In terms of userland, non hardened profile doesn't protect you at all against buffer overflows, you are removing one important security layer. SSP protects you against buffer overflows in terms that the vulnerable application gets killed when the canary is modified before the execution of the arbitrary code. PIE protects you against return into libc attacks that doesn't need an executable stack. PaX is not perfect and needs them as complementary solutions. For example I think that RANDEXEC was removed from PaX time ago, one buffer overflow that uses return into libc attack could be succesfully against one non-hardened binary. Since skype is a network oriented software...
2008/12/25 Grant <[email protected]>: >> Hardened profiles: Yes there's a difference, no you should not switch to >> hardened/linux/${ARCH} at this time. > > Is hardened/x86/2.6 still available for new installations? My other > systems are amd64 but none of them list hardened/amd64/2.6. > >> You can get skype working by downloading or building gcc 4.1.x and pointing >> LD_LIBRARY_PATH at the shared object directory when starting skype. skype >> won't be using hardened toolchain but since its closed source and you're >> willing to switch the whole machine to non-hardened I figure you probably >> don't mind. ;) >> >> Example: >> 1. Download >> http://tinderbox.dev.gentoo.org/default-linux/x86/sys-devel/gcc-4.1.2.tbz2 >> 2. unpack the archive to ${HOME}/tinderbox-pkgs/sys-devel/gcc/ >> 3. Run it: >> LD_LIBRARY_PATH="${HOME}/tinderbox-pkgs/sys-devel/gcc/usr/lib/gcc/i686-pc-linux-gnu/4.1.2/" >> skype >> >> If you only require VoIP capability and not skype specifically you might be >> interested net-im/ekiga. > > Thank you very much for that, but I'm trying to simplify. You see, > I'm only a fake sysadmin. Does using a hardened kernel with a > non-hardened profile still offer good protection? > > - Grant > >>> > I've been able to do so; basically I switched over to the standard >>> > profile, disabled selinux in the kernel, and re-emerged system for new >>> > use flags. There were some other details but overall the process was >>> > pretty painless, anyone ambitious enough to configure a hardened system >>> > can probably handle the switch without much problem. Not that I'm >>> > encouraging you to drop hardened (especially on a laptop that could be >>> > exposed to random wifi networks ;-) >>> >>> Is there any difference between 1 and 8 here? Should I switch to 8? >>> >>> # eselect profile list >>> Available profile symlink targets: >>> [1] hardened/x86/2.6 * >>> [2] selinux/2007.0/x86 >>> [3] selinux/2007.0/x86/hardened >>> [4] default/linux/x86/2008.0 >>> [5] default/linux/x86/2008.0/desktop >>> [6] default/linux/x86/2008.0/developer >>> [7] default/linux/x86/2008.0/server >>> [8] hardened/linux/x86 >>> >>> - Grant >>> >>> >> Can I switch my laptop's profile from a hardened one to a non-hardened >>> >> one? I thought this was impossible without a complete reinstall but >>> >> folks on the gentoo-user list seem to think it's not a problem. >>> >> >>> >> - Grant > >
