember to paxctl -m the firefox binary whenever I
> upgrade firefox.  This inevitably leads to a browser crash and lost
> time/info.  Can I set up paxctl -m to persist, even if firefox is
> upgraded?
You can't unless you modify the ebuilds as that info is stored in the
executable file.

The best you can do is open a bug and try to convince the mozilla
maintainers to add that feature.

* Re: [gentoo-hardened] persistent paxctl -m?
  2009-04-09 16:07 [gentoo-hardened] persistent paxctl -m? Grant
  2009-04-09 16:10 ` klondike
@ 2009-04-09 16:13 ` Thomas Sachau
  2009-04-09 16:14 ` Alex Efros
  2 siblings, 0 replies; 14+ messages in thread
From: Thomas Sachau @ 2009-04-09 16:13 UTC
  To: gentoo-hardened

Grant wrote:
> I seem to need to remember to paxctl -m the firefox binary whenever I
> upgrade firefox.  This inevitably leads to a browser crash and lost
> time/info.  Can I set up paxctl -m to persist, even if firefox is
> upgraded?
> 
> - Grant
> 
> 
paxctl works on a per-binary basis; with a new firefox version there is a new binary, so it cannot persist.

-- 
Thomas Sachau

Gentoo Linux Developer

* Re: [gentoo-hardened] persistent paxctl -m?
  2009-04-09 16:07 [gentoo-hardened] persistent paxctl -m? Grant
  2009-04-09 16:10 ` klondike
  2009-04-09 16:13 ` [gentoo-hardened] " Thomas Sachau
@ 2009-04-09 16:14 ` Alex Efros
  2009-04-09 16:21   ` Alex Efros
  2 siblings, 1 reply; 14+ messages in thread
From: Alex Efros @ 2009-04-09 16:14 UTC
  To: gentoo-hardened

Hi!

On Thu, Apr 09, 2009 at 09:07:39AM -0700, Grant wrote:
> I seem to need to remember to paxctl -m the firefox binary whenever I
> upgrade firefox.  This inevitably leads to a browser crash and lost
> time/info.  Can I set up paxctl -m to persist, even if firefox is
> upgraded?

Put this into your /etc/portage/bashrc:
---cut---
if [ "x${EBUILD_PHASE}" != "x" ]; then
    if    [ -x "/etc/portage/bashrc.d/${CATEGORY}/${PF}.${EBUILD_PHASE}" ]; then
        source "/etc/portage/bashrc.d/${CATEGORY}/${PF}.${EBUILD_PHASE}"
    elif  [ -x "/etc/portage/bashrc.d/${CATEGORY}/${P}.${EBUILD_PHASE}"  ]; then
        source "/etc/portage/bashrc.d/${CATEGORY}/${P}.${EBUILD_PHASE}"
    elif  [ -x "/etc/portage/bashrc.d/${CATEGORY}/${PN}.${EBUILD_PHASE}" ]; then
        source "/etc/portage/bashrc.d/${CATEGORY}/${PN}.${EBUILD_PHASE}"
    fi
fi
---cut---

Next, create the directory:
    mkdir -p /etc/portage/bashrc.d/www-client/

and create an executable shell script in that dir: mozilla-firefox-bin.postinst
---cut---
#!/bin/bash
ewarn "Running chpax -m /opt/firefox/firefox-bin to avoid crash on flash!"
chpax -m /opt/firefox/firefox-bin
---cut---

-- 
			WBR, Alex.
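The lookup that the /etc/portage/bashrc snippet above performs, written out as an added example that is not part of Alex's post or of portage: it tries ${PF}, then ${P}, then ${PN} under a hook directory and reports which file would be sourced, exercised against a constructed tree with the same layout as the post (www-client/mozilla-firefox-bin.postinst). The function names, the temporary hook directory, the package versions and the media-video/mplayer entry are made up for the demonstration. The refusal of group- or world-writable hooks is an added check that the snippet itself does not have (it only tests -x); it is there because /etc/portage/bashrc executes as root during emerge.

```sh
#!/bin/sh
# Added example, not code from the thread: reproduces the lookup that the
# /etc/portage/bashrc snippet performs, so the dispatch order can be tried
# on a constructed hook tree without running emerge.
#
# find_portage_hook HOOKDIR CATEGORY PF P PN PHASE
#   Prints the hook the snippet would source (PF, then P, then PN, most
#   specific name first) and returns 0; returns 1 when no usable hook exists.
find_portage_hook() {
    hookdir=$1 category=$2 pf=$3 p=$4 pn=$5 phase=$6
    for name in "$pf" "$p" "$pn"; do
        f="$hookdir/$category/$name.$phase"
        # Same test as the original snippet: only executable files count.
        [ -x "$f" ] || continue
        # Added check, not in the original: bashrc hooks run as root during
        # emerge, so a hook that group or others can write is refused.
        if [ -n "$(find "$f" \( -perm -g+w -o -perm -o+w \) -print 2>/dev/null)" ]; then
            printf 'skipping %s: writable by group/others\n' "$f" >&2
            continue
        fi
        printf '%s\n' "$f"
        return 0
    done
    return 1
}

# Constructs a throwaway hook tree (paths and versions are made up for the
# demo) that mirrors the layout from the thread and prints its root.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/www-client" "$d/media-video"
    # The hook from the thread: matched by ${PN}, so it survives upgrades.
    printf '#!/bin/sh\necho "would run: paxctl -m /opt/firefox/firefox-bin"\n' \
        > "$d/www-client/mozilla-firefox-bin.postinst"
    chmod 0755 "$d/www-client/mozilla-firefox-bin.postinst"
    # A ${P}-named hook that is present but not executable: must be ignored.
    printf '#!/bin/sh\necho never\n' \
        > "$d/www-client/mozilla-firefox-bin-3.0.8.postinst"
    chmod 0644 "$d/www-client/mozilla-firefox-bin-3.0.8.postinst"
    # A world-writable hook: executable, but the added check refuses it.
    printf '#!/bin/sh\necho never\n' > "$d/media-video/mplayer.postinst"
    chmod 0777 "$d/media-video/mplayer.postinst"
    printf '%s\n' "$d"
}

# Runs the three cases and cleans up; returns 0 when all behave as expected.
demo() {
    d=$(make_demo_tree) || return 1
    # 1. PF and P have no usable hook, so the PN hook is chosen.
    h=$(find_portage_hook "$d" www-client mozilla-firefox-bin-3.0.8-r1 \
        mozilla-firefox-bin-3.0.8 mozilla-firefox-bin postinst) &&
        echo "postinst -> $h"
    # 2. No hook exists for this phase at all.
    find_portage_hook "$d" www-client mozilla-firefox-bin-3.0.8-r1 \
        mozilla-firefox-bin-3.0.8 mozilla-firefox-bin preinst ||
        echo "preinst  -> no hook (as expected)"
    # 3. The only candidate is world-writable and is refused.
    find_portage_hook "$d" media-video mplayer-1.0 mplayer-1.0 mplayer postinst ||
        echo "mplayer  -> refused (as expected)"
    rm -rf "$d"
}

demo
```

Run it as a plain script; it prints which hook each case resolves to. The order of the three names is what makes the post's approach survive upgrades: a hook named after ${PN} keeps matching after the version in ${P} and ${PF} changes, while a version-specific hook can still override it when one is wanted.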

* Re: [gentoo-hardened] persistent paxctl -m?
  2009-04-09 16:14 ` Alex Efros
@ 2009-04-09 16:21   ` Alex Efros
  2009-04-10  3:35     ` Pavel Labushev
  0 siblings, 1 reply; 14+ messages in thread
From: Alex Efros @ 2009-04-09 16:21 UTC
  To: gentoo-hardened

Hi!

On Thu, Apr 09, 2009 at 07:14:11PM +0300, Alex Efros wrote:
> and create executable shell script in that dir: mozilla-firefox-bin.postinst
> ---cut---
> #!/bin/bash
> ewarn "Running chpax -m /opt/firefox/firefox-bin to avoid crash on flash!"
> chpax -m /opt/firefox/firefox-bin
> ---cut---

Of course, if you compile firefox instead of using firefox-bin, then the file
should be named mozilla-firefox.postinst and you should use paxctl there
instead of chpax.

-- 
			WBR, Alex.

* Re: [gentoo-hardened] persistent paxctl -m?
  2009-04-09 16:10 ` klondike
@ 2009-04-09 17:37   ` Ned Ludd
  2009-04-09 20:59     ` [gentoo-hardened] " 7v5w7go9ub0o
  0 siblings, 1 reply; 14+ messages in thread
From: Ned Ludd @ 2009-04-09 17:37 UTC
  To: gentoo-hardened

On Thu, 2009-04-09 at 18:10 +0200, klondike wrote:
> 2009/4/9 Grant <emailgrant@gmail.com>:
> > I seem to need to remember to paxctl -m the firefox binary whenever I
> > upgrade firefox.  This inevitably leads to a browser crash and lost
> > time/info.  Can I set up paxctl -m to persist, even if firefox is
> > upgraded?
> You can't unless you modify the ebuilds as that info is stored in the
> executable file.
> 
> The best you can do is open a bug and try to convince the mozilla
> maintainers to add that feature.


That would be just wrong. firefox itself behaves. It's more likely he is
using a plugin which does not.

-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux

* [gentoo-hardened] Re: persistent paxctl -m?
  2009-04-09 17:37   ` Ned Ludd
@ 2009-04-09 20:59     ` 7v5w7go9ub0o
  0 siblings, 0 replies; 14+ messages in thread
From: 7v5w7go9ub0o @ 2009-04-09 20:59 UTC
  To: gentoo-hardened

Ned Ludd wrote:

> 
> 
> ................... firefox itself behaves. It's more likely he is
> using a plugin which does not.
> 

Ditto the above. No FF problems at all, compiling with the 4.33 overlay
on AMD64.

* Re: [gentoo-hardened] persistent paxctl -m?
  2009-04-09 16:21   ` Alex Efros
@ 2009-04-10  3:35     ` Pavel Labushev
  2009-04-10 16:29       ` Grant
  2009-04-11 13:06       ` Alex Efros
  0 siblings, 2 replies; 14+ messages in thread
From: Pavel Labushev @ 2009-04-10  3:35 UTC
  To: gentoo-hardened

Alex Efros wrote:
> Hi!
>
> On Thu, Apr 09, 2009 at 07:14:11PM +0300, Alex Efros wrote:
>   
>> and create executable shell script in that dir: mozilla-firefox-bin.postinst
>> ---cut---
>> #!/bin/bash
>> ewarn "Running chpax -m /opt/firefox/firefox-bin to avoid crash on flash!"
>> chpax -m /opt/firefox/firefox-bin
>> ---cut---
>>     
>
> Of course, if you compile firefox instead of using firefox-bin, then file
> should be named mozilla-firefox.postinst and you should use there paxctl
> instead of chpax.
>   
A simple cron job or slightly-less-simple RBAC policy can do the trick.
There's no need to mess with portage, imho.

* Re: [gentoo-hardened] persistent paxctl -m?
  2009-04-10  3:35     ` Pavel Labushev
@ 2009-04-10 16:29       ` Grant
  2009-04-10 18:08         ` atoth
  2009-04-10 18:52         ` Ned Ludd
  2009-04-11 13:06       ` Alex Efros
  1 sibling, 2 replies; 14+ messages in thread
From: Grant @ 2009-04-10 16:29 UTC
  To: gentoo-hardened

>>> and create executable shell script in that dir: mozilla-firefox-bin.postinst
>>> ---cut---
>>> #!/bin/bash
>>> ewarn "Running chpax -m /opt/firefox/firefox-bin to avoid crash on flash!"
>>> chpax -m /opt/firefox/firefox-bin
>>> ---cut---
>>>
>>
>> Of course, if you compile firefox instead of using firefox-bin, then file
>> should be named mozilla-firefox.postinst and you should use there paxctl
>> instead of chpax.
>>
> A simple cron job or slightly-less-simple RBAC policy can do the trick.
> There's no need to mess with portage, imho.

Thanks for the suggestions everyone.  I think this type of persistence
should be built into portage.  Maybe /etc/portage/package.nomprotect.
Do you agree?  Should I file a bug?

- Grant

* Re: [gentoo-hardened] persistent paxctl -m?
  2009-04-10 16:29       ` Grant
@ 2009-04-10 18:08         ` atoth
  2009-04-12  0:03           ` Grant
  2009-04-10 18:52         ` Ned Ludd
  1 sibling, 1 reply; 14+ messages in thread
From: atoth @ 2009-04-10 18:08 UTC
  To: gentoo-hardened

Don't agree.

If you employ GRsecurity's RBAC, you can use PAX flags, like
"PAX_MPROTECT" on a given subject (binary). Take a look at the example
policy file.

Regards:
Dw.
-- 
dr Tóth Attila, Radiológus, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist, +36-20-825-8057, +36-30-5962-962

On Pén, Április 10, 2009 18:29, Grant wrote:
>>>> and create executable shell script in that dir:
>>>> mozilla-firefox-bin.postinst
>>>> ---cut---
>>>> #!/bin/bash
>>>> ewarn "Running chpax -m /opt/firefox/firefox-bin to avoid crash on
>>>> flash!"
>>>> chpax -m /opt/firefox/firefox-bin
>>>> ---cut---
>>>>
>>>
>>> Of course, if you compile firefox instead of using firefox-bin, then
>>> file
>>> should be named mozilla-firefox.postinst and you should use there
>>> paxctl
>>> instead of chpax.
>>>
>> A simple cron job or slightly-less-simple RBAC policy can do the trick.
>> There's no need to mess with portage, imho.
>
> Thanks for the suggestions everyone.  I think this type of persistence
> should be built into portage.  Maybe /etc/portage/package.nomprotect.
> Do you agree?  Should I file a bug?
>
> - Grant
>

* Re: [gentoo-hardened] persistent paxctl -m?
  2009-04-10 16:29       ` Grant
  2009-04-10 18:08         ` atoth
@ 2009-04-10 18:52         ` Ned Ludd
  1 sibling, 0 replies; 14+ messages in thread
From: Ned Ludd @ 2009-04-10 18:52 UTC
  To: gentoo-hardened


> Thanks for the suggestions everyone.  I think this type of persistence
> should be built into portage.  Maybe /etc/portage/package.nomprotect.

> Do you agree?  Should I file a bug?
Not really. No.



-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux

* Re: [gentoo-hardened] persistent paxctl -m?
  2009-04-10  3:35     ` Pavel Labushev
  2009-04-10 16:29       ` Grant
@ 2009-04-11 13:06       ` Alex Efros
  1 sibling, 0 replies; 14+ messages in thread
From: Alex Efros @ 2009-04-11 13:06 UTC
  To: gentoo-hardened

Hi!

On Fri, Apr 10, 2009 at 11:35:36AM +0800, Pavel Labushev wrote:
> A simple cron job or slightly-less-simple RBAC policy can do the trick.
> There's no need to mess with portage, imho.

A cron job is just a waste of time (this is a one-time task after installing a
package, not a once-per-minute task) and a race condition (after installing the
package but before the cron job runs, it may be run and will segfault).

That's not messing with portage, because portage right now controls PaX flags
for many packages anyway. But it doesn't set PaX flags for firefox or
mplayer, because they are able to work without this (if you don't use flash
with firefox and don't use win32codecs with mplayer) and probably because
these packages are unlikely to be installed on a hardened server.

Also, using the given /etc/portage/bashrc I not only set paxctl -m, but also
switch gcc to hardened-nossp while compiling several packages (to work around
http://bugs.gentoo.org/show_bug.cgi?id=217112) and rebuild the CPAN module
Scalar::Util after recompiling perl (needed because I don't use portage to
manage perl modules).

So, it is used not to mess with portage, but to automate some tasks required
while/after emerging packages to keep the system working in my configuration.

-- 
			WBR, Alex.

* Re: [gentoo-hardened] persistent paxctl -m?
  2009-04-10 18:08         ` atoth
@ 2009-04-12  0:03           ` Grant
  2009-04-12  6:49             ` atoth
  0 siblings, 1 reply; 14+ messages in thread
From: Grant @ 2009-04-12  0:03 UTC
  To: gentoo-hardened

> If you employ GRsecurity's RBAC, you can use PAX flags, like
> "PAX_MPROTECT" on a given subject (binary). Take a look at on the example
> policy file.

Do you guys think RBAC or /etc/portage/bashrc is a better choice for
this?  Maybe RBAC is overkill if this is all I'll be using it for?

- Grant


>>>>> and create executable shell script in that dir:
>>>>> mozilla-firefox-bin.postinst
>>>>> ---cut---
>>>>> #!/bin/bash
>>>>> ewarn "Running chpax -m /opt/firefox/firefox-bin to avoid crash on
>>>>> flash!"
>>>>> chpax -m /opt/firefox/firefox-bin
>>>>> ---cut---
>>>>>
>>>>
>>>> Of course, if you compile firefox instead of using firefox-bin, then
>>>> file
>>>> should be named mozilla-firefox.postinst and you should use there
>>>> paxctl
>>>> instead of chpax.
>>>>
>>> A simple cron job or slightly-less-simple RBAC policy can do the trick.
>>> There's no need to mess with portage, imho.
>>
>> Thanks for the suggestions everyone.  I think this type of persistence
>> should be built into portage.  Maybe /etc/portage/package.nomprotect.
>> Do you agree?  Should I file a bug?
>>
>> - Grant

* Re: [gentoo-hardened] persistent paxctl -m?
  2009-04-12  0:03           ` Grant
@ 2009-04-12  6:49             ` atoth
  0 siblings, 0 replies; 14+ messages in thread
From: atoth @ 2009-04-12  6:49 UTC
  To: gentoo-hardened

On Vas, Április 12, 2009 02:03, Grant wrote:
>> If you employ GRsecurity's RBAC, you can use PAX flags, like
>> "PAX_MPROTECT" on a given subject (binary). Take a look at on the
>> example
>> policy file.
>
> Do you guys think RBAC or /etc/portage/bashrc is a better choice for
> this?  Maybe RBAC is overkill if this is all I'll be using it for?
>

It takes time to refine a policy and it needs some tuning from time to
time. If you haven't utilized any RBAC (Grsecurity, RSBAC) on your system
yet, it's high time to give it a try.
So I should say that bashrc is not the best choice from the security
point of view, but in the meantime it's not overkill either...

Regards:
Dw.

>
>>>>>> and create executable shell script in that dir:
>>>>>> mozilla-firefox-bin.postinst
>>>>>> ---cut---
>>>>>> #!/bin/bash
>>>>>> ewarn "Running chpax -m /opt/firefox/firefox-bin to avoid crash on
>>>>>> flash!"
>>>>>> chpax -m /opt/firefox/firefox-bin
>>>>>> ---cut---
>>>>>>
>>>>>
>>>>> Of course, if you compile firefox instead of using firefox-bin, then
>>>>> file
>>>>> should be named mozilla-firefox.postinst and you should use there
>>>>> paxctl
>>>>> instead of chpax.
>>>>>
>>>> A simple cron job or slightly-less-simple RBAC policy can do the
>>>> trick.
>>>> There's no need to mess with portage, imho.
>>>
>>> Thanks for the suggestions everyone.  I think this type of persistence
>>> should be built into portage.  Maybe /etc/portage/package.nomprotect.
>>> Do you agree?  Should I file a bug?
>>>
>>> - Grant
>
