Hi!
Am I right that the only way to have TV-out working on my Radeon 9800 Pro is:
gcc-config 5 && source /etc/profile # switch to vanilla gcc
cd /usr/src/linux && make && ...# recompile 2.6.11-hardened-r13
# with vanilla gcc
Hi!
On Fri, Jun 03, 2005 at 12:37:09PM +0100, [EMAIL PROTECTED] wrote:
> why don't you describe the failure in more detail instead? without
> having any specific info it's kinda hard to tell why a hardened xorg
> and tv-out fail.
Because I think this issue is well-known. Here is a quote from
http
Hi!
On Fri, Feb 24, 2006 at 11:37:08AM +0100, Daniel Struck wrote:
> "*Kernel-Guard:* It is a sort of rootkit, that prevents anyone including
> root from loading or unloading modules"
>
> Is it wise to run this "kernel-guard"
> (http://www.informatik.uni-freiburg.de/~alsbiha/code.htm)?
>
>
Hi!
On Sat, May 06, 2006 at 09:35:59PM +0200, Jan V wrote:
>The gentoo-hardened mailing list is not able to support users. Here
>mostly physicians and math-specialists are posting, known as devs. We
>need a mailing list, where people without your capabilities but that
>still want t
Hi!
On Sun, May 07, 2006 at 12:28:40AM -0400, Kevin wrote:
> If I wanted all four of the Xen/SELinux/PaX/GRSecurity patch sets
> incorporated into a kernel, any recommendations for doing this?
AFAIK hardened-sources already contain SELinux+PaX+GRSecurity.
--
WBR, Alex.
-
Hi!
On Mon, May 08, 2006 at 07:26:54PM -0400, Ned Ludd wrote:
> > * How do I make a policy?
> > * Are there reference policies? In that case, where can I get them?
> > * How do I check a policy for correctness?
> > * Where can I find more documentation (I found more documentation on
> > the kernel
Hi!
On Sat, May 13, 2006 at 10:41:11PM +0200, Peter S. Mazinger wrote:
> I have some "predefined policies" but I haven't ever tested them in a
> pure gentoo environment (I do not use gentoo in "production environment"),
> if you want them as startup and will provide the gentoo counterparts, I
>
Hi!
As [EMAIL PROTECTED] says, discussion about this bug probably should be
moved into the hardened maillist:
Clear-Text: http://bugs.gentoo.org/show_bug.cgi?id=134620
Secure: https://bugs.gentoo.org/show_bug.cgi?id=134620
>>>
I think a quick dirty fix can be as simple as:
---/etc/portage/bashrc:---
Hi!
On Sun, Jun 18, 2006 at 12:01:36AM +0200, [EMAIL PROTECTED] wrote:
> imho, this is the only proper solution, any external management is
> misplaced for a simple reason: PaX flags are not a matter of policy
> (not up to an arbitrary human decision), they simply reflect what
> the given applicat
Hi!
On Fri, Jun 30, 2006 at 01:08:10PM +0200, [EMAIL PROTECTED] wrote:
> > Heads up to nvidia users... If you use nvidia-glx and a hardened profile
> > it's going to be package.masked
> does it have to be that drastic? how about CONFIG_CHECK="~PAX_NOELFRELOCS"
> in the ebuilds?
I think users shou
Hi!
AFAIK it's a bad idea to have a linux-headers version greater than *-sources.
Latest stable/x86 version of sys-kernel/hardened-sources is 2.6.16-r11.
Latest stable/x86 version of sys-kernel/linux-headers is 2.6.17-r1.
Maybe it's a good idea to mask it in the hardened profile until hardened-sources
2.
Hi!
On Thu, Oct 05, 2006 at 05:49:40PM +0200, Darknight wrote:
> I should have mentioned this important bit: I'm still with old glibc and gcc
> so I can switch, I need to understand if it's a bad gamble or completely
> safe.
I think it's safe. I've converted all my servers to hardened some time
Hi!
On Thu, Oct 05, 2006 at 06:07:54PM +0200, Darknight wrote:
> I've "dropped" hardened source due to lack of time to learn and properly
> activate their features... It's on todo list... :)
Check the archives of this maillist. I've posted here my configuration for
kernel's hardened features some ti
Hi!
