From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org) by nuthatch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1GNUlR-0000Xw-HE for garchives@archives.gentoo.org; Wed, 13 Sep 2006 13:26:53 +0000
Received: from robin.gentoo.org (localhost [127.0.0.1]) by robin.gentoo.org (8.13.8/8.13.6) with SMTP id k8DDPj9E019193; Wed, 13 Sep 2006 13:25:45 GMT
Received: from mach.qrypto.org (connectioncable-084.headoff.net [217.30.222.84] (may be forged)) by robin.gentoo.org (8.13.8/8.13.6) with ESMTP id k8DDKZNH009335 for ; Wed, 13 Sep 2006 13:20:36 GMT
Received: (qmail 20283 invoked from network); 13 Sep 2006 12:24:33 -0000
Received: from unknown (HELO rumen.goto.bg) (gentoo@85.130.92.205) by connectioncable-084.headoff.net with ESMTPA; 13 Sep 2006 12:24:33 -0000
Date: Wed, 13 Sep 2006 16:20:09 +0300
From: Rumen Yotov
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Simplified apache2
Message-ID: <20060913162009.300c88aa@rumen.goto.bg>
In-Reply-To:
References: <558b73fb0609120808k799baf30j41560442b9c38d12@mail.gmail.com> <45074266.7050301@gmail.com>
Organization: personal
X-Mailer: Sylpheed-Claws 2.4.0 (GTK+ 2.8.19; i686-pc-linux-gnu)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Archives-Salt: 459395f1-3f50-4137-8c6e-1b5c691d3c3c
X-Archives-Hash: 2d662502bfb91df6d0eff0d3379a9115

Hi,

On Wed, 13 Sep 2006 12:36:45 +0000 (UTC) James wrote:

> Ryan Tandy gmail.com> writes:
>
> > Michael Crute wrote:
> > > USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl
> > > python readline"

You could omit "pic" here IIRC; on a hardened profile "hardened" includes the -fpic -fpie CFLAGS, plus SSP in GCC-4.1.1 (a default).
If using a vanilla (desktop & server) profile you'll need 'pie' as well. Maybe (if not using a hardened profile) you'll also need some LDFLAGS.

> Ok,
> So I'll test your suggestions.
> The more minimized the global flags are, the more secure the server.
>

+1. Could also check the flags in the "hardened" profile.

> > Also, be careful using the hardened flag without running the
> > hardened profile. The hardened profile masks out a couple of
> > packages and flags that don't work so well on a hardened system.

+1

> Hmmmm,
>
> Not sure I fully grasp what you mean by a 'hardened system'. If you
> mean running a hardened kernel with only necessary software
> installed, then yes, I run hardened kernels on most servers {dns,
> web, mail, firewalls....}
>
> If running a hardened system means more than that, please explain,
> or point me to some docs.

Check the hardened docs page on w.g.o; in short, hardened means a kernel with PaX (+ -fpie for packages), some sort of RBAC system (grsec, RSBAC or SELinux) and all user-land built with SSP, pic, pie (IMHO).

> > BTW, the flags with underscores in them (kernel_linux,
> > userland_GNU, elibc_glibc, video_cards_radeon and such) are known
> > as USE_EXPAND or expanded USE flags.
>
> This is nice to know.
> I did not get the memo on this.
> Any docs for further reading you can point me to?
> ...SKIP...
> James

HTH.
Rumen
--
gentoo-user@gentoo.org mailing list
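As an added example that is not part of the thread above, the following Python script checks an installed binary for two of the properties the reply describes as hardened user-land: whether the ELF is position-independent (an e_type of ET_DYN, which is what a PIE executable has, though a shared library has it too) and whether it references `__stack_chk_fail`, the symbol GCC's stack protector (SSP) emits. Both checks are heuristics of the kind the checksec-style tools use; the `make_elf_header` helper builds a constructed ELF64 header purely so the checks can be exercised offline, and `check_binary`, `is_pie` and `has_ssp` are names chosen here, not Gentoo or hardened-project tooling.

```python
import struct
import sys

# ELF constants from the ELF specification
ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2   # fixed-address executable: not PIE
ET_DYN = 3    # shared object, or a PIE executable
# Symbol referenced by code built with -fstack-protector (SSP) when a canary is corrupted
SSP_SYMBOL = b"__stack_chk_fail"


def elf_type(data: bytes) -> int:
    """Return the e_type field of an ELF header; raise ValueError for non-ELF input."""
    if len(data) < 18 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    # EI_DATA (byte 5) selects the byte order used by the rest of the header
    endian = "<" if data[5] == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return e_type


def is_pie(data: bytes) -> bool:
    """Heuristic: an executable whose ELF type is ET_DYN was linked with -pie."""
    return elf_type(data) == ET_DYN


def has_ssp(data: bytes) -> bool:
    """Heuristic: a binary compiled with SSP carries a reference to __stack_chk_fail."""
    return SSP_SYMBOL in data


def check_binary(data: bytes) -> dict:
    """Summarise the two hardening indicators for one file's bytes."""
    return {"pie": is_pie(data), "ssp": has_ssp(data)}


def make_elf_header(e_type: int, little_endian: bool = True) -> bytes:
    """Constructed sample: a minimal 64-byte ELF64 header (x86-64), not a real program."""
    endian = "<" if little_endian else ">"
    # e_ident: magic, EI_CLASS=2 (64-bit), EI_DATA, EI_VERSION=1, EI_OSABI=0, padding
    e_ident = ELF_MAGIC + bytes([2, 1 if little_endian else 2, 1, 0]) + b"\x00" * 8
    # e_type, e_machine=62 (x86-64), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize=64, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return e_ident + struct.pack(endian + "HHIQQQIHHHHHH",
                                 e_type, 62, 1, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0)


if __name__ == "__main__":
    # Usage: python check_hardening.py /usr/sbin/apache2 /usr/bin/perl ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            result = check_binary(f.read())
        print(f"{path}: PIE={result['pie']} SSP={result['ssp']}")
```

A binary that reports PIE=False on a profile that is supposed to build everything with -fpie is the case worth investigating: either the package was built before the flags changed, or its ebuild filters them. The SSP check is deliberately crude (it scans the whole file for the symbol name), so a statically linked binary or one whose functions all lack protected buffers can give a false negative.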