Yiannis wrote:
Hello,
I am running hardened gentoo with the toolchain provided by the
xake-toolchain overlay. I am looking for a way to use virtualization
with my current config. I am aware of linux-vserver project which has
grsecurity integration, but as far as I remember does not play well
wit
Yiannis wrote:
On Sat, 08 Aug 2009 15:28:10 -0400
Michael Orlitzky wrote:
Yiannis wrote:
Hello,
I am running hardened gentoo with the toolchain provided by the
xake-toolchain overlay. I am looking for a way to use virtualization
with my current config. I am aware of linux-vserver project
Gordon Malm wrote:
Hello Hardened users, this is just a quick heads up. GCC 4.3.4 will be going
stable on hardened profiles shortly. Unlike Hardened GCC 3.4.6, this version
lacks default SSP building. However, FORTIFY_SOURCE=2
and -fno-strict-overflow are now enabled by default. Other Harde
Grant wrote:
I've been stuck on gcc-3.4.6 on my hardened profile system (currently:
hardened/linux/amd64/10.0) for a very long time. Now it looks like
gcc-4.3.4 has been stabilized for hardened profiles. Has anyone
tested it? This system is critical for me, so I've got to be careful.
- Grant
Grant wrote:
That's great. I'm up against a mysql upgrade that doesn't want to go
through without the new gcc, so I'm going for it now.
I have 4 desktops on a non-hardened profile and 1 server on a hardened
profile. I'd love to put the desktops on a hardened profile with this
new gcc. Can I
Mike Edenfield wrote:
On 10/27/2009 6:50 PM, Pavel Labushev wrote:
Michael Orlitzky wrote:
using hardened for a desktop machine. A few packages, e.g.
* Mplayer
* OpenOffice
There wasn't a /single/ failure on x86 with these two for me, even though I
compiled them with 3.4.6/4.1.2/4.3.3
Machell, Jonathan wrote:
Hello there,
We're currently trialling Gentoo to possibly host some of our web-servers. I've
used Gentoo for over eight years so I'm leading these trials.
I've subscribed to this mailing list but also gentoo-server and
gentoo-security. I'm trying to keep up to speed w
Ed W wrote:
On 08/03/2010 05:49, Joseph C. Lininger wrote:
I think I may be running short of entropy, presumed due to SSP?
Essentially I have two or three digit numbers from
/proc/sys/kernel/random/entropy_avail
Try timer_entropyd. It'
On 04/19/10 13:16, Ed W wrote:
I guess others will disagree, but I have never been a huge fan of the
kernel ebuilds. I'm just not clear what they buy you over downloading
and compiling your own? I think there are a few extra patches in the
case of gentoo-sources, but that seems to be about it?
On 11/06/2010 05:43 PM, Anthony G. Basile wrote:
>
> Hi hardened users,
>
> You may have heard by now that hardened is thinking of changing its
> profile structure. The current structure is crazy complex and there is
> no need for it. Basically we're going to be removing the versioning in
> our
I've got (at least) two servers that lose their root partition after
this upgrade. One of them has an HP cciss SCSI RAID controller; the
other has a single IDE hard drive. Assuming the problem is something
common, I'll stick to describing the one with the array for now.
First of all, I didn't touc
On 12/26/2010 03:46 AM, pagee...@freemail.hu wrote:
> On 26 Dec 2010 at 1:59, Michael Orlitzky wrote:
>
>> I've got (at least) two servers that lose their root partition after
>> this upgrade. One of them has an HP cciss SCSI RAID controller; the
>> other has a single
On 12/26/2010 12:57 PM, pagee...@freemail.hu wrote:
> On 26 Dec 2010 at 12:06, Michael Orlitzky wrote:
>
>> I do have UDEREF enabled:
>>
>> # grep UDEREF .config
>> CONFIG_PAX_MEMORY_UDEREF=y
>>
>> I can try disabling it when I'd be willing to
On 12/26/2010 03:00 PM, pagee...@freemail.hu wrote:
> On 26 Dec 2010 at 14:09, Michael Orlitzky wrote:
>
>> Challenge accepted. I'm dressed, the car's cleaned off, and I'm
>> recompiling with UDEREF=n.
>
> passing pax_nouderef on the kernel cmdline shoul
I've loaded 2.6.36-hardened-r7 on all but one of my servers, and they
boot normally (and don't require root=...).
The last straggler is due to an apache problem (goes away when I reboot
to 2.6.32-hardened-r22) that I don't think I'm willing to reproduce
during business hours.