What about subj in hardened-sources? Is it possible to add a newer
hardened kernel into portage (looks like 2.6.19-rc has support for subj
and probably 2.6.18.1 too) _OR_ backport patches into the current
hardened-sources? I'd prefer to install ~x86 hardened-sources rather than just
stop using hardened-s
Hi!
I've just upgraded from Barton 3000 to Core 2 Duo 6600.
AFAIK this means I should switch from
[*] Segmentation based non-executable pages
to
[ ] Paging based non-executable pages
Is this correct? (I've enabled 'NX bit' feature in BIOS.)
Are any other changes required (I've set 'Proc
Hi!
I've just tested 3 configurations (the test was: `make clean; time make bzImage`).
First test:
> [ ] Paging based non-executable pages
> [*] Segmentation based non-executable pages
Second test:
> [*] Paging based non-executable pages
> [ ] Segmentation based non-executable pages
Third tes
Hi!
On Tue, Jan 09, 2007 at 10:56:02AM -0500, Kwon wrote:
> Just did the following to upgrade a system that was built about 6-9 months
> ago:
>
> emerge --sync && emerge os-headers glibc binutils gcc && emerge os-headers
> glibc binutils gcc && emerge -e system && emerge -e system && emerge -uD
Hi!
On Tue, Jan 09, 2007 at 09:22:29PM -0500, Kwon wrote:
> ># Recommended: cleanup your "packages" directory (usually
> ># /usr/portage/packages/) before continue to avoid installing wrong
> ># packages using -k by accident.
> By "cleanup", do you mean to "delete" what I don't need?
Hi!
On Wed, Feb 14, 2007 at 05:09:22PM +0100, "Tino M?ller" wrote:
> I have trouble setting up Hardened Gentoo. I've tried several ways, read a
> dozen posts in forums and the fine documentation, but to no avail.
>
> I did the following (step by step, short form):
Please check your profile:
#
Hi!
Does anybody know when hardened-sources 2.6.19 or 2.6.20 will be unmasked?
--
WBR, Alex.
--
gentoo-hardened@gentoo.org mailing list
Hi!
On Sun, Jun 17, 2007 at 04:39:59PM +0200, Adam Lantos wrote:
> a full recompile might be a good idea, but
>
> mysql,openldap & glibc-2.4 nptlonly worked well
> mysql,openldap & glibc-2.5 -nptl works well now
> mysql,openldap & glibc-2.5 nptlonly won't work
I don't use LDAP, but I'm using My
Hi!
AFAIK it's not a good idea to have linux-headers newer than the kernel.
Maybe it makes sense to mask linux-headers newer than the current kernel in the
hardened profile?
--
WBR, Alex.
--
[EMAIL PROTECTED] mailing list
Hi!
On Mon, Nov 26, 2007 at 05:52:33PM +0500, Алексей Лесовский wrote:
> (38)Function not implemented: mod_rewrite: could not create
> rewrite_log_lock
> [emerg] (38)Function not implemented: Couldn't create accept lock
I think this issue isn't related to hardened. We can discuss it in
gentoo-
Hi!
On Tue, Nov 27, 2007 at 09:15:43AM +0500, Алексей Лесовский wrote:
> I haven't this problem on normal (not hardened) gentoo
Probably your non-hardened and hardened systems have other differences too.
--
WBR, Alex.
--
[EMAIL PROTECTED] mailing list
Hi!
I've noticed two issues with flashplayer plugin:
1) if there is more than one flash applet on a page - only one will work, the others
will show a gray box; the same is true if two websites are open in different Opera
tabs, both containing a flash applet, and only one of them will work
(maybe this issue relate
Hi!
On Thu, Nov 29, 2007 at 11:26:00PM +0200, [EMAIL PROTECTED] wrote:
> 1. your exact kernel version + .config
2.6.20-hardened-r10, .config attached
> 2. all PaX logs (if grsec removed address info, disable randomization
>and reproduce them that way)
If you will not be able to reproduce th
Hi!
