From: RB <aoz.syn@gmail.com>
To: gentoo-hardened@lists.gentoo.org
Date: Thu, 22 Jan 2009 21:12:05 -0700
Subject: Re: [gentoo-hardened] 'paxctl -m bin' everything that complains?

On Thu, Jan 22, 2009 at 20:07, Grant <emailgrant@gmail.com> wrote:
> It turns out I need to issue 'paxctl -m
> /usr/lib64/mozilla-firefox/firefox' to prevent firefox from crashing
> when watching a cnn.com video. Is that a huge security issue?

That's up to you. In running X and firefox, you've probably made
enough compromises that one more isn't going to make that much more of
a difference. That said, execution protections (like MPROTECT) are
probably some of the more critical ones you're going to have, due to
the way most malware works, and turning them off on a browser is
probably unwise. Security is always a balance of control & usability,
choose yours and live with it.