I was able to figure out my new apache problem. It seems that
PAX_MEMORY_UDEREF and apache's EnableMMAP directive don't get along
sometimes:
http://httpd.apache.org/docs/2.2/mod/core.html#enablemmap
With UDEREF enabled and MMAP on, I get random inappropriate 206 response
codes everywhere causin
On 01/08/2011 01:22 PM, Anthony G. Basile wrote:
> On 01/08/2011 07:09 AM, pagee...@freemail.hu wrote:
>> On 7 Jan 2011 at 23:57, Michael Orlitzky wrote:
>>
>>> I was able to figure out my new apache problem. It seems that
>>> PAX_MEMORY_UDEREF and apache'
On 02/09/11 22:09, Anthony G. Basile wrote:
> Hi everyone,
>
> Jan Kundrat asked on gentoo-dev why hardened removes ipv6 from its
> profiles. To be honest, I see no good reason. I want to add it back.
> Before I do, does anyone in the community know of any issues with
> hardened + ipv6? I don't
On 02/15/2011 10:52 AM, Alex Efros wrote:
> Hi!
>
> Quick Google and CVE searches show there were plenty of vulnerabilities
> in the IPv6 stack implementations of all OSes (including Linux). And, as we all
> know, most vulnerabilities will be found only after a product becomes
> popular and widely used,
On 03/29/11 07:17, Magnus Granberg wrote:
> [22:55:55] HP smart array, the CCISS driver is borked on 2.6.37
> and maybe 2.6.38
> [22:56:07] this is a blocker to stabilizing 2.6.37 right now
> [22:56:25] I thought that has been known for a while now
> though
> [22:56:29] if i can't resolve it,
On 03/29/2011 06:49 PM, Anthony G. Basile wrote:
> On 03/29/2011 11:59 AM, Michael Orlitzky wrote:
>> On 03/29/11 07:17, Magnus Granberg wrote:
>>> [22:55:55] HP smart array, the CCISS driver is borked on 2.6.37
>>> and maybe 2.6.38
>>> [22:56:07] this is a
On 03/30/11 07:56, Anthony G. Basile wrote:
>
> Yes, the cciss array will not be recognized and as a result you get a
> panic when root can't be found. Not a very revealing bug. We should
> also make sure that I wasn't stupid and missed some new kernel option
> that's needed, but I don't think s
It looks like these stopped being published:
http://distfiles.gentoo.org/releases/amd64/current-stage3/
Any reason? They can still be found here,
http://gentoo.osuosl.org/releases/amd64/autobuilds/
but it looks like even those stopped being built a week ago.
On 06/06/2011 03:54 PM, Sven Vermeulen wrote:
>
> The last one now is of 20110602, which is fairly recent.
>
> The autobuilds are not always created successfully. Updates on compilers
> or other toolchain changes might affect build successes. When these
> builds fail, they are not propagated so y
On 06/06/11 17:05, Matthew Thode wrote:
> On Mon, 06 Jun 2011 16:38:06 -0400
> Michael Orlitzky wrote:
>
>> On 06/06/2011 03:54 PM, Sven Vermeulen wrote:
>>>
>>> The last one now is of 20110602, which is fairly recent.
>>>
>>> The autobui
On 04/21/2012 07:05 AM, Anthony G. Basile wrote:
> Hi everyone,
>
> I'd like to remove USE="-unicode" from make.defaults at the root level
> of all hardened profiles. The request came from jmbsvicetto because he
> required it for the hardened stages to build, but to be honest, I don't
> know w
On 05/20/2012 05:35 PM, Alex Efros wrote:
> Hi!
>
> ACL
> Not sure about consolekit requirement above, but otherwise it looks
> useless (if you don't need to use complicated file permissions).
ACLs are actually very nice if you can get over the initial hurdle of
figuring out how they work
On 06/25/12 23:03, Alex Efros wrote:
>
> Correct me if I'm wrong, but enabling IPv6 means needing to support two
> different routing tables and two different firewalls. Also, I suppose
> enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
> may (and probably will!) result in cr
On 06/26/2012 03:38 AM, Darknight wrote:
> Enable ipv6 use flag and disable ipv6 in /etc/sysctl.conf?
> - no scary (j/k) ipv6 enabled by default
> - ipv6 enabled in a matter of seconds without need for an internet
> connection
>
> The news item and a word about the sysctl thing in the docs would
On 06/26/12 20:42, Francisco Blas Izquierdo Riera (klondike) wrote:
> El 26/06/12 07:43, Michael Orlitzky escribió:
>> It's easy enough to set USE="-ipv6" manually of course, but the same
>> argument works for USE="ipv6". So, I think the default should be
I've got an old problem with clamd, which creates a bunch of threads.
