From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org) by nuthatch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1GNZOH-00010N-Fq for garchives@archives.gentoo.org; Wed, 13 Sep 2006 18:23:17 +0000
Received: from robin.gentoo.org (localhost [127.0.0.1]) by robin.gentoo.org (8.13.8/8.13.6) with SMTP id k8DILhFk016861; Wed, 13 Sep 2006 18:21:43 GMT
Received: from sccrmhc11.comcast.net (sccrmhc11.comcast.net [204.127.200.81]) by robin.gentoo.org (8.13.8/8.13.6) with ESMTP id k8DIHLLP026366 for ; Wed, 13 Sep 2006 18:17:21 GMT
Received: from [161.44.182.222] (dhcp-161-44-182-222.cisco.com[161.44.182.222]) by comcast.net (sccrmhc11) with ESMTP id <2006091318172001100t72oee>; Wed, 13 Sep 2006 18:17:20 +0000
Message-ID: <45084B2F.40908@comcast.net>
Date: Wed, 13 Sep 2006 14:17:19 -0400
From: Brian Davis
User-Agent: Thunderbird 1.5.0.5 (Windows/20060719)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Simplified apache2
References: <558b73fb0609120808k799baf30j41560442b9c38d12@mail.gmail.com>
In-Reply-To: <558b73fb0609120808k799baf30j41560442b9c38d12@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Archives-Salt: 7cff6752-e7fe-4052-b2b9-154febcba80d
X-Archives-Hash: d8ca322bdf80b1f41efe13ef8addcdd2

Can one convert a non-hardened machine to use the hardened profile, or do you have to start from scratch?

Michael Crute wrote:
> On 9/12/06, James wrote:
>>
>> I used 2006.1 livecd to install a pII machine. It's going
>> to become a (minimalistic) apache2 server. I just let the
>> installation set the flags for the install so I have these flags
>> currently:
>
>
>
> Those look a bit excessive for a "minimalist" machine. I would start
> over ;-)
>
>> Some of these flags look questionable, such as the ones with
>> underscores (kernel_linux userland_GNU), as I only found
>> information on them where they are described as 'undocumented
>> use flags'. What's up with these flags?
>
> My understanding is that these are set in the profile and simply tell
> portage that you are using Linux. I don't think there is any way
> (short of profile hacking) to change them. So don't worry about it.
>
>> Where do I look to discern the minimal list of (necessary) system
>> flags that must be kept? (I want to avoid negating any flags that
>> are critical.)
>>
>>
>> This is my proposed list of flags:
>
>
>
> Still a little excessive in my opinion. The approach that I would (do)
> take is to put only the bare minimum use flags in make.conf and
> override the rest on a per-package level in /etc/portage/package.use.
>
>> So can I just use this list, or do I have to include a -{flag} for
>> each one?
>>
>> Is there a simpler syntax to globally remove unwanted flags [-*], but
>> not any critical system flags? (Is this the same as just leaving the
>> flag out of the USE param. setting in make.conf?)
>>
>
> -* will work but be careful, it can break things if you don't know what
> you're doing.
>
>> Are there default system flag settings that I can safely remove?
>> Where is the list and how do I know which ones can be removed or
>> negated?
>>
>> My (limited) understanding of flags is that the highest priority are
>> those set in /etc/portage/package.use, then /etc/make.conf, then
>> the system default flags which may be located in several locations.
>> Are there any docs or listings of all of these locations and details
>> on precedence?
>
> http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=2
>
> OK, my advice to you would be to start over with a hardened profile.
> While hardened is not specifically required, I highly recommend it if
> this is just going to be a headless server machine.
>
> You probably want to set your machine up with a similar USE= string in
> make.conf
>
> USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl python
> readline"
>
> I believe that is the bare minimum if you use -*. Now you can compile
> your system and you have a blank slate to start working with. As you
> start emerging packages just make sure you use the -pv flags for
> emerge and check out the available use flags and add the ones you want
> to /etc/portage/package.use. Here is an example of my package.use line
> for apache2
>
> net-www/apache mpm-prefork threads
>
> This setup works smashingly for me on my production servers but YMMV.
> Best of luck.
>
> -Mike
>
-- 
gentoo-user@gentoo.org mailing list
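The precedence James asks about (profile defaults, then make.conf, then
/etc/portage/package.use) and the "-*" plus per-package approach Mike
recommends, as an added example that is not part of the thread and is not
Portage's own code: a small POSIX sh model of incremental USE resolution.
The flag lists in it are constructed sample data, and FORCED_USE is an
assumption standing in for the profile's forced flags (the kernel_linux /
userland_GNU kind) that survive "-*". Real Portage also applies USE_EXPAND,
use.mask and versioned atoms, which this model ignores.

```shell
#!/bin/sh
# Added example, not code from the thread or from Portage: a simplified
# model of how Portage combines incremental USE settings, in the order the
# thread discusses: profile defaults -> make.conf USE -> package.use entry.
# Assumptions (not from the page): the sample flag lists below are
# constructed, and FORCED_USE stands in for the profile's use.force entries
# (kernel_linux, userland_GNU, ...) that cannot be switched off, not even
# by "-*". Real Portage also applies USE_EXPAND, use.mask and versioned
# atoms, which this model ignores. Check the real answer with `emerge -pv`.

# Constructed sample inputs.
PROFILE_USE="acl berkdb bzip2 cli cracklib crypt cups dri gdbm gpm iconv ipv6 ncurses nls nptl pam pcre perl python readline ssl sysvipc tcpd unicode x86 zlib"
FORCED_USE="kernel_linux userland_GNU elibc_glibc"
MAKECONF_USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl python readline"
PACKAGE_USE_APACHE="mpm-prefork threads -ssl"   # hypothetical package.use line

# Echo flag set $1 without token $2.
drop_flag() {
    out=""
    for f in $1; do
        [ "$f" = "$2" ] || out="${out:+$out }$f"
    done
    printf '%s' "$out"
}

# Apply incremental tokens ($2) to flag set ($1) and echo the result:
# "-*" clears everything accumulated so far, "-foo" removes foo, "foo" adds it.
apply_use() {
    acc=$1
    for tok in $2; do
        case "$tok" in
            -\*) acc="" ;;
            -*)  acc=$(drop_flag "$acc" "${tok#-}") ;;
            *)   case " $acc " in
                     *" $tok "*) ;;
                     *) acc="${acc:+$acc }$tok" ;;
                 esac ;;
        esac
    done
    printf '%s' "$acc"
}

# Return 0 if flag $2 is present in flag set $1.
has_flag() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# Effective USE for one package: profile, then make.conf, then that package's
# package.use tokens ($1, may be empty), then the forced flags re-added last.
# Output is sorted (C locale) so it is stable for comparison.
effective_use() {
    u=$(apply_use "$PROFILE_USE" "$MAKECONF_USE")
    u=$(apply_use "$u" "$1")
    u=$(apply_use "$u" "$FORCED_USE")
    sorted=$(printf '%s\n' "$u" | tr ' ' '\n' | LC_ALL=C sort | tr '\n' ' ')
    printf '%s' "${sorted% }"
}

# Profile defaults that the make.conf line switched off: this is what "-*"
# costs you, and why Mike warns it can break things.
dropped_defaults() {
    g=$(effective_use "")
    gone=""
    for d in $PROFILE_USE; do
        has_flag "$g" "$d" || gone="${gone:+$gone }$d"
    done
    printf '%s' "$gone"
}

main() {
    echo "global USE:          $(effective_use "")"
    echo "net-www/apache USE:  $(effective_use "$PACKAGE_USE_APACHE")"
    echo "dropped by -*:       $(dropped_defaults)"
}
main
```

Run it with `sh use_resolve.sh` (file name is arbitrary). The "dropped by -*"
line is the part worth looking at before putting "-*" in make.conf: every
profile default that is not re-listed after it is gone for every package.
On a real box the authoritative view is `emerge -pv <package>`, which prints
the flags that will actually be used, and `emerge --info` for the global
USE after profile, make.conf and package.use have been combined.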