From: klondike
Date: Thu, 17 Mar 2011 18:43:29 +0100
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Switching to a hardened profile and back again
Message-ID: <4D824841.6030707@gmail.com>
In-Reply-To: <201103171722.57345.francesco.talamona@know.eu>

Going to try to settle and clarify things once and for all.

You can switch back to non-hardened if needed. Make sure you have your old non-hardened kernel as an option in your bootloader just in case, as that will disable most hardening features (including PIE), so your system will only have SSP as a source of possible troubles.

The steps in the FAQ have been agreed by the whole hardened team in meetings, and there are reasons for them:

You need to emerge gcc and glibc in the first stage to make sure they include any hardening needed, since they are patched (at least gcc is, and glibc includes the SSP code). You then need to emerge system for two reasons: first because if something fails going back will be easier, and second because some of the system libraries and tools have hardening patches. Finally you need to emerge the whole world to make sure all the packages (even system ones) are built and linked with hardened features and libraries.

In a similar way you can repeat the above steps again after going back to your preferred non-hardened profile. Also remember that any changes from hardened to non-hardened and vice versa must be made on a non-hardened kernel.

Tip: generate binary packages for world before jumping to hardened, as that will make recovery easier in case the change fails and will speed up going back a lot.

BTW: for those of you who haven't noticed, we added the --keep-going flag to the system and world emerges so the system keeps trying to build if any of the packages fails; in that case filing a bug would be a good idea.

Nothing more to say; if you need to run in softmode just follow the FAQ, but then PaX will be mostly disabled, so it is an almost non-hardened kernel meanwhile.
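The mail says the world rebuild is there so that every package ends up built and linked with the hardened features. A quick way to verify that after the rebuild (or after switching back) is to inspect the resulting ELF files for the two features the mail names, PIE and SSP. The following is an added example, not code from the mail, the hardened FAQ or Gentoo: the PIE test reads e_type from the ELF header (ET_DYN for PIE executables, which is also what shared libraries use, so apply it to executables), and the SSP test is a heuristic search for the `__stack_chk_fail` symbol name in the image.

```python
import struct
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3


def elf_type(data: bytes) -> int:
    """Return e_type from an ELF header: 2 bytes at offset 16, byte order taken from e_ident[EI_DATA]."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian, 2 = big endian
    return struct.unpack_from(endian + "H", data, 16)[0]


def hardening_report(data: bytes) -> dict:
    """PIE: an executable built -fPIE/-pie has e_type ET_DYN instead of ET_EXEC.
    SSP: heuristic; a binary compiled with -fstack-protector references
    __stack_chk_fail, whose name lands in .dynstr (or .strtab when static and
    unstripped). A program with no stack buffers may legitimately lack it."""
    return {
        "pie": elf_type(data) == ET_DYN,
        "ssp": b"__stack_chk_fail" in data,
    }


def check_file(path: str) -> dict:
    """Report PIE/SSP status for an ELF file on disk, e.g. check_file('/bin/ls')."""
    return hardening_report(Path(path).read_bytes())


def fake_elf(e_type: int, ssp: bool) -> bytes:
    """Constructed sample, not a real binary: a 64-byte ELF64 little-endian header
    (class=2, data=1, version=1, machine=62/x86-64) optionally followed by a
    string-table fragment containing the SSP symbol name."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8
    header = ident + struct.pack("<HH", e_type, 62) + b"\0" * 44
    return header + (b"\0__stack_chk_fail\0" if ssp else b"")


if __name__ == "__main__":
    for label, sample in (("hardened", fake_elf(ET_DYN, True)), ("plain", fake_elf(ET_EXEC, False))):
        print(label, hardening_report(sample))
```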