Every so often the logs will show e.g.,
Jul 31 06:01:41 mx1 clamd[24070]: pthread_create failed
Jul 31 06:01:41 mx1 clamd[24070]: pthread_create failed
Jul 31 06:01:41 mx1 clamd[24070]: pthread_create failed
Jul 31 06:01
On 08/01/2012 06:56 AM, PaX Team wrote:
> On 31 Jul 2012 at 22:12, Michael Orlitzky wrote:
>
>> I get nothing in my dmesg, which otherwise records most limit-based denials.
>>
>> Is there some way I can troubleshoot this? It works on amd64 with the
>> same kernel har
On 08/01/12 09:08, PaX Team wrote:
> On 1 Aug 2012 at 8:41, Michael Orlitzky wrote:
>
>> Thanks, here are strace -f logs from both the hardened box (where it
>> fails) and a vanilla gentoo x86 VM (where it works).
>
> mmap2(NULL, 30720, PROT_READ|PROT_WRITE,
>
On 08/01/2012 05:29 PM, PaX Team wrote:
> On 1 Aug 2012 at 9:56, Michael Orlitzky wrote:
>
>> But, I'd ruled out the stack size limitation because resource oversteps
>> are supposed to be reported:
>
> it's not a resource overstep but simply not enough virtu
Initially sent to gentoo-server, just remembered there are probably a
few ACL users here too.
Original Message
I have a directory (drupal modules directory) where developers regularly
untar (or cp) archives. The contents should be rwx for the 'developers'
group, so that some oth
On 08/06/2012 02:31 PM, Michael Orlitzky wrote:
>
> I have a directory (drupal modules directory) where developers regularly
> untar (or cp) archives. The contents should be rwx for the 'developers'
> group, so that some other developer can update or remove the module later.
On 12/22/2012 09:37 AM, Alex Efros wrote:
> Hi!
>
> Ok, let's forget about VMware/VirtualBox, 3D acceleration, MacOSX…
>
> I want all of this, but, hell, I can probably live without it.
>
> Does there exist __ANY__ way to run at least Win7 on 64-bit hardened gentoo
> with good enough speed for co
On 01/03/2013 08:45 PM, Anthony G. Basile wrote:
> Can people please comment on the PT_PAX to XATTR_PAX migration guide
> before I put it up on line
>
> http://dev.gentoo.org/~blueness/zzz/pax-migrate-xattr.xml
>
Everything looks good to me except the overlay instructions. The
suggestion to cop
On 01/04/2013 07:11 AM, Anthony G. Basile wrote:
>
>>
>> You also mention adding the overlay and "make sure you set up your
>> repos.conf." I'm just not sure what you mean there, I've never used
>> repos.conf for anything. What am I supposed to do with it?
>
> In /etc/portage/repos.conf you shoul
I recently updated all of our servers to 3.7.0-hardened (from
3.4.2-hardened-r1) and re-did our iptables rules to avoid future pain[1]
from the state -> conntrack switch.
The first thing I noticed was that vsftpd apparently crashed on my own
box, michael.orlitzky.com. The server stayed up, though,
On 01/12/2013 06:16 PM, Anthony G. Basile wrote:
> It's e1000. This was an unknown issue until just recently. It's supposed
> to be fixed in the latest 3.7.1-r2. Let me know if it is and I'll drop
> 3.7.0 in favor of 3.7.1-r2.
>
> My apologies. I do test, but it's impossible to test on every pos
On 01/12/2013 06:22 PM, "Tóth Attila" wrote:
> Regarding the panic also see:
> CONFIG_GRKERNSEC_BRUTE kernel config option.
> It tries to counteract brute-forcing probes.
> In case of a process running as a user it kills it; if it's running as root it
> makes the system panic.
Oh, so it's just a normal
On 01/12/13 18:16, Anthony G. Basile wrote:
> It's e1000. This was an unknown issue until just recently. It's supposed
> to be fixed in the latest 3.7.1-r2. Let me know if it is and I'll drop
> 3.7.0 in favor of 3.7.1-r2.
