Message-ID: <51F7B76B.90504@fastmail.co.uk>
Date: Tue, 30 Jul 2013 13:54:03 +0100
From: Kerin Millar
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] which VM do you recommend?
References: <1375166739.14240.0@numa-i.igpm.rwth-aachen.de> <51F79749.6030201@libertytrek.org>
In-Reply-To: <51F79749.6030201@libertytrek.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
X-Archives-Salt: def8b4b5-3f82-4369-90dd-5bac2683aeaf
X-Archives-Hash: 7cff59533b11e4233011209e0ac377e2

On 30/07/2013 11:36, Tanstaafl wrote:
> On 2013-07-30 4:11 AM, Randolph Maaßen wrote:
>> It needs a couple of kernel modules to work, but emerge will prompt you
>> with what it needs.
>
> Side question...
>
> I want to run the vmware tools on my gentoo VM (so the host can safely
> power it down), but it also requires modules.
>
> For security reasons I have never enabled modules on my servers, but...

It doesn't enhance security unless additional measures are taken (see below).

>
> Is there a way to do this securely, so that *only* the necessary modules
> could ever be loaded?

You can use grsecurity (which is in hardened-sources). With
CONFIG_GRKERNSEC_MODSTOP enabled, you will be able to run:

# echo 1 > /proc/sys/kernel/grsecurity/disable_modules

After that, no further modules can be loaded. However, you would also need
to disable privileged I/O and the ability to write to /dev/kmem, both of
which grsecurity also facilitates.

--Kerin
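The procedure Kerin describes (load exactly the modules you need, then flip a one-way sysctl so nothing further can be loaded) as an added shell example. This is not code from the original thread, from grsecurity or from VMware tools. It assumes two lock knobs, both of which really exist: grsecurity's /proc/sys/kernel/grsecurity/disable_modules (CONFIG_GRKERNSEC_MODSTOP) and the mainline equivalent /proc/sys/kernel/modules_disabled (kernel.modules_disabled, present since 2.6.31), which the thread does not mention. The module names in ALLOWED_MODULES are placeholders, and the ROOT prefix argument exists only so the functions can be exercised against a fake /proc tree; on a real host it is "/".

```shell
#!/bin/sh
# Added example: allow-list module loading at boot, then lock it for the
# rest of the uptime. Both knobs below are one-way: once written as 1 they
# cannot be cleared without a reboot, which is what makes the lock useful.
#
#   grsecurity (CONFIG_GRKERNSEC_MODSTOP): /proc/sys/kernel/grsecurity/disable_modules
#   mainline Linux (>= 2.6.31):            /proc/sys/kernel/modules_disabled
#
# Every function takes an optional prefix ($1) so it can be run against a
# fake /proc tree for testing; pass "/" (or nothing) on a real system.

# Placeholder allow-list (assumption, not from the thread): put here exactly
# the modules the tools build told you it needs, nothing else.
ALLOWED_MODULES="vmw_balloon vmw_vmci"

# Print the path of whichever lock knob exists under the prefix, preferring
# grsecurity's. Returns 1 if the running kernel offers neither.
lock_knob() {
    root=${1%/}
    for p in /proc/sys/kernel/grsecurity/disable_modules \
             /proc/sys/kernel/modules_disabled; do
        if [ -e "$root$p" ]; then
            printf '%s\n' "$root$p"
            return 0
        fi
    done
    return 1
}

# Write 1 to the knob. From this point on, init_module()/finit_module()
# fail with EPERM for every process, root included.
lock_modules() {
    root=${1%/}
    knob=$(lock_knob "$root") || return 1
    printf '1\n' > "$knob"
}

# Succeed only if the knob reads back as 1.
modules_locked() {
    root=${1%/}
    knob=$(lock_knob "$root") || return 1
    [ "$(cat "$knob")" = "1" ]
}

# Real-host entry point: load the allow-list, then lock and verify.
# Needs root; do not call this in a test environment.
harden_modules() {
    for m in $ALLOWED_MODULES; do
        modprobe "$m" || { echo "modprobe $m failed, refusing to lock" >&2; return 1; }
    done
    lock_modules / || { echo "no module-lock knob on this kernel" >&2; return 1; }
    modules_locked /
}

# Only act when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "--apply" ]; then
    harden_modules
fi
```

Run it as `sh harden-modules.sh --apply` from a boot-time script that executes after the allow-listed modules are needed but before any untrusted service starts; after it returns, `modprobe` of anything not already loaded fails with "Operation not permitted". As Kerin notes, this only closes the module path: with grsecurity you would also enable CONFIG_GRKERNSEC_IO (no iopl/ioperm) and CONFIG_GRKERNSEC_KMEM (no writes through /dev/kmem, /dev/mem or /dev/port); on a mainline kernel the closest equivalents are CONFIG_DEVKMEM=n and CONFIG_STRICT_DEVMEM=y. Those are kernel build options rather than runtime knobs, which is why they are not scripted here.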