From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-hardened+bounces-2330-garchives=archives.gentoo.org@lists.gentoo.org>)
	id 1LGJaf-0003wn-8k
	for garchives@archives.gentoo.org; Fri, 26 Dec 2008 20:47:25 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id B9CC1E058D;
	Fri, 26 Dec 2008 20:47:23 +0000 (UTC)
Received: from mail-bw0-f12.google.com (mail-bw0-f12.google.com [209.85.218.12])
	by pigeon.gentoo.org (Postfix) with ESMTP id 18538E058D
	for <gentoo-hardened@lists.gentoo.org>; Fri, 26 Dec 2008 20:47:22 +0000 (UTC)
Received: by bwz5 with SMTP id 5so3967269bwz.10
        for <gentoo-hardened@lists.gentoo.org>; Fri, 26 Dec 2008 12:47:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:received:received:message-id:date:from:to
         :subject:in-reply-to:mime-version:content-type
         :content-transfer-encoding:content-disposition:references;
        bh=azLRHE2dvrnJ0c/pRzghZceG/+bYjUGipqhIoTOHx+8=;
        b=ZOnKGC430JnzFqDYPXG2xfUl7hXZTY7eFhPG6eiIvu0nUCCbtUlbspVur7vOYESNMt
         Z2DCcj3SO89DCjfkwMgFdBWauWLxx1dNWy/3QrWyMKijABTxPgQ5+16xGuIkr2g6R83S
         tewNo1lTR4dV199mMOoXyv50uNtdfvxxd1YqY=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=message-id:date:from:to:subject:in-reply-to:mime-version
         :content-type:content-transfer-encoding:content-disposition
         :references;
        b=qGi16RvkWGRH74gXTMzJMI2n59k95OZYHF7kn7QOyo0hCNh11/EKbZBOwT2Lr2ovzA
         PQVIoFiJZ/4NpQoM52bSSm5i4WhzcEzcDXJyMo0A5lm1yDBw5mCw7R6NqIRHLcTgtORF
         UF9x9WmIzhfeIRP7d4Z9WIoSnllYO1KOqntjM=
Received: by 10.181.48.13 with SMTP id a13mr4106130bkk.97.1230324441918;
        Fri, 26 Dec 2008 12:47:21 -0800 (PST)
Received: by 10.180.204.12 with HTTP; Fri, 26 Dec 2008 12:47:21 -0800 (PST)
Message-ID: <49bf44f10812261247l2997a51axe9a3b5a581994f0b@mail.gmail.com>
Date: Fri, 26 Dec 2008 12:47:21 -0800
From: Grant <emailgrant@gmail.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Profile switch: hardened to non-hardened?
In-Reply-To: <897813410812261117t40f2fecdu8b42f530788f47ec@mail.gmail.com>
Precedence: bulk
List-Post: <mailto:gentoo-hardened@lists.gentoo.org>
List-Help: <mailto:gentoo-hardened+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-hardened+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-hardened+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-hardened.gentoo.org>
X-BeenThere: gentoo-hardened@lists.gentoo.org
Reply-to: gentoo-hardened@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <49bf44f10812231323t7b5371eaj6a082f56f17b01e0@mail.gmail.com>
	 <49515B9F.4030006@moremagic.com>
	 <49bf44f10812240903r5de4963blb6c9c4e295adf7f7@mail.gmail.com>
	 <200812241621.13188.gengor@gentoo.org>
	 <49bf44f10812250712u35f87d71l750fd67f97204dad@mail.gmail.com>
	 <897813410812250830i2f910883n62b426dbe5a0329a@mail.gmail.com>
	 <49bf44f10812251752j6ab40c33jd31c15f5a849454c@mail.gmail.com>
	 <897813410812261117t40f2fecdu8b42f530788f47ec@mail.gmail.com>
X-Archives-Salt: 7bbc3893-6400-46ae-88a6-9b86de52f8a0
X-Archives-Hash: 80047ab4ff0dfe73810b6a16c6fc6086

> Without hardened userland only in access controls. You can implement
> for example one Trusted Path Execution with LIDS, RSBAC, GRSEC or
> SELinux. They could try to stop crackers that gain unpriviledge access
> to the host (with a remote exploit for example) to execute exploits to
> scale priviledges. They could give you one least priviledge approach
> (as PaX does) and other useful things, as isolation of daemons,
> resources controls. And a lot of more. With TPE however, untrusted
> scripts (exploits) could be launched without execution rights, and
> even restricting the use of perl and python, you must grant your users
> the access to bash.

Thank you for taking the time to explain, but I'm afraid I don't
understand.  I'm looking for things I can implement that don't require
me to understand their inner workings.  This is not ideal, but I only
have so much time to devote to sysadmin duties since I'm not a real
sysadmin.  My server runs a hardened profile because it hasn't caused
any problems, but running a hardened profile on my desktops has proven
to be too difficult.  All of my systems run a hardened kernel but the
only hardened feature I've enabled in the kernel is Grsecurity set to
medium or low depending on the system.

Do the hardened profile and hardened kernels do me any good without
further configuration?

- Grant

>>> In terms of userland, non hardened profile doesn't protect you at all
>>> against buffer overflows, you are removing one important security
>>> layer. SSP protects you against buffer overflows in terms that the
>>> vulnerable application gets killed when the canary is modified before
>>> the execution of the arbitrary code. PIE protects you against return
>>> into libc attacks that doesn't need an executable stack. PaX is not
>>> perfect and needs them as complementary solutions. For example I think
>>> that RANDEXEC was removed from PaX time ago, one buffer overflow that
>>> uses return into libc attack could be succesfully against one
>>> non-hardened binary. Since skype is a network oriented software...
>>
>> In what situations is a hardened kernel useful?
>>
>> - Grant