On Fri, Nov 30, 2007 at 01:07:05AM +0200, [EMAIL PROTECTED] wrote:
> thanks, you could upgrade to a newer kernel eventually, .20 hasn't been
> supported for a long time and i fixed bugs since (unrelated to the current
> issue though).
Latest "stable" in portage now is 2.6.22-hardened-r8. I re
Hi!
On Wed, Dec 05, 2007 at 10:33:18AM -0800, Ned Ludd wrote:
> No.. You must reinstall as I said already.
> Also the "multilib" USE flag is moot. It was replaced long ago by
> profile defines. It exists afaik for legacy reasons.
Huh... Can you please make it 100% clear?
If somebody has any 64-b
Hi!
On Wed, Dec 05, 2007 at 11:39:04AM -0800, Ned Ludd wrote:
> I already made it 100% clear! You can not upgrade cleanly unless you do
> a lot of work. far more work than any gentoo dev in his right mind will
> tell you or suggest. In short. IT DOES NOT WORK! It's never worked. The
> amd64 team d
Hi!
Try this one:
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
and read `man iptables`, paragraph "TCPMSS" for description of this issue.
P.S. Looks like your question is off-topic in this maillist, probably you
should use gentoo-server@ for such questions.
--
Hi!
On Wed, Feb 06, 2008 at 10:24:20AM +0500, Алексей Лесовский wrote:
> Hello all. and Sorry my English
Please post more information. We need the error message text, and please
attach your kernel's .config file.
> I think the point is that the CPU is dual-core, because I never ran into this before on
> single-core
Hi!
On Tue, Feb 12, 2008 at 08:27:21AM +0100, Natanael Copa wrote:
> Attached is a slightly modified version of the exploit that should
> compile for you. (uses sysconf(_SC_PAGE_SIZE) rather than PAGE_SIZE from
> asm/page.h)
Actually, such mistakes in exploits exist just to prevent it
c
Hi!
On Sun, Feb 24, 2008 at 06:15:22AM -0800, Grant wrote:
> Are a hardened profile, kernel, and related USE flags beneficial on a
> machine on which only I log in and no ports are open?
If you open a website, or download and run an mp3, or download and open an .xls,
etc. - do any action which results in
Hi!
On Sat, Mar 08, 2008 at 08:16:43AM +, Hieu, Luu Danh wrote:
> Well I guess lesson learned from this is that be careful about openssh
> when it's a remote machine :) I once had this problem with a dedi
> server (though I was lucky that I had znc still open, and that it had
> a "shell" modul
Hi!
Several days after upgrading to 2.6.25-hardened-r4 my workstation hung.
That was a 100% hang - the system was not accessible from the network, no
information in logs or on the console (the usual X desktop was on the monitor).
At that time I was on vacation, so I noticed this and rebooted the system several
days later.
Hi!
Can you please explain to me what these records in my logs mean?
2008-09-27_11:35:55.93144 kern.alert: grsec: From 78.53.3.223: denied
resource overstep by requesting 180883456 for RLIMIT_STACK against limit
8388608 for /bin/cat[cat:10111] uid/euid:81/81 gid/egid:81/81, parent
Hi!
On Sat, Sep 27, 2008 at 03:42:33PM +0300, Alex Efros wrote:
> Can you please explain to me what these records in my logs mean?
>
> 2008-09-27_11:35:55.93144 kern.alert: grsec: From 78.53.3.223: denied
> resource overstep by requesting 180883456 for RLIMIT_STACK a
Hi!
On Mon, Sep 29, 2008 at 05:46:28PM +0200, Javier Martínez wrote:
> I think it's not a good idea to do what you have done, people answer
> questions if they know the answer and they want to do it (and have
> time to do so). Please think that you didn't pay anybody to demand
> nothing.
I under
Hi!
On Mon, Sep 29, 2008 at 06:10:00PM +0200, Javier Martínez wrote:
> PD: to see why the stack grows so much you can only pass gdb to the
> binary itself, as you can suppose I can't know why it happens to you.
While trying to strace I got a smaller example which has the same effect - it
generates grs
Hi!
