Message-ID: <49bf44f10812251752j6ab40c33jd31c15f5a849454c@mail.gmail.com>
Date: Thu, 25 Dec 2008 17:52:12 -0800
From: Grant
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Profile switch: hardened to non-hardened?
In-Reply-To: <897813410812250830i2f910883n62b426dbe5a0329a@mail.gmail.com>

> In terms of userland, non hardened profile doesn't protect you at all
> against buffer overflows, you are removing one important security
> layer. SSP protects you against buffer overflows in terms that the
> vulnerable application gets killed when the canary is modified before
> the execution of the arbitrary code. PIE protects you against return
> into libc attacks that don't need an executable stack. PaX is not
> perfect and needs them as complementary solutions. For example I think
> that RANDEXEC was removed from PaX some time ago, one buffer overflow that
> uses return into libc attack could be successful against one
> non-hardened binary. Since skype is a network oriented software...

In what situations is a hardened kernel useful?

- Grant

>>> Hardened profiles: Yes there's a difference, no you should not switch to
>>> hardened/linux/${ARCH} at this time.
>>
>> Is hardened/x86/2.6 still available for new installations? My other
>> systems are amd64 but none of them list hardened/amd64/2.6.
>>
>>> You can get skype working by downloading or building gcc 4.1.x and pointing
>>> LD_LIBRARY_PATH at the shared object directory when starting skype.
>>> skype won't be using hardened toolchain but since it's closed source and you're
>>> willing to switch the whole machine to non-hardened I figure you probably
>>> don't mind. ;)
>>>
>>> Example:
>>> 1. Download
>>> http://tinderbox.dev.gentoo.org/default-linux/x86/sys-devel/gcc-4.1.2.tbz2
>>> 2. unpack the archive to ${HOME}/tinderbox-pkgs/sys-devel/gcc/
>>> 3. Run it:
>>> LD_LIBRARY_PATH="${HOME}/tinderbox-pkgs/sys-devel/gcc/usr/lib/gcc/i686-pc-linux-gnu/4.1.2/" skype
>>>
>>> If you only require VoIP capability and not skype specifically you might be
>>> interested in net-im/ekiga.
>>
>> Thank you very much for that, but I'm trying to simplify. You see,
>> I'm only a fake sysadmin. Does using a hardened kernel with a
>> non-hardened profile still offer good protection?
>>
>> - Grant
>>
>>>> > I've been able to do so; basically I switched over to the standard
>>>> > profile, disabled selinux in the kernel, and re-emerged system for new
>>>> > use flags. There were some other details but overall the process was
>>>> > pretty painless, anyone ambitious enough to configure a hardened system
>>>> > can probably handle the switch without much problem. Not that I'm
>>>> > encouraging you to drop hardened (especially on a laptop that could be
>>>> > exposed to random wifi networks ;-)
>>>>
>>>> Is there any difference between 1 and 8 here? Should I switch to 8?
>>>>
>>>> # eselect profile list
>>>> Available profile symlink targets:
>>>> [1] hardened/x86/2.6 *
>>>> [2] selinux/2007.0/x86
>>>> [3] selinux/2007.0/x86/hardened
>>>> [4] default/linux/x86/2008.0
>>>> [5] default/linux/x86/2008.0/desktop
>>>> [6] default/linux/x86/2008.0/developer
>>>> [7] default/linux/x86/2008.0/server
>>>> [8] hardened/linux/x86
>>>>
>>>> - Grant
>>>>
>>>> >> Can I switch my laptop's profile from a hardened one to a non-hardened
>>>> >> one? I thought this was impossible without a complete reinstall but
>>>> >> folks on the gentoo-user list seem to think it's not a problem.
>>>> >>
>>>> >> - Grant
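
The userland protections named in this thread (PIE, SSP, and whether the stack is executable) leave markers in a binary's ELF headers, so a prebuilt program can be checked before deciding how much the toolchain is contributing. The following is an added example, not part of the original messages; the function names and the two sample ELF images are constructed for illustration, and the SSP check is a heuristic that looks for the `__stack_chk_fail` symbol name.

```python
import struct

ET_EXEC, ET_DYN = 2, 3                  # e_type: fixed-address vs position-independent
PT_GNU_STACK, PF_X = 0x6474E551, 0x1    # stack-permission segment, execute flag

def elf_hardening(data: bytes) -> dict:
    """Report PIE, non-executable stack and SSP indicators for a little-endian ELF."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[5] != 1:
        raise ValueError("only little-endian ELF is handled")
    is64 = data[4] == 2
    (e_type,) = struct.unpack_from("<H", data, 16)
    if is64:
        (e_phoff,) = struct.unpack_from("<Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from("<I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    stack_flags = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", data, off)
        if p_type == PT_GNU_STACK:
            # p_flags sits at offset 4 in Elf64_Phdr and offset 24 in Elf32_Phdr
            (stack_flags,) = struct.unpack_from("<I", data, off + (4 if is64 else 24))
    return {
        "pie": e_type == ET_DYN,  # shared objects are ET_DYN as well
        # no PT_GNU_STACK header is counted as "not proven non-executable"
        "nx_stack": stack_flags is not None and not stack_flags & PF_X,
        # heuristic: SSP-built code references the canary failure handler
        "ssp": b"__stack_chk_fail" in data,
    }

def make_elf32(e_type: int, stack_flags: int, extra: bytes = b"") -> bytes:
    """Constructed sample: ELF32 header plus one PT_GNU_STACK program header."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               e_type, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr + extra

HARDENED = make_elf32(ET_DYN, 0x6, b"\0__stack_chk_fail\0")  # stack RW, constructed
PLAIN = make_elf32(ET_EXEC, 0x7)                               # stack RWX, constructed

if __name__ == "__main__":
    for name, blob in (("hardened-style", HARDENED), ("plain", PLAIN)):
        print(name, elf_hardening(blob))
```

To check a real binary, pass the bytes read from the file (opened in binary mode) to `elf_hardening`.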