Bad news:
http://michael.orlitzky.com/tmp/e1000.jpg
On 01/13/2013 04:16 PM, PaX Team wrote:
>
> that's a known false positive of the size overflow plugin,
> see http://forums.grsecurity.net/viewtopic.php?f=3&t=3208&start=15
>
> once you fix that and you can still reproduce the null deref,
> can you email me the corresponding vmlinux along with the
On 01/13/13 16:16, PaX Team wrote:
>
> that's a known false positive of the size overflow plugin,
> see http://forums.grsecurity.net/viewtopic.php?f=3&t=3208&start=15
>
> once you fix that and you can still reproduce the null deref,
> can you email me the corresponding vmlinux along with the oops
On 01/23/13 10:17, Michael Orlitzky wrote:
> On 01/13/13 16:16, PaX Team wrote:
>>
>> that's a known false positive of the size overflow plugin,
>> see http://forums.grsecurity.net/viewtopic.php?f=3&t=3208&start=15
>>
>> once you fix that and you
I've followed the migration guide,
https://wiki.gentoo.org/wiki/Project:Hardened/PaX_flag_migration_from_PT_PAX_to_XATTR_PAX
on a few machines now without problem. But, I have a couple of routers
that should experience a minimum of downtime. The guide has you reboot
twice: once to enable XATTR_PA
On 09/09/2013 09:49 AM, Alex Efros wrote:
> Hi!
>
> On Mon, Sep 09, 2013 at 09:30:56AM -0400, Michael Orlitzky wrote:
>> That is, can I disable PT_PAX, enable XATTR_PAX, reboot, and run
>> migrate-pax? Or might that cause problems?
>
> You can migrate with just one r
On 09/09/2013 01:47 PM, Anthony G. Basile wrote:
>
> That was my mistake. When I dropped XT I forgot to update the comment.
> We tried XT right off the bat, but discovered a couple of problems: 1)
> install doesn't preserve xattr. we have a solution but it isn't working
> that well, and 2)
On 09/09/2013 05:26 PM, Anthony G. Basile wrote:
>
> You can use XT_PAX provided you're not running something like a
> tinderbox, ie doing massive amounts of ebuilds. The problem is that
> install is being wrapped by install.py. As a result every instance of
> install means invoking the python
On 09/10/2013 07:44 AM, Anthony G. Basile wrote:
> On 09/09/2013 07:45 PM, Michael Orlitzky wrote:
>> On 09/09/2013 05:26 PM, Anthony G. Basile wrote:
>>>
>>> You can use XT_PAX provided you're not running something like a
>>> tinderbox, ie doing massive
Due to my own stupidity (forgot to mount ext3 with -o user_xattr), I
noticed that many ebuilds call pax-mark without a corresponding "||
die". Since pax-mark returns non-zero on failure, does not die itself,
and is most likely required for the package to work, it seems like the
'die' should be ther
On 10/19/2013 08:29 PM, Anthony G. Basile wrote:
>
> Can you check to see if the || die is required only on packages before
> EAPI = 5? Or is it on all EAPI versions?
It's required anywhere you want the ebuild to die when pax-mark fails.
AFAIK, the EAPI >= 4 auto-die behavior only applies to th
On 10/20/2013 07:39 PM, Anthony G. Basile wrote:
>
> The profile idea is a good one, but I'm always worried about people who
> switch profiles. If we don't do the markings on *all* gentoo systems,
> then someone switching from vanilla to hardened may have to re-emerge
> lots of packages. Unlik
On 10/22/2013 08:38 AM, Allan Wegan wrote:
>
> Has the bottleneck already been identified? Python should not be
> much slower than other languages for solving mostly IO-based
> problems.
When you emerge something with a bazillion files, the install w
On 10/22/2013 03:08 PM, Allan Wegan wrote:
>> When you emerge something with a bazillion files, the install
>> wrapper (and thus the python interpreter) get launched that many
>> times. It's the startup time that kills it.
>
> Should that PAX markings
I'm hitting a nasty bug with SSP/PHP:
https://bugs.gentoo.org/show_bug.cgi?id=491100
Recompiling PHP with hardenednossp fixes the problem, but on this one
server we're recompiling PHP a lot (as we figure out which extensions
are needed to migrate a bunch of classic ASP sites).
Supposing I'm ve
On 12/17/2013 08:57 AM, Alex Xu wrote:
>
> Can't you do CFLAGS=-fno-stack-protector in p.env?
>
Yep, thanks. I had to prepend $CFLAGS to it, i.e.,
CFLAGS="${CFLAGS} -fno-stack-protector"
but no crash after a recompile.
Last week, the LMTP daemon on our mail server (HP DL360 G6) crashed.
People noticed that the mail stopped coming in, so I SSHed in to check
on it, and there were some weird traces in the dmesg. While trying to
investigate, I noticed some more badness:
# emerge -1 openntpd
Calculating dependenc
On 05/09/2014 11:29 AM, Mark Gomersbach wrote:
> Maybe a bug somewhere else too, which combination kernel/grsec/pax was used?
