From: Javier Martínez
To: gentoo-hardened@lists.gentoo.org
Date: Fri, 5 Dec 2008 18:31:29 +0100
Subject: Re: [gentoo-hardened] hardened workstation - is that worth it?

One more thing: this could have been understood wrongly in an earlier mail I sent, which was caused by my horrible English. Before the filesystem capabilities, a process with only CAP_SYS_RAWIO and the others restricted could add all the other missing capabilities by simply searching for the cap_bset in their system.map and writing 0xFFFFFEFF into it through /dev/mem. This set the maximum capabilities that a new process could get, so a system restricted to CAP_SYS_RAWIO could restore the complete Cap_bound set. You could, for example, remove an immutable flag from a binary with only CAP_SYS_RAWIO, because you could set CAP_SYS_IMMUTABLE on in the cap_bset.

2008/12/5 Javier Martínez :
> Have you said me that I'm obsoleted?, ok, I agreed with you... o:),
> but since I don't use xorg in servers... no problem. You still having
> the other problems I commented. One question, somebody knows what made
> xorg incompatible with pax mprotect restrictions in earlier versions?.
>
> I put you a link that is newer than the link that Brian Kroth posted
> and still having the incompatibilities on:
> http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml, maybe a
> mistake?
> 2008/12/5 :
>> On 25 Nov 2008 at 21:36, Javier Martínez wrote:
>>
>>> In my opinion getting X-window running is bad in security concerns, by
>>> this reasons:
>>> - First: PaX should be disable in mprotect terms since Xorg needs it
>>> (with it refuse to run) .
>>
>> - PaX flags: -------x-e-- [/usr/bin/Xorg]
>>
>> and it works for me... so why do you need to disable MPROTECT on your Xorg?
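
A defensive check for the issue described in the message above, as an added example that is not part of the original thread: it decodes the 0xFFFFFEFF mask the message mentions and lists which capability sets of a process contain CAP_SYS_RAWIO. It assumes the Cap* fields that current kernels expose in /proc/<pid>/status; the sample status text and its process name are constructed.

```python
"""Decode Linux capability masks and flag CAP_SYS_RAWIO holders (added example)."""
import glob

# Bit numbers from <linux/capability.h>; only those relevant to this thread.
CAP_NAMES = {8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE", 17: "CAP_SYS_RAWIO"}
CAP_SYS_RAWIO = 17

# Constructed sample: a daemon stripped down to CAP_SYS_RAWIO only.
SAMPLE_STATUS = """Name:\tlegacy-iod
CapInh:\t0000000000000000
CapPrm:\t0000000000020000
CapEff:\t0000000000020000
CapBnd:\t00000000fffffeff
"""

def cleared_bits(mask, width=32):
    """Bit numbers that are 0 in a capability mask of the given width."""
    return [bit for bit in range(width) if not (mask >> bit) & 1]

def parse_caps(text):
    """Return the Cap* masks found in /proc/<pid>/status text as integers."""
    caps = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in ("CapInh", "CapPrm", "CapEff", "CapBnd"):
            caps[key] = int(value.strip(), 16)
    return caps

def rawio_findings(text, sets=("CapPrm", "CapEff", "CapBnd")):
    """Names of the given capability sets that contain CAP_SYS_RAWIO."""
    caps = parse_caps(text)
    return [name for name in sets if (caps.get(name, 0) >> CAP_SYS_RAWIO) & 1]

def scan_proc():
    """Live audit: {status path: sets through which the process holds RAWIO}."""
    report = {}
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path, errors="replace") as fh:
                hits = rawio_findings(fh.read(), ("CapPrm", "CapEff"))
        except OSError:  # process exited or access denied
            continue
        if hits:
            report[path] = hits
    return report

if __name__ == "__main__":
    print("cleared in 0xFFFFFEFF:", [CAP_NAMES[b] for b in cleared_bits(0xFFFFFEFF)])
    print("live CAP_SYS_RAWIO holders:", scan_proc())
```

A process that shows CAP_SYS_RAWIO in CapPrm or CapEff deserves the same scrutiny as a fully privileged one when raw memory or port access is reachable from it.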