On Mon, Sep 29, 2008 at 06:46:18PM +0200, [EMAIL PROTECTED] wrote:
> maybe it's because of what you said:
> > I've no idea why grsec complain in logs about it.
> at this point it's clear that you didn't quite read the description of
> GRKERNSEC_RESLOG which is what you've apparently enabled. i
Hi!
On Tue, Sep 30, 2008 at 12:29:09AM +0100, Adam James wrote:
> What's the output of `strace perl -e 'exec "/bin/pwd"' 2>&1 \
> |grep -i rlimit`?
>
> Also try invoking perl with `env -i` to rule out any environment issues.
Results are the same, with and without `env -i`:
$ env -i strace /usr/bin/
Hi!
On Sun, Sep 21, 2008 at 11:10:05AM -0700, Gordon Malm wrote:
> > Several days after upgrading to 2.6.25-hardened-r4 my workstation hung.
> > That was a 100% hang - the system was not accessible from the network, no
> > information in logs or on the console (the usual X desktop was on the monitor).
> >
> > That ti
Hi!
On Sat, Nov 08, 2008 at 11:13:47PM +0200, [EMAIL PROTECTED] wrote:
> is overstepped, the given process should get a segfault on all execution
> paths that i checked yet it clearly hasn't happened according to the strace.
yeah
> so that leaves one option open, some bug/misreporting by grsec (or
Hi!
On Sat, Nov 08, 2008 at 11:55:05PM +0200, [EMAIL PROTECTED] wrote:
> hmm that's a bit too old kernel for us, can you try your .config with a more
> recent one, preferably .27.5 that spender just put up on his test page? what
I've tried sys-kernel/vanilla-sources-2.6.27.5 with (separately) bot
Hi!
On Mon, Nov 10, 2008 at 12:31:17PM +0100, [EMAIL PROTECTED] wrote:
> Question is: do you use a hardened toolchain pie-ssp enabled, or a
> regular? It would be interesting to test it using a non-hardened userland
> with a grsec-enabled kernel...
I use the hardened toolchain, but it's easy to test
Hi!
On Mon, Nov 10, 2008 at 07:13:52AM +0100, [EMAIL PROTECTED] wrote:
> It would be good from Alex to provide his recipe for me to try out.
This one doesn't trigger it on your system?
for i in $(seq 1 10); do perl -e 'exec @ARGV' /bin/pwd; done
Can you show your cron job then?
--
Hi!
On Tue, Nov 25, 2008 at 05:00:45PM +0200, Jan Klod wrote:
> Suppose, I want to take some extra precautions and set up PaX&co and MAC on a
> workstation with Xorg and other nice KDE apps (only some of which should be
> granted access to files in folder X). I would like to read others' opinions,
Hi!
On Tue, Nov 25, 2008 at 06:39:26PM +0200, Jan Klod wrote:
> Could you post a list of apps, that need PaX lifted?
Most of this is already done by portage when emerging apps, so you rarely
need to do this manually. A few examples that come to my mind are operawrapper for
running complex Flash/Flex applica
Hi!
On Tue, Nov 25, 2008 at 09:51:09PM +0100, Javier Martínez wrote:
> Benchmarks are very relative, one RSBAC system logging all
> READ/READ_OPEN requests made (granted or not) is something like a
> turtle. They depend on how you configured your system.
Yeah, that's true, I forgot about RSBAC-li
Hi!
On Tue, Nov 25, 2008 at 09:02:58PM -0500, 7v5w7go9ub0o wrote:
> I run the "old" hardened toolchain, grsecurity-enhanced hardened kernel,
> rbac control, and jails for anything that accesses the LAN/WAN.(heh... I
> even chroot and kill dhcpcd after 5 seconds). Avira has hundreds of Linux
> roo
Hi!
It's ~6am here and I'm too tired to file new bugs, I wanna sleep a little first.
While in general the Gentoo "stable" branch is very stable, shit always happens.
This time it was the upgrade from 2.6.26-hardened-r9 to 2.6.27-hardened-r8.
First issue: many perl scripts (including FastCGI servers) fa
Hi!
