I think I've answered my own question:
On my system, gzip is the only package that contains the pic USE flag.
Looking at the ebuild, the pic USE flag is used to tell the system not
to use the assembler code optimizations.
Presumably, assembler code can't be relocated.
Thanks,
Brian
Brian Davis wrote:
Rumen Yotov wrote:
Hi,
On Wed, 13 Sep 2006 12:36:45 +0000 (UTC)
James <[EMAIL PROTECTED]> wrote:
Ryan Tandy <tarpman <at> gmail.com> writes:
Michael Crute wrote:
USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl
python readline"
You could omit "pic" here IIRC (on a hardened profile) "hardened"
includes -fpic -fpie CFLAGS, plus SSP in GCC-4.1.1 (a default).
If using a vanilla (desktop & server) profile you'll need 'pie' as well.
Maybe (if not using a hardened profile) you'll also need some LDFLAGS.
I have a question on this, why would a package have to use a pic USE
flag if all that was needed was to compile with -fpic?
Ok,
So I'll test your suggestions. The more minimized the global flags
are, the more secure the server.
+1
Could also check the flags in "hardened" profile.
Also, be careful using the hardened flag without running the
hardened profile. The hardened profile masks out a couple of
packages and flags that don't work so well on a hardened system.
+1
Hmmmm,
Not sure I fully grasp what you mean by a 'hardened system'. If you
mean running a hardened kernel with only necessary software
installed, then yes, I run hardened kernels on most servers {dns,
web, mail, firewalls....}
If running a hardened system means more than that, please explain,
or point me to some docs.
Check hardened docs page on w.g.o, in short hardened means a kernel
with PaX (+ -fpie for packages) some sort of RBAC system - grsec, RSBAC
or SELinux and all user-land build with SSP,pic,pie (IMHO).
BTW, the flags with underscores in them (kernel_linux,
userland_GNU, elibc_glibc, video_cards_radeon and such) are known
as USE_EXPAND or expanded USE flags.
This is nice to know. I did not get the memo on this.
Any docs for further reading you can point me to?
...SKIP...
James
HTH.
Rumen
--
[email protected] mailing list
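The thread turns on three build properties: whether a binary was linked as PIE (the -fpie/pie side of the hardened profile), whether it still contains non-relocatable code (the reason gzip's pic USE flag switches its assembler off), and whether it was built with SSP. The script below is an added example for this thread, not Gentoo tooling or anything from the posters; it reads the ELF64 header and .dynamic section directly so it needs no readelf. It assumes a little-endian ELF64 input, treats any ET_DYN object as "PIE" (shared libraries match too, so interpret that field in context), reports text relocations from DT_TEXTREL or the DF_TEXTREL bit of DT_FLAGS, and uses the presence of the __stack_chk_fail string as a heuristic for SSP. build_sample_elf makes a constructed minimal fixture so the checks can be exercised offline.

```python
"""Check an ELF64 binary for PIE, text relocations and SSP references.
Added example for the Gentoo hardened/USE-flag thread; not project code."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3            # e_type: fixed-address executable vs. PIE/shared object
SHT_DYNAMIC = 6                   # section type of .dynamic
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 16, 30
DF_TEXTREL = 0x4                  # bit in DT_FLAGS meaning "has text relocations"


def _section_headers(data):
    """Yield (sh_type, sh_offset, sh_size) for every section header."""
    e_shoff, = struct.unpack_from("<Q", data, 40)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 58)
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        sh_type, = struct.unpack_from("<I", data, off + 4)
        sh_offset, sh_size = struct.unpack_from("<QQ", data, off + 24)
        yield sh_type, sh_offset, sh_size


def inspect_elf(data):
    """Return {'pie', 'textrel', 'ssp'} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here (assumption)")
    e_type, = struct.unpack_from("<H", data, 16)
    textrel = False
    for sh_type, sh_offset, sh_size in _section_headers(data):
        if sh_type != SHT_DYNAMIC:
            continue
        # .dynamic is an array of (d_tag, d_val) pairs terminated by DT_NULL
        for off in range(sh_offset, sh_offset + sh_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                textrel = True   # non-PIC code that the loader must patch in place
    return {
        "pie": e_type == ET_DYN,                 # heuristic: shared libs are ET_DYN too
        "textrel": textrel,
        "ssp": b"__stack_chk_fail" in data,      # heuristic: SSP canary failure handler
    }


def build_sample_elf(e_type, dyn_entries, extra=b""):
    """Constructed fixture: header + .dynamic + two section headers (null, dynamic)."""
    dyn = b"".join(struct.pack("<qQ", tag, val) for tag, val in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64                       # .dynamic follows the 64-byte ELF header
    shoff = dyn_off + len(dyn)         # section header table follows .dynamic
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian
    hdr = ident + struct.pack("<HHIQQQIHHHHHH",
                              e_type, 62, 1, 0, 0, shoff, 0, 64, 56, 0, 64, 2, 0)
    null_sh = b"\0" * 64
    dyn_sh = struct.pack("<IIQQQQIIQQ",
                         0, SHT_DYNAMIC, 0, 0, dyn_off, len(dyn), 0, 0, 8, 16)
    return hdr + dyn + null_sh + dyn_sh + extra


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(inspect_elf(fh.read()))
```

Run it as `python3 elfcheck.py /path/to/binary`. On a hardened profile the expectation is pie=True and textrel=False for executables; a True textrel on a package such as gzip is the signal that its assembler path was built in without the pic USE flag.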