On Sun, 2009-04-19 at 20:59 -0400, basile wrote: > Mansour Moufid wrote: > > On Sun, Apr 19, 2009 at 9:44 AM, Thomas Sachau <to...@gentoo.org> wrote: > > > >> basile schrieb: > >> > >>> Hi, a have a couple of question is for Gordon and Nedd regarding > >>> rebuilding an entire desktop system with emerge -e world, both amd64 and > >>> i686. I'm mostly worried about the security implications of the > >>> choices I'm making and I'm not 100% sure of my understanding. > >>> > >>> 1) Regarding choice of compiler. gcc-config -l gives > >>> > >>> [1] x86_64-pc-linux-gnu-3.4.6 > >>> [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie > >>> [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp > >>> [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp > >>> [5] x86_64-pc-linux-gnu-3.4.6-vanilla > >>> [6] x86_64-pc-linux-gnu-4.1.2 > >>> > >>> My understanding is that [1] is fully hardened and that [2]-[5] are > >>> exactly what they say, respectively no pie, no pie nor ssp, no ssp and > >>> fully vanilla. My confusion is about 4.1.2. What hardening is present > >>> in it? (Did some hardening which wasn't present in gcc-3 make it to > >>> gcc-4 vanilla?) What's the best practice here? > >>> > >> You are right with gcc-3.4.6-r2. How did you install gcc-4? It should be > >> masked as that version does > >> not have any builtin hardened features, so is only a normal, none-hardened > >> gcc-4.1.2 > >> > > > > This can happen when using a non-hardened stage3 tarball during the > > install, then switching to the hardened profile later. > > > > I've noticed it's not immediately clear where to get hardened stages > > in the documentation. For those wondering, the mirror URL can be found > > in the topic on #gentoo-hardened, i.e.: > > http://gentoo.osuosl.org/releases/${ARCH}/2008.0/stages/hardened/ > > > > > > I followed a variation of the upgrade process discussed here: > > http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml > > The differences are I used binutils-2.18 and glibc-2.8_p20080602-r1 > > I understand that its a VERY EARLY draft, but it proceeded without any > problems on both i686 and amd64. I'm pretty sure I didn't loose PIE, > but I'm not so sure about SSP. I'm playing around now with > -fstack-protector-all in my CFLAGS. > > > >>> 2) Regarding the choice of profiles on amd64. I have > >>> > >>> [6] hardened/amd64 > >>> [7] hardened/amd64/multilib * > >>> [10] hardened/linux/amd64 > >>> > >>> I'm using the multilib and I'm wondering what the security implications > >>> of this decision. Also, should I be thinking about the newer [10] on > >>> amd64? What about the similar choice on i686? > >>> > >>> Thanks guys. > >>> > >>> > >> What security implications should be there? > >> The newer [10] is still experimental and may change without warning. Use > >> either [6] or [7] for now. > >> > >> -- > >> Thomas Sachau > >> > >> Gentoo Linux Developer > >> > >> > I remember reading about lots of security bugs with emulating > libraries. I just googled for it to remind myself. So I'm wondering > whether profile 6 is better than 7.
Either is fine. [6] might be better for a server where space is a concern. better for extreme paranoia. [7] is the only real choice if you plan to use X at all. If you were on #10 then it's best to switch to #7 also. # to update the installed gcc:4.x also. ACCEPT_KEYWORDS="*~" emerge -pvq gcc