On Fri, Mar 06, 2009 at 05:57:18AM +0200, Alex Efros wrote:
> For now I just rolled back to the previous kernel (I think that will be more
> secure than paxctl -m for apache, plus I'm afraid the new kernel may do other
> nasty things too).
>
>
> Resume: this upgrade kills both perl and
Hi!
On Fri, Mar 06, 2009 at 09:15:36AM +0200, pagee...@freemail.hu wrote:
> two things i'd like you to try:
>
> 1. 2.6.28.7 and PaX alone
> 2. get coredumps and analyze them for the usual things, to see why the
> segfaults
>occured. if that doesn't point to anything, maybe try an strace as w
Hi!
On Fri, Mar 06, 2009 at 07:28:17PM +0200, pagee...@freemail.hu wrote:
> it's always the latter ;), i need to make sure it's a PaX problem.
Ok. With this kernel, using pax-linux-2.6.28.7-test19.patch, I was able to
reproduce issues with apache/php/{ioncube,zendoptimizer} and perl module
Math::
Hi!
On Fri, Mar 06, 2009 at 11:12:59PM +0200, pagee...@freemail.hu wrote:
> ah crap, i know what it is. it's a several years old glibc bug where someone
> put a certain variable into the RELRO segment but forgot that it'll be written
> to later when a library with RWE GNU_STACK is loaded. the work
Hi!
On Fri, Mar 06, 2009 at 03:25:16PM -0800, Ned Ludd wrote:
> FYI.. PaX Team maintains the PaX kernel and has little control over what
> fixes go into the "next" hardened-sources. Also seems to me a little
> strange that the PaX Team would have to put a work-around in the kernel
> for a bug in g
Hi!
On Sun, Mar 22, 2009 at 11:53:07AM -0700, Gordon Malm wrote:
> To attain sha512 shadow password hash capability one must:
> 1. Upgrade to >=sys-libs/glibc-2.8
> 2. Compile (+install) >=sys-libs/pam-1 against >=sys-libs/glibc-2.8
> 3. Compile (+install) >=sys-auth/pambase-20081028 with USE="
Hi!
On Wed, Mar 25, 2009 at 06:21:30AM +0200, Alex Efros wrote:
> > # fgrep '$1$' /etc/shadow
> According to that fgrep command it looks like I've already used sha512
Sorry, just ignore me, everything is ok. :)
--
WBR, Alex.
Hi!
On servers I build the kernel without module support. But on a workstation it's
impossible to avoid using kernel modules: vmware-modules, nvidia-drivers...
I usually load the required modules during boot and then do in /etc/sysctl.conf:
kernel.grsecurity.disable_modules = 1
kernel.grsecurity.g
Hi!
subj. the same kernel with GrSecurity&PaX switched off boots ok.
more details: http://bugs.gentoo.org/show_bug.cgi?id=264617
does anybody have an idea which options in GrSecurity/PaX _MAY_ trigger that
behaviour, or do I have to try switching on/off all of them, one by one? :(
--
WBR,
Hi!
switching off CONFIG_PAX_MPROTECT solves this issue
Now I'll try paxctl -m for /bin/bash and /sbin/runit-init (with
CONFIG_PAX_MPROTECT switched on, of course)... yeah, that solves this
issue too.
So, now we have a very strange situation: PaX requires -m for process N1.
This isn't related to m
Hi!
On Thu, Apr 02, 2009 at 09:37:09AM -0600, RB wrote:
> I question whether your configurations are *precisely* the same. If I
> had to guess (and I do), I'd guess that the system in question wasn't
> wholly built with the -hardened toolchain.
Yesterday the servers were upgraded to sys-libs/glibc-2.
Hi!
Also, I've just compared the runit-init & bash binaries on both servers.
Here are the results from the server with this issue:
# for i in /bin/bash /sbin/runit-init; do ls -l $i; md5sum $i; paxctl -v
$i; done
-rwxr-xr-x 1 root root 858476 2009-04-01 23:44 /bin/bash
1f217dcd279f9105ecb0ffd8b5e1d1
Hi!
