Rumen Yotov wrote:
Hi,
On Wed, 13 Sep 2006 12:36:45 +0000 (UTC)
James <[EMAIL PROTECTED]> wrote:
Ryan Tandy <tarpman <at> gmail.com> writes:


Michael Crute wrote:
USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl
python readline"
You could omit "pic" here IIRC (on a hardened profile) "hardened"
includes -fpic -fpie CFLAGS, plus SSP in GCC-4.1.1 (a default).
If using a vanilla (desktop & server) profile you'll need 'pie' as well.
Maybe (if not using a hardened profile) you'll also need some LDFLAGS.
I have a question on this, why would a package have to use a pic USE flag if all that was needed was to compile with -fpic?

Ok,
So I'll test your suggestions. The more minimized the global flags are, the more secure the server.

+1
Could also check the flags in "hardened" profile.
Also, be careful using the hardened flag without running the
hardened profile.  The hardened profile masks out a couple of
packages and flags that don't work so well on a hardened system.
+1
Hmmmm,

Not sure I fully grasp what you mean by a 'hardened system'. If you
mean running a hardened kernel with only necessary software
installed, then yes, I run hardened kernels on most servers {dns,
web, mail, firewalls....}

If running a hardened system means more than that, please explain,
or point me to some docs.
Check hardened docs page on w.g.o, in short hardened means a kernel
with PaX (+ -fpie for packages) some sort of RBAC system - grsec, RSBAC
or SELinux and all user-land built with SSP,pic,pie (IMHO).
BTW, the flags with underscores in them (kernel_linux,
userland_GNU, elibc_glibc, video_cards_radeon and such) are known
as USE_EXPAND or expanded USE flags.
This is nice to know. I did not get the memo on this.
Any docs for further reading you can point me to?

...SKIP...
James
HTH.
Rumen
--
[email protected] mailing list
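
Added example, not part of the original thread: a small Python check for the two userland properties the messages above attribute to a hardened build, PIE (`-fpie`) and SSP. The helper names and the sample headers are constructed for this illustration; pass real binary paths on the command line to inspect them instead.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3  # e_type values from the ELF specification


def elf_type(data: bytes) -> int:
    """Return e_type from an ELF header, honouring the file's byte order."""
    if len(data) < 18 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[5] not in (1, 2):  # EI_DATA: 1 = little-endian, 2 = big-endian
        raise ValueError("unknown ELF data encoding")
    endian = "<" if data[5] == 1 else ">"
    return struct.unpack_from(endian + "H", data, 16)[0]


def hardening_report(data: bytes) -> dict:
    """Heuristic check for the two userland properties named in the thread."""
    return {
        # -fpie/-pie executables are ET_DYN; shared libraries are ET_DYN too.
        "pie": elf_type(data) == ET_DYN,
        # SSP-instrumented code references __stack_chk_fail; a binary with no
        # function that needed a canary will not, so absence is only a hint.
        "ssp": b"__stack_chk_fail" in data,
    }


def fake_elf(e_type: int, endian: str = "<", extra: bytes = b"") -> bytes:
    """Constructed 64-byte ELF64 header for the demo (not a real binary)."""
    ident = b"\x7fELF" + bytes([2, 1 if endian == "<" else 2, 1]) + bytes(9)
    return ident + struct.pack(endian + "H", e_type) + bytes(46) + extra


SAMPLE_HARDENED = fake_elf(ET_DYN, extra=b"\0__stack_chk_fail\0")
SAMPLE_VANILLA = fake_elf(ET_EXEC)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, hardening_report(fh.read()))
    else:
        print("hardened sample:", hardening_report(SAMPLE_HARDENED))
        print("vanilla sample: ", hardening_report(SAMPLE_VANILLA))
```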
