From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <897813410812261117t40f2fecdu8b42f530788f47ec@mail.gmail.com>
Date: Fri, 26 Dec 2008 20:17:16 +0100
From: "Javier J. Martínez Cabezón" <tazok.id0@gmail.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Profile switch: hardened to non-hardened?
In-Reply-To: <49bf44f10812251752j6ab40c33jd31c15f5a849454c@mail.gmail.com>
References: <49bf44f10812231323t7b5371eaj6a082f56f17b01e0@mail.gmail.com>
 <49515B9F.4030006@moremagic.com>
 <49bf44f10812240903r5de4963blb6c9c4e295adf7f7@mail.gmail.com>
 <200812241621.13188.gengor@gentoo.org>
 <49bf44f10812250712u35f87d71l750fd67f97204dad@mail.gmail.com>
 <897813410812250830i2f910883n62b426dbe5a0329a@mail.gmail.com>
 <49bf44f10812251752j6ab40c33jd31c15f5a849454c@mail.gmail.com>
List-Id: Gentoo Linux mail <gentoo-hardened.gentoo.org>
Reply-to: gentoo-hardened@lists.gentoo.org
Content-Type: text/plain; charset=ISO-8859-1

Without a hardened userland, only in access controls. You can implement, for
example, Trusted Path Execution with LIDS, RSBAC, GRSEC or SELinux. They could
try to stop crackers that gain unprivileged access to the host (with a remote
exploit, for example) from executing exploits to escalate privileges. They could
give you a least-privilege approach (as PaX does) and other useful things, such
as isolation of daemons and resource controls. And a lot more.

With TPE, however, untrusted scripts (exploits) could be launched without
execution rights, and even restricting the use of perl and python, you must
grant your users access to bash.
2008/12/26 Grant <emailgrant@gmail.com>:
>> In terms of userland, a non-hardened profile doesn't protect you at all
>> against buffer overflows, you are removing one important security
>> layer. SSP protects you against buffer overflows in terms that the
>> vulnerable application gets killed when the canary is modified before
>> the execution of the arbitrary code. PIE protects you against return
>> into libc attacks that don't need an executable stack. PaX is not
>> perfect and needs them as complementary solutions. For example I think
>> that RANDEXEC was removed from PaX some time ago, one buffer overflow that
>> uses a return into libc attack could be successful against one
>> non-hardened binary. Since skype is network oriented software...
>
> In what situations is a hardened kernel useful?
>
> - Grant
>
>
>>>> Hardened profiles: Yes there's a difference, no you should not switch to
>>>> hardened/linux/${ARCH} at this time.
>>>
>>> Is hardened/x86/2.6 still available for new installations? My other
>>> systems are amd64 but none of them list hardened/amd64/2.6.
>>>
>>>> You can get skype working by downloading or building gcc 4.1.x and pointing
>>>> LD_LIBRARY_PATH at the shared object directory when starting skype. skype
>>>> won't be using the hardened toolchain but since it's closed source and you're
>>>> willing to switch the whole machine to non-hardened I figure you probably
>>>> don't mind. ;)
>>>>
>>>> Example:
>>>> 1. Download
>>>> http://tinderbox.dev.gentoo.org/default-linux/x86/sys-devel/gcc-4.1.2.tbz2
>>>> 2. unpack the archive to ${HOME}/tinderbox-pkgs/sys-devel/gcc/
>>>> 3. Run it:
>>>> LD_LIBRARY_PATH="${HOME}/tinderbox-pkgs/sys-devel/gcc/usr/lib/gcc/i686-pc-linux-gnu/4.1.2/" skype
>>>>
>>>> If you only require VoIP capability and not skype specifically you might be
>>>> interested in net-im/ekiga.
>>>
>>> Thank you very much for that, but I'm trying to simplify. You see,
>>> I'm only a fake sysadmin. Does using a hardened kernel with a
>>> non-hardened profile still offer good protection?
>>>
>>> - Grant
>>>
>>>>> > I've been able to do so; basically I switched over to the standard
>>>>> > profile, disabled selinux in the kernel, and re-emerged system for new
>>>>> > use flags. There were some other details but overall the process was
>>>>> > pretty painless, anyone ambitious enough to configure a hardened system
>>>>> > can probably handle the switch without much problem. Not that I'm
>>>>> > encouraging you to drop hardened (especially on a laptop that could be
>>>>> > exposed to random wifi networks ;-)
>>>>>
>>>>> Is there any difference between 1 and 8 here? Should I switch to 8?
>>>>>
>>>>> # eselect profile list
>>>>> Available profile symlink targets:
>>>>>   [1]   hardened/x86/2.6 *
>>>>>   [2]   selinux/2007.0/x86
>>>>>   [3]   selinux/2007.0/x86/hardened
>>>>>   [4]   default/linux/x86/2008.0
>>>>>   [5]   default/linux/x86/2008.0/desktop
>>>>>   [6]   default/linux/x86/2008.0/developer
>>>>>   [7]   default/linux/x86/2008.0/server
>>>>>   [8]   hardened/linux/x86
>>>>>
>>>>> - Grant
>>>>>
>>>>> >> Can I switch my laptop's profile from a hardened one to a non-hardened
>>>>> >> one? I thought this was impossible without a complete reinstall but
>>>>> >> folks on the gentoo-user list seem to think it's not a problem.
>>>>> >>
>>>>> >> - Grant
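The caveat Javier raises about TPE (an untrusted script can still run without execute rights as long as the user can reach an interpreter) can be reproduced on any box without LIDS, RSBAC, grsecurity or SELinux installed, because it is a property of execve(), not of the MAC layer. The following is an added example, not code from the mail or from any of the projects named in it; the "payload" script, the temp directory and the function name tpe_demo are constructed for the demonstration:

```shell
#!/bin/sh
# Added example (not part of the original mail). Shows why a missing execute
# bit, a noexec mount or a Trusted Path Execution policy that only gates
# execve() does not stop a user who can invoke an already-trusted interpreter.

tpe_demo() {
  dir=$(mktemp -d) || return 1
  script="$dir/payload.sh"

  # Constructed "untrusted script"; in the scenario from the mail this would
  # be a local privilege-escalation exploit dropped by a remote attacker.
  printf '%s\n' '#!/bin/sh' 'echo payload-ran' > "$script"
  chmod 0644 "$script"   # no execute bit at all, as TPE / noexec would enforce

  # 1. Direct execution: the kernel refuses execve() on a file with no x bit
  #    (even for root), so the shell reports "Permission denied".
  if "$script" >/dev/null 2>&1; then direct=ran; else direct=denied; fi

  # 2. Feeding the same file to a trusted interpreter: execve() now runs
  #    /bin/sh, which is allowed, and the script is merely its input.
  via_interp=$(sh "$script" 2>/dev/null)

  # 3. Even a policy that inspects interpreter arguments is bypassed when the
  #    script arrives on stdin; the interpreter never sees a file name.
  via_stdin=$(sh < "$script" 2>/dev/null)

  rm -rf "$dir"
  printf '%s %s %s\n' "$direct" "$via_interp" "$via_stdin"
}

tpe_demo   # prints: denied payload-ran payload-ran
```

Only case 1 is blocked; cases 2 and 3 run the payload. That is why the mail's conclusion holds: the lever that actually works is restricting the interpreter binaries themselves (what Javier describes as restricting perl and python), and bash is the hard one because interactive users need it as a login shell.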