Re: [gentoo-hardened] Hardened laptop: am I nuts?

[John Eckhart]

I just verified that I am running hardened on a "multilib" system and the
multilib useflag is disabled (also of note, this machine serves about 10
vm's via vmware server, which is only 32-bit, so it definitely runs 32-bit
code):

> eix -I --installed-with-use multilib
No matches found.

> eix -I --installed-without-use multilib
[I] sys-devel/gcc
     Available versions:
        (2.95)  [P]*2.95.3-r9 [P]~*2.95.3-r10
        (3.1)   [P]*3.1.1-r2
        (3.2)   [P]**3.2.2 [P]*3.2.3-r4
        (3.3)   ~3.3.6-r1
        (3.4)   3.4.6-r2
        (4.0)   [M]~*4.0.3 [M]~*4.0.4
        (4.1)   [M]~4.1.0-r1 [M]4.1.1-r3 [M]4.1.2
        (4.2)   [M]~4.2.0 [M]~4.2.1 [M](~)4.2.2
        {altivec bootstrap boundschecking build d doc fortran gcj gtk
hardened ip28 ip32r10k java mudflap multilib multislot n32 n64 nls nocxx
nopie nossp objc objc++ objc-gc openmp static test vanilla}
     Installed versions:  3.4.6-r2(3.4)(15:26:26 11/06/07)(d fortran gcj gtk
hardened nls -altivec -bootstrap -boundschecking -build -doc -ip28 -ip32r10k
-multilib -multislot -n32 -n64 -nocxx -nopie -nossp -objc -test -vanilla)
     Homepage:            http://gcc.gnu.org/
     Description:         The GNU Compiler Collection. Includes C/C++, java
compilers, pie+ssp extensions, Haj Ten Brugge runtime bounds checking

[I] sys-libs/glibc
     Available versions:  (2.2)  [P]*2.2.5-r10 [P]2.3.2-r12 2.3.5-r3
2.3.6-r4 2.3.6-r5 [M]2.4-r4 2.5-r2 2.5-r3 2.5-r4 **2.5.1 ~2.6 2.6.1 ~2.7
        {build debug erandom gd glibc-compat20 glibc-omitfp hardened
linuxthreads-tls multilib nls nptl nptlonly pic profile selinux userlocales
vanilla}
     Installed versions:  2.6.1(2.2)(16:12:14 11/19/07)(hardened nls selinux
-debug -gd -glibc-omitfp -multilib -profile -vanilla)
     Homepage:            http://www.gnu.org/software/libc/libc.html
     Description:         GNU libc6 (also called glibc2) C library

Found 2 matches.

> emerge --info
Portage 2.1.3.19 (selinux/2007.0/amd64/hardened, gcc-3.4.6, glibc-2.6.1-r0,
2.6.23-pmp-r1 x86_64)
=================================================================
System uname: 2.6.23-pmp-r1 x86_64 Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz
Timestamp of tree: Wed, 05 Dec 2007 07:00:01 +0000
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -Os -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf
/etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=nocona -Os -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks loadpolicy metadata-transfer
parallel-fetch sandbox selinux sesandbox sfperms strict unmerge-orphans
userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo";
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times
--compress --force --whole-file --delete --delete-after --stats
--timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/vmware
/usr/portage/local/my_overlay"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X X509 acpi alsa amd64 avahi bash-completion berkdb bitmap-fonts
branding bzip2 cairo cdr cli cracklib crypt cups d dbus dri dvdr expat fam
firefox fortran gcj gdbm glitz gnome gpm gstreamer gtk gtkhtml hal hardened
hpn iconv ipv6 isdnlog java javascript jpeg keyring libnotify logrotate midi
mmx mng mozilla mudflap ncurses nfs nls nptl nptlonly nsplugin opengl openmp
pam pcre perl pic png pppd python readline reflection samba seamonkey
selinux session spl sqlite sqlite3 sse sse2 ssl tcpd tiff truetype
truetype-fonts type1-fonts unicode usb xcb xforms xml xorg xpm xprint
xulrunner xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x
ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel
intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate
route share shm softvol" APACHE2_MODULES="actions alias auth_basic
authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm
authz_default authz_groupfile authz_host authz_owner authz_user autoindex
cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter
file_cache filter headers include info log_config logio mem_cache mime
mime_magic negotiation rewrite setenvif speling status unique_id userdir
usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216
lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="i810 fbdev vesa
vga"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL,
LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS,
PORTAGE_RSYNC_EXTRA_OPTS


On Dec 5, 2007 1:05 PM, John Eckhart <[EMAIL PROTECTED]> wrote:

> I'm not convinced it's a problem with multilib. The multilib use flag is
> deprecated and hard masked in most profiles (in fact, it takes a fair bit of
> juggling and profile mangling to get it back on). I would hesitate to say
> that it's multilib at all. I have an AMD64 system at work which is running
> hardened sources with pax, I will have to see what profile it's using and if
> it has the "multilib" flag at all.
>
> It may not be hardened at all. I get ENOENT problems with filesystem
> corruptions, so I would recommend that you reboot with the livecd and fsck
> the partitions as well (it would at least be faster than a re-install).
>
>
> On Dec 5, 2007 12:32 PM, Grant <[EMAIL PROTECTED]> wrote:
>
> > > > > > No!  Is that the problem?  USE=multilib has no effect because
> > they are
> > > > > > all (-multilib).  Should I switch my profile from:
> > > > > >
> > > > > > /usr/portage/profiles/hardened/amd64
> > > > > >
> > > > > > to:
> > > > > >
> > > > > > /usr/portage/profiles/hardened/amd64/multilib
> > > > > >
> > > > > > ?
> > > > >
> > > > > khm, obviously if you want 32 bit apps on a 64 bit system you need
> >
> > > > > multilib... i wonder how you could even emerge the emul-* packages
> > > > > in that profile, it should not be allowed.
> > > >
> > > > Nice, at least this is solved (by you).  Is switching profiles
> > > > problematic or should I just switch the link and emerge world?
> > >
> > >
> > > Complete reinstall.
> >
> > Any other option whatsoever to get on multilib?
> >
> > - Grant
> > --
> > [EMAIL PROTECTED] mailing list
> >
> >
>