>
Whatever came with sys-kernel/hardened-sources-3.11.7-r1:
# uname -a
Linux mmmc2 3.11.7-hardened-r1 #1 SMP Fri Jan 3 23:13:48 EST 2014
x86_64 Intel(R) Xeon(R) CPU
On 05/10/2014 07:14 AM, Joshua Kinard wrote:
>
> I think I ran into this, too, in 3.11. It takes a few days of uptime before
> it happens. Running 3.13.x now on my x64 machine and haven't run into it
> again. So I second the suggestion to upgrade your kernel.
>
I couldn't come up with a better
On 05/15/2014 09:48 AM, PaX Team wrote:
>
> unfortunately the backtrace is not usable as is due to lack of symbols.
> if you still have the original vmlinux around (or can reproduce it with
> all the debug symbols) then i can take a look and perhaps figure out
> where the refcount overflow was det
On 06/07/2014 08:55 PM, Anthony G. Basile wrote:
>
> When running with a pax kernel, you must enable EMUTRAMP in your Kconfig
> and you must paxmark your python exe's with E. Note: EMUTRAMP is on by
> default and the ebuild automatically does the markings for you, so leave
> the defaults alone
On 06/10/2014 01:50 PM, Anthony G. Basile wrote:
>>
>> Can linux-info.eclass be used to spit out a warning during a python emerge?
>>
>> This,
>>
>> use hardened && CONFIG_CHECK+=" ~CONFIG_PAX_EMUTRAMP"
>>
>> seems like a common pattern. With a little more ingenuity we can
>> probably have it ch
On 09/24/2014 08:14 PM, Jacek wrote:
> Bash in Gentoo (app-shells/bash-4.2_p45) is vulnerable to this threat:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6271
>
Already fixed:
https://bugs.gentoo.org/show_bug.cgi?id=523592
On 12/23/2014 02:30 PM, waben...@gmail.com wrote:
>>
>> are there any future plans for hardened clang?
>
> Is my question too unspecific or just too stupid for an answer? ;-)
>
Probably just that we don't want to send 100 "no" replies to the mailing
list. You're stuck waiting for a "yes" instead
On 08/21/2015 09:14 PM, Anthony G. Basile wrote:
>
> It happens.
>
> Anyhow, can people please test 4.1.6. I'll rapid stabilize it but I
> don't want to trade one issue for another.
>
If you want to play it safe, you can only rapid stable it on x86 where
the alternative is worse. I've upgrade
On 10/25/2016 10:11 AM, Anthony G. Basile wrote:
>
> I'm testing 4.7.10 and will have it stabilized soon.
>
FWIW, I've been panic-updating all of our x86/amd64 servers (mostly HP
Proliant) to 4.7.10 and nothing has blown up yet.
On 04/08/2017 06:39 AM, Hanno Böck wrote:
For now I'm just investigating whether there's interest in this. I
could create some docs in the wiki on how to get started.
Yeah, sounds like fun. Using ld.gold isn't much of a problem these days,
at least in my experience. Clang works for most thin
On 08/16/2017 10:37 AM, Francisco Blas Izquierdo Riera (klondike) wrote:
>>>
>> Would anyone like to outline a simple process to migrate from
>> hardened-sources + hardened tool-chain to gentoo-sources?
>>
> Unless you want to drop userspace hardening (which most likely you don't
> as it is still u
On 12/02/2017 06:50 AM, Sven Vermeulen wrote:
> On the chat it was noticed that we don't have a hardened/selinux profile
> anymore. Is it OK if I add it, with a parent of
The no-multilib (sub)profile didn't make it over either...
I tried to create this myself and nothing terrible happened. First, I
created the new directory,
profiles/default/linux/amd64/17.0/hardened/no-multilib (1)
So, first question: is there a preference between the two choices there,
either "17.0/hardened/no-multilib" or "17.0/no-multilib/
On 12/15/2017 06:09 AM, Robert Sharp wrote:
>
> MISSING="berkdb gdbm tcpd ptpax session dri urandom"
>
> Is this a deliberate change or are they actually missing?
>
These are all intentional, but perhaps with an unintended side effect.
The default/linux profile sets,
USE="berkdb crypt ipv6 n
On Fri, 2022-08-05 at 16:56 +0800, Turritopsis Dohrnii Teo En Ming
wrote:
>
> Good day from Singapore,
>
> Where can I download security hardened version of Gentoo?
>
There is no specific hardened version to download. When installing
Gentoo, you normally download and extract a generic system im