On Thu, Apr 02, 2009 at 07:36:18PM +0300, Alex Efros wrote:
> - servers should be the same, at least we bought them both as "HP ProLiant DL140 G3"
> and they both have the same BIOS version "1.14 08/13/07" so I suppose they
> should be the same unless some hardware is broke
Hi!
On Thu, Apr 02, 2009 at 12:54:45PM -0600, RB wrote:
> PaX. The memory management changes it provides in combination with
> the memory management changes introduced in 2.6.28 could well
> exacerbate existing issues in a RAM module that weren't being
> triggered previously.
Yeah, that's true.
Hi!
On Thu, Apr 02, 2009 at 11:17:10PM +0200, pagee...@freemail.hu wrote:
> can you strace bash/etc to see what happens? probably we'll see what runs
how can I strace process N1?
PaX doesn't kill bash if it is not executed as process N1.
> against the MPROTECT restrictions. my guess is either tex
Hi!
On Fri, Apr 03, 2009 at 12:43:26AM +0200, pagee...@freemail.hu wrote:
> hmm, i don't get it. are you saying that with MPROTECT enabled in the
> kernel, bash fails to start when run as init, but works otherwise?
>
> hmm, so nothing stands out, and only pid=1 is ever affected? i've never seen
>
Hi!
On Fri, Apr 03, 2009 at 08:50:37AM +0200, pagee...@freemail.hu wrote:
> ok, can you add a printk into mm/mmap.c:mmap_region and print out all the
> arguments? that will show us at least what the kernel intended to mmap
> during execve. something like:
>
> printk("f:%p a:%0lx l:%0lx f:%0lx v:%
Hi!
On Thu, Apr 09, 2009 at 09:07:39AM -0700, Grant wrote:
> I seem to need to remember to paxctl -m the firefox binary whenever I
> upgrade firefox. This inevitably leads to a browser crash and lost
> time/info. Can I set up paxctl -m to persist, even if firefox is
> upgraded?
Put this into yo
Hi!
On Thu, Apr 09, 2009 at 07:14:11PM +0300, Alex Efros wrote:
> and create executable shell script in that dir: mozilla-firefox-bin.postinst
> ---cut---
> #!/bin/bash
> ewarn "Running chpax -m /opt/firefox/firefox-bin to avoid crash on flash!"
> chpax -m /opt/firefox/fi
Hi!
On Fri, Apr 10, 2009 at 11:35:36AM +0800, Pavel Labushev wrote:
> A simple cron job or slightly-less-simple RBAC policy can do the trick.
> There's no need to mess with portage, imho.
A cron job is just a waste of time (this is a one-time task after installing a
package, not a once-per-minute task) and
Hi!
Today I found the server nearly unresponsive (loadavg around 30, ssh typing speed
around a few chars per second). It looks like nearly all processes (very
different ones) each eat 3-5% CPU, with top reporting about 95% CPU spent
in "system" (i.e. not "user" or "wait"). At a glance it looks like the kernel
Hi!
On Thu, May 13, 2010 at 09:10:47PM +0200, Javier Juan Martínez Cabezón wrote:
> Why do you think it is a PaX bug? It seems that PaX REFCOUNT is doing its
> homework.
I've no idea whether it's a PaX bug - that's why the subject line is "PaX bug?" instead
of "PaX bug!!!". :)
> Maybe I'm wrong (to the boss, p
Hi!
On Sat, May 15, 2010 at 12:37:58PM +0300, Constantine Kardaris wrote:
> add "anarchy" overlay
Hmm. So, what is the recommended way to run a reliable and secure server and/or
workstation today?
- use the stable x86 kernel from main portage, which is the outdated .28 without
support from the PaX/GrSec team?
-
Hi!
While discussing the inability to run 64-bit VMware guests on a 32-bit Gentoo
Hardened host I got a reply: it's because of a GrSec/Pax bug related to the
"way that vmap(..., VM_PAGE_KERNEL_EXEC) may map a page as
non-executable, despite the flag requesting an executable mapping":
http://communi
Hi!
On Fri, Jul 09, 2010 at 12:15:36AM +0200, pagee...@freemail.hu wrote:
> so in general .32+ should work, as far as this problem is concerned.
