From: Brian Davis
Date: Thu, 14 Sep 2006 13:05:12 -0400
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Simplified apache2
Message-ID: <45098BC8.8080201@comcast.net>
References: <558b73fb0609120808k799baf30j41560442b9c38d12@mail.gmail.com> <45074266.7050301@gmail.com> <20060913162009.300c88aa@rumen.goto.bg>
In-Reply-To: <20060913162009.300c88aa@rumen.goto.bg>
User-Agent: Thunderbird 1.5.0.5 (Windows/20060719)
List-Id: Gentoo Linux mail

Rumen Yotov wrote:
> Hi,
> On Wed, 13 Sep 2006 12:36:45 +0000 (UTC)
> James wrote:
>
>> Ryan Tandy gmail.com> writes:
>>
>>> Michael Crute wrote:
>>>
>>>> USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl
>>>> python readline"
>>>>
> You could omit "pic" here IIRC (on a hardened profile) "hardened"
> includes -fpic -fpie CFLAGS, plus SSP in GCC-4.1.1 (a default).
> If using a vanilla (desktop & server) profile you'll need 'pie' as well.
> Maybe (if not using a hardened profile) you'll also need some LDFLAGS.

I have a question on this: why would a package have to use a pic USE flag if all that was needed was to compile with -fpic?

>> Ok,
>> So I'll test your suggestions.
>> The more minimized the global flags are, the more secure the server.
>>
> +1
> Could also check the flags in "hardened" profile.
>
>>> Also, be careful using the hardened flag without running the
>>> hardened profile. The hardened profile masks out a couple of
>>> packages and flags that don't work so well on a hardened system.
>>>
> +1
>
>> Hmmmm,
>>
>> Not sure I fully grasp what you mean by a 'hardened system'. If you
>> mean running a hardened kernel with only necessary software
>> installed, then yes, I run hardened kernels on most servers {dns,
>> web, mail, firewalls....}
>>
>> If running a hardened system means more than that, please explain,
>> or point me to some docs.
>>
> Check hardened docs page on w.g.o, in short hardened means a kernel
> with PaX (+ -fpie for packages) some sort of RBAC system - grsec, RSBAC
> or SELinux and all user-land built with SSP, pic, pie (IMHO).
>
>>> BTW, the flags with underscores in them (kernel_linux,
>>> userland_GNU, elibc_glibc, video_cards_radeon and such) are known
>>> as USE_EXPAND or expanded USE flags.
>>>
>> This is nice to know.
>> I did not get the memo on this.
>> Any docs for further reading you can point me to?
>>
> ...SKIP...
>
>> James
>>
> HTH. Rumen
>
-- 
gentoo-user@gentoo.org mailing list
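The thread discusses which USE flags and CFLAGS produce PIE, SSP and related hardening, but the practical check is whether a binary that came out of the build actually has those properties. The following is an added example, not code from the thread, from Gentoo or from pax-utils (whose `scanelf` tool does this job on a real Gentoo box); it parses the ELF64 header and program headers directly so it runs without any toolchain installed. The function name `elf_hardening` and the two sample images built by `_fake_elf64` are this example's own constructions; the sample images are synthetic, not real binaries. The SSP test is the same heuristic checksec-style tools use (a reference to `__stack_chk_fail`), and, as noted in the comments, ET_DYN alone cannot tell a PIE executable from a shared library.

```python
"""Inspect an ELF64 image for the hardening properties discussed in the
thread: PIE (-fpie/-pie), SSP (-fstack-protector), non-executable stack
and RELRO.  Added example; parses the headers by hand so it needs no
binutils or pax-utils.  Only ELF64 is handled (an assumption to keep the
example short)."""
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header describing stack permissions
PT_GNU_RELRO = 0x6474E552   # region made read-only after relocation
PF_X = 0x1                  # executable flag in p_flags
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs position-independent


def elf_hardening(data: bytes) -> dict:
    """Return which hardening features are visible in an ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled by this example")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    (e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _, _, _) = struct.unpack_from(
        end + "HHIQQQIHHHHHH", data, 16)

    has_gnu_stack = exec_stack = relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(
            end + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            has_gnu_stack = True
            exec_stack = bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True

    return {
        # A PIE executable is ET_DYN, but so is every shared library: the
        # caller must already know the file is an executable.  ET_EXEC is
        # definitely not PIE, whatever USE flags were set.
        "pie": e_type == ET_DYN,
        "et_exec": e_type == ET_EXEC,
        # checksec-style heuristic: SSP-built code references the glibc
        # canary-failure routine, which then shows up in the symbol table.
        "ssp": b"__stack_chk_fail" in data,
        # Without PT_GNU_STACK the kernel falls back to an executable stack
        # on most architectures, so absence is treated as executable.
        "nx_stack": has_gnu_stack and not exec_stack,
        "relro": relro,
    }


def _fake_elf64(e_type: int, phdrs, extra: bytes = b"") -> bytes:
    """Construct a minimal little-endian ELF64 image for demonstration:
    header, the given (p_type, p_flags) program headers, trailing bytes."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7
    phoff, phentsize = 64, 56
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x1000,
                              phoff, 0, 0, 64, phentsize, len(phdrs),
                              64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                    for t, f in phdrs)
    return hdr + body + extra


# Constructed samples: what a hardened-profile build should look like versus
# a vanilla ET_EXEC binary with an executable stack and no canary.
HARDENED = _fake_elf64(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)],
                       b"\0__stack_chk_fail\0")
VANILLA = _fake_elf64(ET_EXEC, [(PT_GNU_STACK, 0x7)])


if __name__ == "__main__":
    # Usage: python elfcheck.py /usr/sbin/apache2 ...  (no args: the samples)
    targets = {p: open(p, "rb").read() for p in sys.argv[1:]} or \
              {"hardened-sample": HARDENED, "vanilla-sample": VANILLA}
    for name, blob in targets.items():
        print(name, elf_hardening(blob))
```

Run it against the binaries the profile change was meant to harden (the apache2 binary and its modules, for instance) rather than trusting the USE flags alone; a package that ignores CFLAGS or links its own objects without -pie will show up as ET_EXEC here no matter what make.conf says.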