Awesome information, Alex!
Alex Efros wrote:
Hi!
On Thu, Oct 05, 2006 at 05:49:40PM +0200, Darknight wrote:
I should have mentioned this important bit: I'm still with old glibc and gcc
so I can switch, I need to understand if it's a bad gamble or completely
safe.
I think it's safe. I've converted all my servers to hardened some time ago
without any problems. Here are the versions I have now:
sys-devel/binutils-2.16.1-r3
sys-devel/gcc-3.4.6-r1
sys-kernel/hardened-sources-2.6.16-r11
sys-kernel/linux-headers-2.6.11-r5
sys-libs/glibc-2.3.6-r4
If you have newer versions, this may be a problem.
If you have older versions, it may be a good idea to upgrade to these
versions first (with upgrading/recompiling all other packages), and once
you're sure everything is working you can convert to hardened
(i.e. recompiling everything once again to get the SAME versions of all packages
but with hardened now).
Here is the list of commands I've used to convert my servers to hardened:
emerge hardened-sources
# Now configure this kernel (without hardened features yet),
# then compile/boot this kernel.
ln -snf ../usr/portage/profiles/hardened/x86/2.6/ /etc/make.profile
# Remove all extra optimization from CFLAGS in /etc/make.conf and
# set -O2.
# Clean up your $PKGDIR (usually /usr/portage/packages/) to optimize
# compile time using emerge -b and emerge -k later.
emerge -C linux-headers
emerge linux-headers glibc binutils gcc-config gcc
# Here do all operations needed for upgrading gcc, if needed.
emerge -b glibc binutils gcc portage
emerge -bke system
emerge -ke world
glsa-check -l | grep '\[N\]'
# Manually upgrade packages shown by glsa-check, if needed.
emerge -a --depclean
emerge -uDNa world
emerge paxtest paxctl gradm
revdep-rebuild
dispatch-conf
# Now reconfigure the kernel with hardened features switched on,
# then compile/boot this kernel.
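Added example, not part of the original message: a pre-flight check for the advice above that compares installed package versions against the baseline list Alex gives and reports each one as older, same, newer or missing. The sample input, the function names and the simplified version comparison (dotted numeric versions with an optional -rN revision) are assumptions of this example.

```sh
# Baseline versions copied from the message above.
BASELINE='sys-devel/binutils-2.16.1-r3
sys-devel/gcc-3.4.6-r1
sys-kernel/hardened-sources-2.6.16-r11
sys-kernel/linux-headers-2.6.11-r5
sys-libs/glibc-2.3.6-r4'
# Constructed sample input. On a real system (assumption: default package
# database location) use: (cd /var/db/pkg && ls -d */*) | check_baseline
SAMPLE_INSTALLED='sys-devel/binutils-2.16.1-r3
sys-devel/gcc-3.3.6
sys-devel/gcc-config-1.3.13-r3
sys-kernel/linux-headers-2.6.17-r1
sys-libs/glibc-2.3.6-r4'

# split_atom cat/name-1.2.3-r4  ->  "cat/name 1.2.3-r4" (empty if unparsable)
split_atom() {
    printf '%s\n' "$1" |
        sed -n 's/^\(.*\)-\([0-9][0-9.]*\(-r[0-9][0-9]*\)\{0,1\}\)$/\1 \2/p'
}
# vercmp A B -> older|same|newer for A vs B (numeric x.y.z[-rN] only).
vercmp() {
    awk -v a="$1" -v b="$2" '
    function rev(v) { return match(v, /-r[0-9]+$/) ? substr(v, RSTART + 2) + 0 : 0 }
    BEGIN {
        ra = rev(a); rb = rev(b)
        sub(/-r[0-9]+$/, "", a); sub(/-r[0-9]+$/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        for (i = 1; i <= na || i <= nb; i++) {
            xi = (i <= na) ? x[i] + 0 : -1   # a missing component sorts lower
            yi = (i <= nb) ? y[i] + 0 : -1
            if (xi != yi) { print (xi < yi ? "older" : "newer"); exit }
        }
        print (ra == rb ? "same" : (ra < rb ? "older" : "newer"))
    }'
}
# Reads installed atoms on stdin; prints "name installed baseline status".
check_baseline() {
    installed=$(cat)
    printf '%s\n' "$BASELINE" | while read -r atom; do
        set -- $(split_atom "$atom"); name=$1 want=$2 found=0
        for have in $installed; do
            set -- $(split_atom "$have")
            [ "$1" = "$name" ] || continue
            found=1; echo "$name $2 $want $(vercmp "$2" "$want")"
        done
        [ "$found" -eq 1 ] || echo "$name - $want missing"
    done
}
printf '%s\n' "$SAMPLE_INSTALLED" | check_baseline
```

Packages reported as "older" are the ones to upgrade before switching profiles, and "newer" ones are where the message expects possible trouble.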