> unfortunately
> i couldn't find a working ebuild for vmware 7 yet, so i can't tell if
> there're more
> problems or not.
it's in layman's "vmware" o
Hi!
I've just upgraded to 2.6.32, thanks to hardened team!
At a glance everything is fine, except one thing: I'm unable to find the
feature "Runtime module disabling" (CONFIG_GRKERNSEC_MODSTOP).
There is a new "Harden module auto-loading" (CONFIG_GRKERNSEC_MODHARDEN)
feature, but it looks very different.
Hi!
On Thu, Jul 22, 2010 at 01:42:07PM +0200, "Tóth Attila" wrote:
> However /proc/sys/kernel/modules_disabled is still there. That's why my
> init script hadn't complained.
Hmm. Previously it was /proc/sys/kernel/grsecurity/disable_modules.
That's why my init script had complained. :)
But looks
Hi!
On Fri, Apr 03, 2009 at 02:04:31AM +0300, Alex Efros wrote:
> To resume, what we've now:
>
> Fact 1: previous kernel (2.6.27-hardened-r8) doesn't hang
> Fact 2: kernel hang after "Freeing unused kernel memory:"
> * so I suppose it failed to start p
Hi!
On Sat, Oct 23, 2010 at 03:21:45PM +0300, Alex Efros wrote:
> This just happens again: after upgrade from 2.6.32-hardened-r9 to
> 2.6.32-hardened-r22 kernel hangs after "Freeing unused kernel memory:".
> With init=/bin/bash it boots ok (bash flags: ---x-e--).
> With
Hi!
On Sat, Oct 23, 2010 at 07:15:19PM +0200, pagee...@freemail.hu wrote:
> can you boot the machine then paxctl -zex /sbin/runit-init (or a copy
> of it) then strace it and post the logs? also what's the kernel .config
> on these machines like (PAE and PaX at least)?
No, I don't think so. /sbin/
Hi!
Here is one more issue related to this kernel upgrade. This issue happens
not only on these 4 servers, but even on my home workstation. This command:
$ python2.6 -c 'from twisted.web import static'
works ok on kernel 2.6.32-hardened-r9 and segfaults on 2.6.32-hardened-r22
(you may need to
Hi!
On Mon, Oct 25, 2010 at 10:14:01AM +0800, Pavel Labushev wrote:
> > Upgrading to python-2.6.6-r1 should fix this. You'll also need to
> > upgrade portage to 2.1.9.x.
> >
> > See http://bugs.gentoo.org/show_bug.cgi?id=329499
>
> No, 2.6.6-r1 breaks things another way, see my last comments on
Hi!
On Wed, Dec 08, 2010 at 11:37:28PM -0500, Anthony G. Basile wrote:
> I need to fast track stabilize hardened-sources-2.6.32-r30 and
> hardened-sources-2.6.36-r5 because of a local root exploit on all
> earlier kernels. The ebuilds just hit the tree.
While trying to build hardened-sources-2.6
Hi!
I've successfully compiled and booted 2.6.36-hardened-r5 on X86 with this
in /etc/portage/package.keywords:
=app-emulation/vmware-modules-238.3
=app-emulation/vmware-workstation-7.1.3.324285
=x11-libs/libview-0.6.6
=x11-drivers/nvidia-drivers-260.19.26
=media-video/nvidia-set
Hi!
On Sun, Jan 09, 2011 at 03:55:14PM +0100, "Tóth Attila" wrote:
> What would you guys suggest to test the system with besides emerging
> qt-gui? Is there any memtest equivalent for checking the CPU?
You can try app-benchmarks/cpuburn. It's not a memtest equivalent, of
course, but it may help yo
Hi!
On Fri, Feb 11, 2011 at 06:10:52PM -0500, Anthony G. Basile wrote:
> >> I don't think there are any issues with it. The only argument I know of
> >> is that it increases the attack surface for a feature that 0% + epsilon
> >> of people use.
> > Tests done by a colleague show that, right now, t
Hi!
I'm using nvidia drivers on a hardened workstation (I know this isn't
supported but I've manually unmasked them) and set `eselect opengl` to
nvidia because this is the only way to get hardware 3d acceleration in vmware.
Because of this I have to use `paxctl -m` on a few non-critical binaries.
But aft
Hi!
On Wed, Feb 16, 2011 at 06:19:59PM +0200, pagee...@freemail.hu wrote:
> what's lddtree say? here libGL is loaded for libgtk-x11-2.0.so (x11-libs/gtk+)
> which is needed when you have USE=gtk. so you should look at gtk+ and see why
> it needs libGL (or better, whether it's configurable).
Thank
Hi!
Please take a look at http://bugs.gentoo.org/show_bug.cgi?id=347365
Requiring PaX softmode while emerging mono sounds just plain wrong;
there should be a way to do the same using paxctl for a single binary.
--
WBR, Alex.
Hi!
On Fri, Mar 06, 2009 at 03:25:16PM -0800, Ned Ludd wrote:
> > On Fri, Mar 06, 2009 at 11:12:59PM +0200, pagee...@freemail.hu wrote:
> > > ah crap, i know what it is. it's a several years old glibc bug where
> > > someone
> > > put a certain variable into the RELRO segment but forgot that it'l
Hi!
On Tue, Mar 08, 2011 at 02:05:46PM -0500, Mike Frysinger wrote:
> if there's a bug in glibc, an actual bug in bugs.g.o needs to be
> opened with real details/patches. otherwise, nothing is going to
> change.
Actually, from the initial discussion I got the impression this is *well* known
(at least to
Hi!
On Tue, Mar 08, 2011 at 03:49:34PM -0500, Anthony G. Basile wrote:
> Take a look at [1] for a good laugh.
Yep, that was funny. :) BTW, if I understood correctly, with the proposed
patch my apache won't segfault anymore, but the zendoptimizer and ioncube libs
won't be loaded… so this doesn't look like
Hi!
On Sun, Apr 17, 2011 at 02:17:21AM +0200, "Tóth Attila" wrote:
> Reverting to the old binary makes the problem go away.
Any chance it's as trivial as a somehow modified old binary - like with paxctl?
Also, you can try using non-hardened gcc to build apache, just in case.
--
Hi!
On Sat, Nov 12, 2011 at 02:37:40PM -0600, Matt Thode wrote:
> > May I ask if nvidia is still hardened unfriendly? I need CUDA available.
> nvidia drivers still don't play well yet.
>
> There are ways to get it working (some people have) but I don't know what
> exactly they did (I know they p
Hi!
On Sun, Dec 11, 2011 at 10:18:51AM +, Sven Vermeulen wrote:
> Also consider hardening your system settings-wise. I would appreciate if you
> take a look at
> http://dev.gentoo.org/~swift/docs/previews/oval/gentoo-xccdf-guide.html.
Some points in that guide look strange to me. For example
Hi!
On Sun, Dec 11, 2011 at 02:25:19PM +, Sven Vermeulen wrote:
> > 1) How can
> > 4.2.4.1. Root Logon Through SSH Is Not Allowed
> > increase security, if we're already using
> > 4.2.4.2. Public Key Authentication Only
> > Disabling root may make sense with password auth, but
Hi!
I've just updated to opera-11.60.1185 and firefox-bin-8.0.
Opera works just fine, but firefox fails to start (hangs using 100% CPU)
because paxmarking -m isn't enough. To fix firefox paxmarking -r is needed too:
paxctl -r /opt/firefox/firefox
I'm using only GrSec+PaX, so there may also be
Hi!
On Mon, Dec 12, 2011 at 06:54:17PM +, Kevin Chadwick wrote:
> "CONFIG_GRKERNSEC_HARDEN_PTRACE=y"
No, I don't have this one.
> Yeah it's been like that for a while. I think gentoo-hardened
> automatically sets those pax flags. See this link.
Firefox's ebuild sets only the -m flag, which isn't
Hi!
On Wed, Dec 14, 2011 at 04:27:45PM +0100, Javier Juan Martínez Cabezón wrote:
> I told you, with a secure TPE (so scripts fully controlled) tell me
> how to write one kernel exploit under bash without calling external
> code.
How about
$ perl -e 'exploit code here'
or just
$ perl