Gentoo Forums
Jaded stage3 hardened Guide With Grsecurity & PaX ver2.0
dbasetrinity
Apprentice
Joined: 25 Jun 2005
Posts: 167

Posted: Thu Dec 29, 2005 1:19 pm    Post subject: Jaded stage3 hardened Guide With Grsecurity & PaX ver2.0

To perform a 2005.1 Stage 3 Hardened Installation with GCC 3.4.5, follow these steps:

With a hardened Stage3 and grsecurity and pax

If you're in search of added security, well, look no further; this guide will take you step by step through the process. This guide should be considered EXPERIMENTAL. In creating the guide we have done a lot of testing on this setup and find it very reliable; however, there is always the possibility that a bug could show up. If you do have any issues at all, please report them so we can try to resolve them.

Guide Features
1. Hardened stage3 Tarball
2. nptl
3. GCC3.4.5
4. Hardened-Sources


1. Download and Burn the Minimal Installation CD. The .ISO image required for the hardware used in this example is

Code:
wget http://gentoo.osuosl.org/releases/x86/2005.1/installcd/install-x86-minimal-2005.1.iso


Some might find using the minimal CD a little boring, since it's non-GUI with only links to play with. I like something that has Mozilla Firefox, Gaim and Xchat; these tend to help if you run into problems with the installation. So here are a few I like to use.

http://kanotix.com/
http://www.lxnaydesign.net/

Kanotix is a Debian-based LiveCD and RR4 is a Gentoo-based LiveCD.

2. Boot using the Minimal Installation CD. At the "boot:" prompt, press <Enter> to select the default gentoo kernel.

3. Configure LAN Card. We're assuming that your LAN card has been recognized and that you can obtain a LAN connection via DHCP.

Code:
# dhcpcd eth0



4. Configure Your Hard Disk

4.1 View the Hard Drive's Operational Parameters. In this example we will assume that only one hard disk will be installed on the system. It will be recognized by Gentoo as /dev/hda. We will start off by viewing the default disk parameters at boot:

Code:
# hdparm /dev/hda
/dev/hda:
multcount    = 16 (on)
IO_support   = 0 (default 16-bit)
unmaskirq    = 0 (off)
using_dma    = 1 (on)
keepsettings = 0 (off)
readonly     = 0 (off)
readahead    = 256 (on)
geometry     = 16383/255/63, sectors = 120034123776, start = 0

# hdparm -i /dev/hda

/dev/hda:

Model=WDC WD1200JB-00GVA0, FwRev=08.02D08, SerialNo=WD-WMAL92634373
Config={ HardSect NotMFM HdSw>15uSec SpinMotCtl Fixed DTR>5Mbs FmtGapReq}
RawCHS=16383/16/63, TrkSize=57600, SectSize=600, ECCbytes=74
BuffType=DualPortCache, BuffSize=8192kB, MaxMultSect=16, MultSect=16
CurCHS=16383/16/63, CurSects=16514064, LBA=yes, LBAsects=234441648
IORDY=on/off, tPIO={min:120,w/IORDY:120}, tDMA={min:120,rec:120}
PIO modes:  pio0 pio1 pio2 pio3 pio4
DMA modes:  mdma0 mdma1 mdma2
UDMA modes: udma0 udma1 udma2 udma3 udma4 *udma5
AdvancedPM=no, WriteCache=enabled
Drive conforms to: device does not report version:

* signifies the current active mode


4.2 In this step we will set hdparm parameters to increase hard drive performance. In this example we're using a WD1200JB. It's possible to get a little better performance out of this hard drive by issuing a few parameters with hdparm. The following parameters work well with this drive. Here are a few guides on hdparm that might help you decide if those are right for your drive:

http://gentoo-wiki.com/HOWTO_Use_hdparm_to_improve_IDE_device_performance
http://gentoo-wiki.com/MAN_hdparm

Code:
# hdparm -a256A1c1d1m16u1 /dev/hda

/dev/hda:
setting fs readahead to 256
setting 32-bit IO_support flag to 1
setting multcount to 16
setting unmaskirq to 1 (on)
setting using_dma to 1 (on)
setting drive read-lookahead to 1 (on)
multcount    = 16 (on)
IO_support   =  1 (32-bit)
unmaskirq    =  1 (on)
using_dma    =  1 (on)
readahead    = 256 (on)


4.3 Test the Hard Drive's Performance.

Typical results for an Athlon-xp:

Code:
# hdparm -tT /dev/hda
/dev/hda:
Timing cached reads:   2365 MB in  2.00 seconds =  1177.93 MB/sec
Timing buffered disk reads:   174 MB in   3.01 seconds =  57.46  MB/sec


4.4 Partition the Hard Drive

4.4.1 Display the Partition Information

Technically, the syntax of this command is used to change the partition information, but on an unpartitioned drive it will display the partition information that is available:

Code:
# fdisk /dev/hda
The number of cylinders for this disk is set to 24321.
There is nothing wrong with that, but this is larger than 1024,
and in certain setups could cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
 (e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk /dev/hda: 200.0 GB, 200049647616 bytes
255 heads, 63 sectors/track, 24321 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System

Command (m for help):


4.4.2 Plan Our Partition Scheme:

My recommendation is that you plan out your partitions well. For debugging purposes I would suggest creating separate /usr, /opt and /var partitions and possibly a /home, and I also like to create a /www partition which I then use to house all my web pages for my LAMP setup.

For clarity I'm going to just keep it simple; we're going to use the following partition scheme. I'll leave out the details, assuming that you know how to partition your hard disk.

Code:
Partition File System    ID  Size      Description
/dev/hda1 ReiserFS 3.6   83  100 MB    Boot partition
/dev/hda2 (swap)         82  512 MB    Swap partition
/dev/hda3 ReiserFS 3.6   83  Remainder Root Partition


4.5 Partition the Hard Disk

Code:
Disk /dev/hda: 200.0 GB, 200049647616 bytes
255 heads, 63 sectors/track, 24321 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

4.5.1 Verify the partition configuration

Device     Boot   Start    End     Blocks    Id  System
/dev/hda1    *        1     13     104391    83  Linux
/dev/hda2            14     76     506047+   82  Linux swap
/dev/hda3            77  14593  116607802+   83  Linux


4.5.2 Exit Fdisk and Save the Partition Layout. Press "w" to write the partition table to disk and exit fdisk.

Code:
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks


4.6 Time to create the filesystem. This example covers the installation of EXT3 on the /boot and Reiser FS 3.6 on the /root partition, and swap on the /swap partition.

4.6.1 Installing EXT3 on /dev/hda1 and Reiser FS on /dev/hda3:

Code:
# mke2fs -j /dev/hda1
# mkreiserfs /dev/hda3


You will need to answer "Y" when asked if you want to continue installing Reiser FS on the hard disk.

4.6.2 Install the swap partition on /dev/hda2:

Code:
# mkswap /dev/hda2 && swapon /dev/hda2


4.7 Mounting the File Systems. Mount the partitions using the "mount" command.

Code:
# mount /dev/hda3 /mnt/gentoo
# mkdir /mnt/gentoo/boot
# mount -t ext3 /dev/hda1 /mnt/gentoo/boot


5. Installing the Gentoo Installation Files.

5.1 Download the Hardened Stage 3 Tarball from the Internet.

Go to the gentoo mount point on your hard disk:

Code:

# cd /mnt/gentoo


We will need to download 2 files from the mirrors: The Stage 3 Hardened tarball and its checksum file. We will download the following two files using the "wget" command at the bash prompt. The entire command must be typed on one line:

Code:
wget http://gentoo.osuosl.org/releases/x86/2005.1/stages/x86/hardened/stage3-x86-hardened-2.6-2005.1.tar.bz2
wget http://gentoo.osuosl.org/releases/x86/2005.1/stages/x86/hardened/stage3-x86-hardened-2.6-2005.1.tar.bz2.md5


If you need to check the list of Gentoo Mirrors, Click Here!

5.2 Checking the md5sum of the Tarballs. This step should never be skipped. Bad things can happen while downloading, a bit here, a byte there! :)

Code:
# md5sum -c stage3-x86-hardened-2.6-2005.1.tar.bz2.md5
stage3-x86-hardened-2.6-2005.1.tar.bz2: OK




5.3 Extracting the Hardened Stage 3 Tarball using the following command.

Code:
# tar -xjpvf stage3-x86-hardened-2.6-2005.1.tar.bz2


Now is a good time to take a break this can take awhile depending on your system...

5.4 Installing Portage

5.4.1 Download a fresh portage snapshot using the wget command.

Code:
# wget http://gentoo.osuosl.org/snapshots/portage-latest.tar.bz2


5.4.2 Extract the Portage Snapshot

Code:
# tar -xjvf /mnt/gentoo/portage-latest.tar.bz2 -C /mnt/gentoo/usr


This one might give you a few free moments to refill that coffee cup as this will again take awhile..

6. Installing the Gentoo Base System

6.1 Copy the DNS information in /etc/resolv.conf to ensure that networking works in our new Gentoo environment.

Code:
# cp -L /etc/resolv.conf /mnt/gentoo/etc/resolv.conf


6.2 We will mount the /proc file system to allow our Gentoo installation to use kernel-provided information within the chrooted environment.

Code:
# mount -t proc none /mnt/gentoo/proc
# mount -o bind /dev /mnt/gentoo/dev
# cp /proc/mounts /mnt/gentoo/etc/mtab


6.3 Chroot into the New Environment

Code:
# chroot /mnt/gentoo /bin/bash
# env-update
# source /etc/profile


6.4 Set the Date and Time

6.4.1 Set the Correct Date and Time.

The date command uses the syntax MMDDHHMMYYYY, where MM is the month, DD is the day, HHMM is the time, and YYYY is the year. As I type this, it is Tuesday December 05, 2005 at 19:30:

Code:
# date 120519302005
Tuesday Dec 05 91:30:00 Local time zone must be set--see zic manual page 2005


6.4.2 Set the Time Zone Symlink.

This example displays the available time zone selections for the Western Hemisphere:

Code:
# ls /usr/share/zoneinfo/America


I set the local time zone to Pacific Time because I live in Los Angeles. To do this, I first remove the symlink to the default time zone, and then replace it with a symlink to my local time zone:

Code:
# rm /etc/localtime
# ln -s /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
# date
Tuesday Dec 05 19:32:50  2005


6.5 Setting up make.conf
In this example, we're compiling for an Athlon-xp-class box on the x86 architecture. Our CHOST setting will be i686-pc-linux-gnu. Since all of the 686-class boxes use the same CHOST, it really doesn't matter which tarball we start off with. More accurately, you can start off with the i686 tarball and properly complete the install for any of the 686-class boxes. The advantage of doing this is that the i686 tarball is not affected by the permissions problems that plague some of the other 686-class tarballs. All that you need to worry about is changing the architecture specification for your processor.

This guide uses a minimalist setting of the USE variable. You are free to add additional USE flags as needed for your specific system requirements, but it is highly recommended that you do not add them to /etc/make.conf until after you have finished emerge -e system. Adding USE flags before then can make compiling the system a challenge. Also, as this is a HARDENED install, there are no default USE flags that are needed for this install, and those USE flags are listed at the end of the install and should be added either to /etc/make.conf or with ufed, which we use in this guide.

Code:
# nano -w /etc/make.conf

CHOST="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer -pipe"
CXXFLAGS=${CFLAGS}
ACCEPT_KEYWORDS="x86"
PORTAGE_TMPDIR=/var/tmp
PORTDIR=/usr/portage
DISTDIR=${PORTDIR}/distfiles
PKGDIR=${PORTDIR}/packages
PORT_LOGDIR=/var/log/portage
PORTDIR_OVERLAY=/usr/local/portage
GENTOO_MIRRORS="<your mirror goes here> http://gentoo.osuosl.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
RSYNC_RETRIES="3"
RSYNC_TIMEOUT=180
MAKEOPTS="-j2"
PORTAGE_NICENESS=3
AUTOCLEAN="yes"
FEATURES="distlocks sandbox userpriv usersandbox"
CCACHE_SIZE="2G"
USE="nptl"


6.6 Additional Portage Configuration

6.6.1 Create Portage Directories

The sample /etc/make.conf listed above specifies directories for Portage log files and overlays that are not included as part of a standard Gentoo installation. If you are going to use the logging and overlay functions listed in the sample make.conf file, then you will need to create two additional directories on your system.

Code:
# mkdir /var/log/portage
# mkdir /usr/local/portage


6.6.2 Package Keywords - Enabling GCC 3.4.5 in the Stable Branch

GCC 3.4.5 is part of the unstable or "testing" branch in Portage. If you will be using the "x86" stable branch of the software, then we need to configure Portage to enable the use of GCC 3.4.5 and some other toolkit components, even though they are currently classified in the testing branch.

To configure a stable branch system to utilize a testing branch ebuild, we need to let Portage know that we have approved this subset of the testing branch for use on our system. This is accomplished by specifying the name of the package and the applicable keyword in the /etc/portage/package.keywords file. We will enable support for four testing branch ebuilds in our system.

Code:
# nano -w /etc/portage/package.keywords
~sys-devel/gcc-3.4.5 -* ~x86
sys-devel/gcc-config ~x86
sys-libs/libstdc++-v3 ~x86
sys-libs/glibc ~x86
sys-devel/binutils ~x86
sys-libs/timezone-data ~x86


6.6.3 Update the Portage Tree

Code:
# emerge --sync


6.7 Activate User Locales

Gentoo's default behavior is to compile a full set of all of the available user locales. We will activate the userlocales local USE flag to limit the compilation of userlocales to those that we specify. Limiting the scope of userlocales will save us a tremendous amount of time while compiling glibc. (While we're editing this file, we'll also add "ithreads" as a package-specific USE flag for perl and libperl to allow interpreter-level threading.)

6.7.1 Activate the userlocales USE flag for glibc

Code:
# nano -w /etc/portage/package.use
sys-libs/glibc userlocales
sys-devel/libperl ithreads
dev-lang/perl ithreads


6.7.2 Specify the user locales to build.

Create the /etc/locales.build file with your favorite editor. I'm located in the USA, so I'll use the following values.

Code:
# nano -w /etc/locales.build
en_US/ISO-8859-1
en_US.UTF-8/UTF-8


7. Building the Toolkit

7.1 Building the Toolkit: GCC 3.3.5

To enable NPTL support we are required to use a 2.6 kernel and linux26-headers. Linux26-headers is now contained in the 2005.0 Stage 3 tarball

Code:
# env-update && source /etc/profile
# emerge gcc-config glibc binutils libstdc++-v3 gcc


This step will surely make you think WOW because this step takes awhile to complete. Good time for a nice afternoon nap. Time to compile that toolchain!

7.2 Re-Building the Toolkit: GCC 3.4.5

After emerging a new version of GCC, we need to pause for a moment and think about what we've done. We've just used GCC 3.3.5 and a toolchain built with GCC 3.3.5 to compile GCC 3.4.5. Before we spend any more time building our Gentoo system we should rebuild the entire toolchain, re-compiling it so that we have GCC 3.4.5 that was built with GCC 3.4.5.

Before we do this we need to examine /etc/make.conf and make changes to the CFLAGS statements in order to take advantage of the new performance-enhancing features of GCC 3.4.5. After making necessary updates to /etc/make.conf we need to rebuild the toolkit using the new GCC 3.4.5 compiler. The result will be a 3.4.5 toolkit, compiled by a 3.4.5 toolkit that was built with a 3.3.5 toolkit.


7.2.1 Updating make.conf

Here are some settings for /etc/make.conf that may be worth considering. They include extreme levels of code optimization, and some very safe and stable performance-enhancing CFLAGS. Depending upon your individual hardware, you may have to simplify some of the CFLAGS settings.

These CFLAGS should be looked at as examples only. Please refer to:
http://gentoo-wiki.com/CFLAGS
http://gcc.gnu.org/onlinedocs/gcc-3.3/gcc/Optimize-Options.htm
http://gentoo-wiki.com/Safe_Cflags

Code:
CFLAGS="-O2 -march=athlon-xp -fforce-addr -fomit-frame-pointer -ftracer -pipe"
CXXFLAGS="${CFLAGS} -fvisibility-inlines-hidden"


The Default may be a better approach for those who don't want to be on the bleeding edge or don't want to spend time troubleshooting.

7.2.2 Configuring the Default C Compiler

Although we have emerged GCC 3.4.5, it has not been automatically installed as our default compiler. If you have any doubts about this, take a quick peek at the output of "emerge info" or "gcc-config -l". Although GCC 3.4.5 has already been emerged, GCC 3.3.5 is still installed as out

Code:
# gcc-config -l
[1] i386-pc-linux-gnu-3.3.5-20050130
[2] i386-pc-linux-gnu-3.3.5-20050130-hardenednopie
[3] i386-pc-linux-gnu-3.3.5-20050130-hardenednopiessp
[4] i386-pc-linux-gnu-3.3.5-20050130-hardenednossp
[5] i386-pc-linux-gnu-3.3.5-20050130-vanilla
[6] i686-pc-linux-gnu-3.4.5 *
[7] i686-pc-linux-gnu-3.4.5-hardenednopie
[8] i686-pc-linux-gnu-3.4.5-hardenednopiessp
[9] i686-pc-linux-gnu-3.4.5-hardenednossp
[10] i686-pc-linux-gnu-3.4.5-vanilla


Change the default compiler to gcc 3.4.5 by issuing the following command. Warning: make sure that the correct compiler option is selected, as the numbers may change.

Code:
# gcc-config 6


7.2.3 Updating the System Environment

An additional command updates our system environment:

Code:
# env-update && source /etc/profile


7.2.4 Rebuilding the System Toolkit

Now it's time to rebuild the toolkit. We'll start off by recompiling glibc, binutils, gcc, and by updating portage. This will rebuild our GCC 3.4.5 compiling toolkit (which had previously been compiled with GCC 3.3.5) with the GCC 3.4.5 compiler, taking advantage of our new USE flags and CFLAGS compiler settings.

Code:
# emerge glibc binutils libstdc++-v3 gcc portage


Upon completion of the rebuild of the compiling toolkit, we will recompile the entire system to assure that our entire toolkit has been compiled using GCC 3.4.5 and our hardware-specific settings.

The result will be a 3.4.5 toolkit and an entire system that is built with a 3.4.5 toolkit.

Code:
# emerge -e system && emerge -e system


7.2.5 Prune the GCC Compiler

Now that GCC 3.4.5 has been installed as the default compiler and our system has been rebuilt, we can prune GCC 3.3.5 from our system by issuing the following commands. First, verify that GCC 3.4.5 has indeed been installed as the default compiler using the "l" parameter with gcc-config. (Just to avoid any confusion, the parameter used is a lower case "L", not the number "one".) Then, after confirming that GCC 3.4.5 has been installed as the default compiler, prune GCC 3.3.5 from your system.

Code:
# gcc-config -l
# emerge -P gcc


8.0 Building the World

8.1 Emerge Ccache (Optional)

Now that our toolkit has been built, we'll emerge the ccache program. Ccache is a compiler cache that will help to reduce compile times when previously compiled programs are being recompiled. It will not affect the time required to compile programs on the first pass, so this is an optional step. (Note: the ccache_size was set to 2G in the sample make.conf. If you have sufficient disk space, and you're planning on emerging a bloated window manager like Gnome or KDE (or if you are performing an emerge -e system or an emerge -e world), then you may want to keep this setting at: ccache_size="2G".) If you don't need or want this, you can comment it out as #ccache_size="2G" or just reduce it to ccache_size="512M" in /etc/make.conf.

Code:
# emerge ccache


8.2 Emerging Programs

Now it's time to add a few useful packages to our world profile:

Code:
# emerge syslog-ng xinetd grub vixie-cron reiserfsprogs sysfsutils dhcpcd hotplug coldplug gentoolkit esearch udev hdparm

# emerge --nodeps acpid ntp

# emerge chpax paxctl paxtest ufed


8.3 Updating the Environment

Now we'll add these services to the default runlevel.

Code:
# rc-update add syslog-ng default
# rc-update add net.eth0 default
# rc-update add vixie-cron default
# rc-update add xinetd default
# rc-update add sshd default
# rc-update add hotplug default
# rc-update add coldplug default
# rc-update add acpid default
# rc-update add ntp-client default
# rc-update add chpax default


8.4 Configuring the NTP Client

In the previous steps we emerged a Network Time Protocol client to allow us to use NTP time servers to synchronize our system clock. In this step we'll configure the ntp-client to eliminate clock skew:

Code:
# ntpdate -b -u pool.ntp.org


9. Kernel

9.1 Downloading the Kernel

The decision to enable NPTL support requires that we use a 2.6 kernel. You are free to choose any flavor of 2.6 kernel that you like. In this example, we'll be using the HARDENED-Sources kernel. Note that a 2.4 kernel will not work properly with this Installation Guide.


9.3 Now we are going to emerge our kernel source. Whatever 2.6 stable kernel you decide to go with, just make sure to use HARDENED-SOURCES.

Code:
# emerge hardened-sources


9.4 Building the Kernel Symlink

This is only needed if you already have a previous kernel installed and you want to point the symlink to the new kernel.

Code:
# rm /usr/src/linux
# cd /usr/src
# ln -s linux-2.6.14-hardened-r1 linux



9.5 Configuration

9.5.1 Enable udev Support

Edit your /etc/conf.d/rc file so that it contains the following statements:

Code:
# nano -w /etc/conf.d/rc

RC_NET_STRICT_CHECKING="no"
RC_DEVICES="udev"
RC_DEVICE_TARBALL="no"


9.5.2 Configure Kernel Options

If you're following this Installation Guide, we're going to assume that you want the best performance from your system, and that you'll be using a custom-compiled kernel instead of genkernel. When configuring your kernel, be sure to include support for hotplug firmware loading. Also be sure to remove devfs filesystem support, as we are designing udev support into our system.

Configure the kernel:

Code:
# cd /usr/src/linux
# make menuconfig


9.5.3 Now you can configure your kernel like normal and add a few entries to it. To be able to select the various grsecurity/PaX kernel options, you must enable grsecurity/PaX in your kernel.

Code:

1. Go into Security Options->>
  A. Go into Pax
           [ * ] Enable  various PaX features
      a. Go In  PaX Control    ----->
                   [   ] Support soft mode
                   [ * ]  Use legacy ELF header marking
                   [ * ]  Use ELF program header marking
                    MAC  system integration  (none) ----
      b. Go in  Non-executable pages  ----->
                   [ * ] Enforce non-executable pages
                   [ * ]      Paging based non-executable pages
                   [ * ]      Segmentation based non-executable pages
                    Default non-executable page method (SEGMEXEC)
                   [   ] Emulate trampolines
                   [ * ] Restrict mprotect()
                   [   ] Disallow ELF text relocations
                   [   ] Enforce non-executable kernel pages
      c. Go in Address Space Layout Randomization  ----->
                   [ * ] Address Space Layout Randomization
                   [ * ] Randomize kernel stack base
                   [ * ] Randomize user stack base                             
                   [ * ] Randomize mmap() base
                    ---  Disable the vsyscall page
2.Go into Grsecurity ------>
   A. [ * ] Grsecurity
      a.Security Level (Custom)  ----->
      b. Go in  Address Space Protection  ----->
                   [ * ] Deny writing to /dev/kmem, /dev/mem, and /dev/port
                   [   ] Disable privileged I/O
                   [ * ] Remove addresses from /proc/<pid>/[smaps|maps|stat]
                   [   ] Deter exploit bruteforcing
                   [   ] Hide kernel symbols
      c. Go in Role Based Access Control Options  ----->
                   [ * ] Hide kernel processes
         (3)  Maximum tries before password lockout
         (30) Time to wait after max password tries, in seconds
      d. Go in Filesystem Protections  ----->
                   [ * ] Proc restrictions                                     
                   [   ]   Restrict /proc to user only
                   [ * ]  Allow special group                                 
                         (1001) GID for special group                             
                   [ * ] Additional restrictions                                 
                   [ * ] Linking restrictions                                     
                   [ * ] FIFO restrictions                               
                   [ * ] Chroot jail restrictions               
                   [ * ]   Deny mounts
                   [ * ]   Deny double-chroots
                   [ * ]   Deny pivot_root in chroot
                   [ * ]   Enforce chdir("/") on all chroots
                   [ * ]   Deny (f)chmod +s
                   [ * ]   Deny fchdir out of chroot
                   [ * ]   Deny mknod
                   [ * ]   Deny shmat() out of chroot
                   [ * ]   Deny access to abstract AF_UNIX sockets out of chroot
                   [ * ]   Protect outside processes
                   [ * ]   Restrict priority changes
                   [ * ]   Deny sysctl writes
                   [ * ]   Capability restrictions
      e. Go in Kernel Auditing  ----->
                   [   ] Single group for auditing
                   [   ] Exec logging
                   [ * ] Resource logging
                   [   ] Log execs within chroot
                   [   ] Chdir logging
                   [ * ] (Un)Mount logging
                   [   ] IPC logging
                   [ * ] Signal logging
                   [ * ] Fork failure logging
                   [ * ] Time change logging
                   [   ] /proc/<pid>/ipaddr support
                   [   ] ELF text relocations logging (READ HELP)
      f. Go in Executable Protections  ----->
                   [ * ] Enforce RLIMIT_NPROC on execs
                   [   ] Destroy unused shared memory
                   [ * ] Dmesg(8) restriction
                   [ * ] Randomized PIDs
                   [   ] Trusted Path Execution (TPE)
      g. Go in Network Protections  ----->
                   [ * ] Larger entropy pools
                   [ * ]  Randomized TCP source ports
                   [   ]  Socket restrictions
      h. Sysctl support  ----->
      i. Go in Logging Options  ----->
                   (10) Seconds in between log messages (minimum)
                   (4) Number of messages in a burst (maximum)



Those are all the selections for Grsecurity & PaX that I have made in my kernel.

9.5.4 Compiling the Kernel

To compile your kernel and install the kernel and selected modules, issue the following command. I find that this one works a bit better than some of the other one-liner kernel compilation commands. If you should run into a problem where kernel compilation fails, it's easy to determine where the problem was. In addition, this command will also install the kernel for you:

Code:
# make && make modules && make modules_install && make install


10. Configuring the System

10.1 Configure Network Adapters

Configure your network adapters as recommended in the Gentoo Installation Handbook. In our case, we'll use DHCP:

Code:
# nano -w /etc/conf.d/net
iface_eth0="dhcp"
dhcpcd_eth0="-t 10"


10.2 Set Hostnames and Domainnames

The following hostname and domainname locations referenced in the Gentoo Installation Handbook and some of the other HowTos appear to have been deprecated. The first example in each of the following two sections uses the old configuration method, which has been deprecated, but this is not yet reflected in many of the installation guides. The second option in each of the following two examples is more current:

10.2.1 Set Your Hostname

The following examples provide instructions for setting the hostname on your Gentoo box. We'll use "gentooville" as the hostname in this example.

Code:
# nano -w /etc/conf.d/hostname
HOSTNAME="gentooville"


10.2.2 Set Your Domainname

Code:
# nano -w /etc/conf.d/domainname
OVERRIDE=1
DNSDOMAIN="mydomain.com"
NISDOMAIN="nis.mydomain.com"



10.2.3 Update /etc/hosts

If nameservers on your network handle all name resolution, then you can skip this step.

If your PC is a standalone system, or if your PC has a static IP address and you don't have DNS entries for your machine in a nameserver somewhere on your network, then you should specify the following information in the /etc/hosts file.


Code:
# nano -w /etc/hosts
127.0.0.1        localhost.localdomain       localhost
192.168.0.5      gentooville.mydomain.com     gentooville


10.2.4 Add domainname to the Default Runlevel

Code:
# rc-update add domainname default


10.4 Grub Bootloader

10.4.1 Grub.conf

To boot our installation of Gentoo Linux we'll need to configure a boot menu for the Grub Bootloader. Use your favorite text editor to create the /boot/grub/grub.conf file. In this case we'll use nano:

If you can't remember what kernel image you have, this is what I do a lot, since I tend to forget when I get to grub.conf.

Code:
# ls /boot


And I look for this: vmlinuz-2.6.14-hardened-r1 or similar. This is what you would add to your grub.conf.

Code:
System.map                     boot    config-2.6.14-hardened-r1  lost+found  vmlinuz-2.6.14-hardened-r1
System.map-2.6.14-hardened-r1  config  grub                       vmlinuz


Code:
# cd /boot/grub
# nano -w grub.conf


Code:
# Which listing to boot as default. 0 is the first, 1 the second etc.
default 0
# How many seconds to wait before the default listing is booted.
timeout 30
# Nice, fat splash-image to spice things up :)
# Comment out if you don't have a graphics card installed

splashimage=(hd0,0)/boot/grub/splash.xpm.gz

title=Gentoo Linux 2.6.14-hardened-r1
# Partition where the kernel image (or operating system) is located
root (hd0,0)
kernel /boot/vmlinuz-2.6.14-hardened-r1 root=/dev/hda3

# The next four lines are only if you dualboot with a Windows system.
# In this case, Windows is hosted on /dev/hda6.
title=Windows XP
rootnoverify (hd0,5)
makeactive
chainloader +1


10.4.2 Installing Grub onto the Hard Disk

Start Grub from the command prompt and use the following commands to embed grub into the hard disk. Remember, when counting hard disks we like to start at 1, but Grub likes to start at 0, so /dev/hda1 corresponds to hard disk 0, partition 0 in Grub.


Code:
# grub
grub> root (hd0,0)
grub> setup (hd0)
grub> quit


10.5 Filesystem - Configuring fstab


This is a sample /etc/fstab file that reflects the disk partition scheme used earlier in this Installation Guide. Make changes as appropriate if your partition scheme is different.

Code:
# nano -w /etc/fstab


Code:
# <fs>               <mountpoint>  <type>       <opts>               <dump/pass>
# /boot was formatted as ext3 in step 4.6.1 (mke2fs -j), so its type is ext3
/dev/hda1            /boot         ext3         noauto               1 2
/dev/hda3            /             reiserfs     notail               0 1
/dev/hda2            none          swap         sw                   0 0
/dev/cdroms/cdrom0   /mnt/cdrom    iso9660      user,noauto,ro,exec  0 0
/dev/fd0             /mnt/floppy   auto         noauto,users         0 0

# NOTE: The next line is critical for boot!
none                 /proc         proc         defaults             0 0

# glibc 2.2 and above expects tmpfs to be mounted at /dev/shm for
# POSIX shared memory (shm_open, shm_unlink).
# (tmpfs is a dynamically expandable/shrinkable ramdisk, and will

# use almost no memory if not populated with files)
# Adding the following line to /etc/fstab should take care of this:

none                 /dev/shm      tmpfs        nodev,nosuid         0 0


10.6 Setting HD Parameters

Back in Section 4 we developed optimized operating parameters for our hard disk. Now that we're in the chrooted environment of our newly designed Gentoo system, we need to make these configuration changes permanent. To do this, we'll write the HD parameters to the /etc/conf.d/hdparm file:

Code:
# nano -w /etc/conf.d/hdparm

disc0_args="-a256A1c1d1m16u1"
cdrom0_args="-d1c1u1"


After editing the contents of /etc/conf.d/hdparm type the following command to add hdparm to the boot runlevel.

Code:
# rc-update add hdparm boot


10.7 Set-Up User Accounts


We must change the password of the root user in our newly installed system. Then we will add non-root users to the system.

First, change the root password:

Code:
# passwd root
New password: (Enter your new password)
Re-enter password: (Re-enter your password)


Now add users who will be allowed to "su" their way to temporary root status. These users must be added to the "wheel" user group:

The groups the user is a member of define what activities the user can perform. The following table lists a number of important groups you might wish to use:

Code:

Group Description
audio = be able to access the audio devices
cdrom = be able to directly access optical devices
floppy = be able to directly access floppy devices
games = be able to play games
portage = be able to use emerge --pretend as a normal user
usb = be able to access USB devices
video = be able to access video capturing hardware and doing hardware acceleration
wheel = be able to use su


For instance, to create a user called gentooian who is a member of the wheel, users and audio groups, log in as root first (only root can create users) and run useradd:

Code:
# useradd -m -G users,wheel,audio,cdrom,floppy,games,portage,usb,video -s /bin/bash gentooian
# passwd gentooian
Password: (Enter the password for john)
Re-enter password: (Re-enter the password to verify)


Code:
# ufed


A nice GUI pops up and you're off and running. You will notice that with the HARDENED profile there are some selections made for you. DO NOT REMOVE these. As far as anything else, you can enter the flags you normally would. There are a few that seem to be needed for xorg, or your fonts will look a little funny and it might take you an hour or two rebuilding xorg if not used, and those are:

This is where we need to define the default Gentoo USE flags. This needs to be done because in the Hardened Stage these are not activated by default.

Code:
"alsa apm arts avi bitmap-fonts cups eds emboss encode fortran foomaticdb gdbm gif gnome gpm gstreamer gtk gtk2 imlib jpeg kde libg++ libwww mad mikmod motif mp3 mpeg ogg oggvorbis opengl oss pdflib png qt quicktime sdl spell truetype truetype-fonts type1-fonts vorbis X xml2 xmms xv"


Then after all that is said and done....I move on to finishing my install with

Code:
# emerge kdebase mozilla-firefox gyach


After those emerge, you can set up xorg

Code:
# xorgconfig


Of course some might prefer to boot into their installation before emerging fun stuff like that: Either way after the emerge you would.

10.10 Exiting Chroot and Unmounting Partitions

We will now exit the chrooted environment and unmount all of the mounted partitions.

Code:

# exit
# cd ~/
# umount /mnt/gentoo/proc /mnt/gentoo/boot /mnt/gentoo

# swapoff /dev/hda2



11. REBOOT!

And now, the moment you've been waiting for!

Code:
# shutdown -r now


Bob .P and his Jackass team are the brains behind this guide, they devised all ideas. I'm sorry I copy and pasted the contents of your Bob P Jackass Grsecurity & Pax guide, O so sorry for not giving your props. May the world donate as much money as they can to support Bob P and this installation method that he pawned from others. Give his props for being the first to copyright first or this guide might be written by the actual original author, the one that gets no credit on his guides. So here's your props Bob, I said I wouldn't but then I did. Don't worry Bob, either way we'll still be forgotten in the circle of life. It's like the Doors said "No one will remember your name". But great job Bob, I don't think the world could possibly revolve without you writing your glorious GUIDES

Congratulations! You have completed the installation. We are in the process of creating other guides that will go along with this setup that will increase the security level of this install. Links to these guides will be added as they are completed...
JADED Guides
Jaded Guide Ver 1.0

For further information on Hardened, Grsecurity or PaX, here are a few links that you might find greatly helpful.

https://forums.gentoo.org/viewtopic-t-345229.html
http://www.gentoo.org/doc/en/handbook/index.xml
http://www.gentoo.org/proj/en/hardened/
http://www.grsecurity.net/
_________________
Jaded Team Leader
Dbasetrinity
Mem Id #1002
Jaded Guide V2.0


Last edited by dbasetrinity on Wed Feb 15, 2006 11:01 am; edited 9 times in total
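
The fstab in section 10.5 uses option lists whose effect depends on order (`user,noauto,ro,exec` for the CD-ROM, `noauto,users` for the floppy, `nodev,nosuid` for /dev/shm). The following is an added example, not part of dbasetrinity's guide: a shell/awk function that resolves the nodev/nosuid/noexec state each entry ends up with. The function names, the `REVIEW` policy and the sample file (constructed from the guide's entries) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the guide). Resolves the nodev/nosuid/noexec state
# each /etc/fstab entry ends up with, following mount(8): options are applied
# left to right, and "user"/"users" imply nodev,nosuid,noexec unless a later
# option overrides them.

# audit_fstab FILE
# Prints: <mountpoint> <type> <dev|nodev> <suid|nosuid> <exec|noexec> [note]
audit_fstab() {
    awk '
    /^[ \t]*#/ || NF < 4 { next }   # comments, blank and incomplete lines
    $3 == "swap"         { next }   # swap is never mounted on a directory
    {
        fdev = "dev"; fsuid = "suid"; fexec = "exec"; usermount = 0
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            o = opt[i]
            if (o == "user" || o == "users") {
                usermount = 1
                fdev = "nodev"; fsuid = "nosuid"; fexec = "noexec"
            } else if (o == "dev" || o == "nodev") {
                fdev = o
            } else if (o == "suid" || o == "nosuid") {
                fsuid = o
            } else if (o == "exec" || o == "noexec") {
                fexec = o
            }
        }
        # Review policy (an assumption of this example, not the guide):
        # flag user-mountable media that stay executable, and tmpfs
        # mounts that stay executable.
        note = ""
        if (usermount && fexec == "exec") {
            note = " REVIEW:user-mountable+exec"
        } else if ($3 == "tmpfs" && fexec == "exec") {
            note = " REVIEW:tmpfs+exec"
        }
        printf "%s %s %s %s %s%s\n", $2, $3, fdev, fsuid, fexec, note
    }' "$1"
}

# write_sample_fstab FILE
# Constructed sample: the entries shown in section 10.5 of the guide.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# <fs>               <mountpoint>  <type>       <opts>               <dump/pass>
/dev/hda1            /boot         reiserfs     noauto,notail        1 2
/dev/hda3            /             reiserfs     notail               0 1
/dev/hda2            none          swap         sw                   0 0
/dev/cdroms/cdrom0   /mnt/cdrom    iso9660      user,noauto,ro,exec  0 0
/dev/fd0             /mnt/floppy   auto         noauto,users         0 0
none                 /proc         proc         defaults             0 0
none                 /dev/shm      tmpfs        nodev,nosuid         0 0
EOF
}

# Demonstration on the constructed sample.
demo_file=$(mktemp)
write_sample_fstab "$demo_file"
audit_fstab "$demo_file"
rm -f "$demo_file"
```

To check a real system, run `audit_fstab /etc/fstab`; the `exec` after `user` on the CD-ROM line is what turns execution back on for that mount, while the floppy line keeps the implied `noexec`.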
Dr.Dran
l33t

Joined: 08 Oct 2004
Posts: 766
Location: Imola - Italy

Posted: Sat Dec 31, 2005 10:42 am

Excuse me, but this is a buggy setting:

Code:
USE="nptl nptlonly"


Because the flag nptlonly includes the flag nptl and compiles glibc with the native POSIX threading library only :wink:

Byez :D
_________________
:: [Dr.Dran] Details ::
- Linux User # 286282
- IT FreeLance Consultant
- President of ImoLUG [Imola & Faenza Linux User Group]
gentoology
n00b

Joined: 21 Dec 2005
Posts: 5

Posted: Sat Dec 31, 2005 7:17 pm

This is not a bug, we wanted it this way because we want our entire system compiled for nptl only and not both nptl and linux threads. we understand that there might be some applications which don't work but we feel they are by far the minority and haven't run into any serious programs that caused problems. The tradeoff for compiling glibc once for nptl on nptlonly is worth it for us instead of having to compile it twice for linux threads and nptl. If you know any *major* conflicts with this then please post them, thank you for responding by the way.
scrooge
n00b

Joined: 11 Jun 2004
Posts: 18

Posted: Sat Dec 31, 2005 8:29 pm

I just finished installing and it worked without a problem. 8)

I'm not sure if it really matters, but I had to set the ccache size by using the command "ccache -M 512M" after emerging it. It was set to 512M in make.conf but "ccache -l" showed it as 900+ megs.

Anyways, great guide. :)
Dr.Dran
l33t

Joined: 08 Oct 2004
Posts: 766
Location: Imola - Italy

Posted: Sat Dec 31, 2005 9:50 pm

Ok, my post is only a suggestion, but I suggest reading this thread, it is interesting:
https://forums.gentoo.org/viewtopic-t-318191-postdays-0-postorder-asc-start-25.html

Bye and good year!!! :D
_________________
:: [Dr.Dran] Details ::
- Linux User # 286282
- IT FreeLance Consultant
- President of ImoLUG [Imola & Faenza Linux User Group]
dbasetrinity
Apprentice

Joined: 25 Jun 2005
Posts: 167

Posted: Sun Jan 01, 2006 5:09 am    Post subject: Bob P Must be the smartest Man Alive

DranXXX wrote:
Ok, my post is only a suggestion, but I suggest reading this thread, it is interesting:
https://forums.gentoo.org/viewtopic-t-318191-postdays-0-postorder-asc-start-25.html

Bye and good year!!! :D



Thanks for the info as usual DranXXX, I think what I am going to do is make nptlonly "optional" in the guide. However, in your posts you mention that Sun JDK is one of the packages that won't compile with nptlonly. So I tested that theory and here is what I found.
sun jdk 1.5.0.6 worked fine.
sun jre 1.5.0.6 also worked fine.

So I'm not sure it was to do with nptlonly, it could have been something maybe with your CFLAGS or LDflags...

also if you are going with GCC4.1 and using glibc2.3.6 you might want to add -friendly -injection to your CXXFlags.

Also going back to emerge -e twice as it seems build a more stable system.

Happy New Year to you as well
_________________
Jaded Team Leader
Dbasetrinity
Mem Id #1002
Jaded Guide V2.0


Last edited by dbasetrinity on Wed Feb 15, 2006 10:51 am; edited 1 time in total
Sheepdogj15
Guru

Joined: 07 Jan 2005
Posts: 430
Location: Backyard

Posted: Sun Jan 01, 2006 10:55 am

oooh.

i just recently setup a gentoo router box using hardened/pax/grsec/etc. i may have some substantial input in the near future, but for the moment just a couple of comments.

1. Why GCC 3.4.5? usually something is hard masked for a good reason.

2:

dbasetrinity wrote:
Also going back to emerge -e twice as it seems build a more stable system.


actually, i recommend the emwrap script for this purpose. it'll rebuild your toolchain for you in the proper order, so you don't spend a huge amount of time remerging your whole world. (you should still emerge -e world once at least, but you still get time savings not to mention good stability and simplicity.)
_________________
Sheepdog
Why Risk It? | Samba Howto
dbasetrinity
Apprentice

Joined: 25 Jun 2005
Posts: 167

Posted: Sun Jan 01, 2006 10:56 pm    Post subject: Bob P Created Linux

Sheepdogj15 wrote:
oooh.

i just recently setup a gentoo router box using hardened/pax/grsec/etc. i may have some substantial input in the near future, but for the moment just a couple of comments.

1. Why GCC 3.4.5? usually something is hard masked for a good reason.

2:

dbasetrinity wrote:
Also going back to emerge -e twice as it seems build a more stable system.


actually, i recommend the emwrap script for this purpose. it'll rebuild your toolchain for you in the proper order, so you don't spend a huge amount of time remerging your whole world. (you should still emerge -e world once at least, but you still get time savings not to mention good stability and simplicity.)


Why GCC3.4.5? Well, mostly because for being hard masked it seems to be as stable as GCC3.4.4. I've had no issues whatsoever with this compiler. Now if we were talking about GCC4.0.2 or GCC4.1.0_beta then there would be a MASSIVE warning on top saying good luck you brave souls. lol But in my opinion GCC3.4.5 is a pretty safe option to take.

And we will be looking forward to getting input you can offer up on the ART of Hardened GRsecurity & PaX..... :D

Also that is a very nice script. We are currently working on a script for this install that should cut down the amount of steps that need to be keyed in.
_________________
Jaded Team Leader
Dbasetrinity
Mem Id #1002
Jaded Guide V2.0


Last edited by dbasetrinity on Wed Feb 15, 2006 10:50 am; edited 1 time in total
Dr.Dran
l33t

Joined: 08 Oct 2004
Posts: 766
Location: Imola - Italy

Posted: Mon Jan 02, 2006 8:46 am

Ehm... the gcc 3.4.5 is built for the G4/G5 processors, there is no difference for the x86/ia64 and amd64 processors with the 3.4.4-r1 :wink:

Best regards :D
_________________
:: [Dr.Dran] Details ::
- Linux User # 286282
- IT FreeLance Consultant
- President of ImoLUG [Imola & Faenza Linux User Group]
dbasetrinity
Apprentice

Joined: 25 Jun 2005
Posts: 167

Posted: Mon Jan 02, 2006 11:57 am    Post subject: Bob P knows all

DranXXX wrote:
Ehm... the gcc 3.4.5 is built for the G4/G5 processors, there is no difference for the x86/ia64 and amd64 processors with the 3.4.4-r1 :wink:

Best regards :D



DranXXX, could you share where you found this information? I've been searching but I'm not finding this information.

http://gcc.gnu.org/gcc-3.4/changes.html#3.4.5

As I look at this log and all its bug fixes, if you read into them there are a lot of bug fixes in this version that have been issues as long as GCC 3.4.0. So as far as your statement, that would be incorrect, I do believe. As far as this update being minor, that would possibly be considered true, since there isn't much of a difference that I was able to find other than the bug fixes, so sure. But nevertheless I still believe GCC3.4.5 is surely a solid choice for something that is hard masked, of course. Hence the reason I stated EXPERIMENTAL in the intro...

http://blog.gmane.org/gmane.comp.gcc.announce

Gabriel Dos Reis | 7 Dec 21:25
GCC 3.4.5 has been released
From: Gabriel Dos Reis <gdr <at> integrable-solutions.net>
Subject: GCC 3.4.5 has been released
Newsgroups: gmane.comp.gcc.announce
Date: 2005-12-07 20:25:09 GMT

I'm pleased to announce that GCC 3.4.5 has been released.

This version is a minor release, from the 3.4.x series, fixing
regressions with respect to previous versions of GCC. It can be
downloaded from the FTP servers listed here

http://www.gnu.org/order/ftp.html

A list of known fixed bugs is available from here

http://gcc.gnu.org/gcc-3.4/changes.html

http://tacojuice.org/plnews/Languages/MultipleLanguages/

GCC 3.4.5 Released
Thursday (Dec 08, 2005) 09:50 | /Languages/MultipleLanguages

The GNU Compiler Collection 3.4.5 has been released. It is a portable compiler suite, including support for C, C++, Objective-C, Fortran, Java, and Ada.

This release fixes various internal compiler errors, wrong-code bugs, and other problems.

Well, if you could post your source that would be great, seeing as I can't seem to find it...

Thanks for posting...... :D Also if i am incorrect on this post in anyway please feel free to correct me as i am always a student.
_________________
Jaded Team Leader
Dbasetrinity
Mem Id #1002
Jaded Guide V2.0


Last edited by dbasetrinity on Wed Feb 15, 2006 10:49 am; edited 1 time in total
Dr.Dran
l33t

Joined: 08 Oct 2004
Posts: 766
Location: Imola - Italy

Posted: Mon Jan 02, 2006 4:32 pm

Yeah cool! My source on the net is the same as you found, but in particular if you see the changes you can see that all the major bugs aren't very significant for a hardened installation, but I talked with my friend who studies Information Technology at the university and he's an expert in computer architecture who assures me that the real gap was between the 3.4 and the 4.x versions of gcc; but 3.4.5 is a version that in particular resolves some bad bugs in the G4/G5 C/C++ source.

That's all.

For me, I suggest in particular using the stable version of GCC because it is hard tested and safe with all packages in Gentoo.
But by the way I think that making experiments and hard tuning on some profile is positive and improves knowledge. I suggest looking at the Jackass / RockHopper project that rulez for extreme experiments :D
_________________
:: [Dr.Dran] Details ::
- Linux User # 286282
- IT FreeLance Consultant
- President of ImoLUG [Imola & Faenza Linux User Group]
dbasetrinity
Apprentice

Joined: 25 Jun 2005
Posts: 167

Posted: Mon Jan 02, 2006 5:46 pm    Post subject: Bob P Must be a god please Donate to him

Yeah, I like the stage 1/3, which this is for the most part based off, at least the toolchain part of it. I especially like the Jackass CD that's coming out built upon GCC3.4.5 lol.. RockHopper project: very extreme and well thought out.

As far as GCC4.1.0_beta, I'm going to wait another month, then see if it's improved any more, then I'll give it any more time.
_________________
Jaded Team Leader
Dbasetrinity
Mem Id #1002
Jaded Guide V2.0


Last edited by dbasetrinity on Wed Feb 15, 2006 10:49 am; edited 1 time in total
Dr.Dran
l33t

Joined: 08 Oct 2004
Posts: 766
Location: Imola - Italy

Posted: Mon Jan 02, 2006 6:43 pm

Cool! If you intend to utilize gcc 4.x on the hardened profile I would like to be informed, because I'm interested too. :D

By the way, have a cool hack day :D
_________________
:: [Dr.Dran] Details ::
- Linux User # 286282
- IT FreeLance Consultant
- President of ImoLUG [Imola & Faenza Linux User Group]
Sheepdogj15
Guru

Joined: 07 Jan 2005
Posts: 430
Location: Backyard

Posted: Tue Jan 03, 2006 2:18 am

ahhh, comprende
_________________
Sheepdog
Why Risk It? | Samba Howto
webmaxx
n00b

Joined: 30 Apr 2005
Posts: 33
Location: Germany

Posted: Wed Jan 04, 2006 12:46 pm    Post subject: Re: Jaded stage3 hardened Guide With Grsecurity & PaX ve

dbasetrinity wrote:


Upon completion of the rebuild of the compiling toolkit, we will recompile the entire system to assure that our entire toolkit has been compiled using GCC 3.4.5 and our hardware-specific settings.

The result will be a 3.4.5 toolkit and an entire system that is built with a 3.4.5 toolkit..

Code:
# emerge -e system && emerge -e system




Are you sure emerging -e system _twice_ is right?
dbasetrinity
Apprentice

Joined: 25 Jun 2005
Posts: 167

Posted: Thu Jan 05, 2006 1:44 am    Post subject: Bob P's Grsecurity & Pax Guide

Yep, I am sure and I wouldn't advise anything but that. It makes for a far more stable system.

I would say in running just emerge -e system once you're going to find a lot more issues with broken packages.

Therefore that's why I went back to twice after some testing. I found that the little extra wait is worth it in the long run.
_________________
Jaded Team Leader
Dbasetrinity
Mem Id #1002
Jaded Guide V2.0


Last edited by dbasetrinity on Wed Feb 15, 2006 10:48 am; edited 1 time in total
webmaxx
n00b

Joined: 30 Apr 2005
Posts: 33
Location: Germany

Posted: Thu Jan 05, 2006 8:44 am

Ok, thanks for your investigation :) Will try it, once my hardware is repaired ... :cry:
webmaxx
n00b

Joined: 30 Apr 2005
Posts: 33
Location: Germany

Posted: Sat Jan 07, 2006 3:36 pm

Got all installed. My new Gentoo server is up'n running now :D

One thing to notice:

I could only get grub installed by inserting

Code:
sys-boot/grub -netboot
in /etc/portage/package.use

Otherwise it failed to compile. There are already some topics about that issue around here.
gentoology
n00b

Joined: 21 Dec 2005
Posts: 5

Posted: Sun Jan 08, 2006 2:56 am

Yes that does seem to be a case, but this installation by default does not include netboot as a USE flag which is probably why we haven't run into this problem when we have done testing. This doesn't seem to be a hardened related issue but this still will help a lot of people out in the future. Thank you for providing your input.

This also seems to be similar to this bug filed already.
Odoital
n00b

Joined: 27 Jan 2006
Posts: 2

Posted: Fri Jan 27, 2006 10:58 pm

Don't forget to re-emerge anything that has multiple versions.

For example, python-2.4 is default, but apps like zope depend on python-2.3 and cause a "i386-pclinux-gnu-gcc" error if not properly re-emerged to support "i686-pclinux-gnu-gcc" in this guide's case.
dbasetrinity
Apprentice

Joined: 25 Jun 2005
Posts: 167

Posted: Sun Jan 29, 2006 12:34 am    Post subject: Bob .P is the only who could have did this

Odoital wrote:
Don't forget to re-emerge anything that has multiple versions.

For example, python-2.4 is default, but apps like zope depend on python-2.3 and cause a "i386-pclinux-gnu-gcc" error if not properly re-emerged to support "i686-pclinux-gnu-gcc" in this guide's case.



What does that have to do with this guide?
_________________
Jaded Team Leader
Dbasetrinity
Mem Id #1002
Jaded Guide V2.0


Last edited by dbasetrinity on Wed Feb 15, 2006 10:47 am; edited 1 time in total
Odoital
n00b

Joined: 27 Jan 2006
Posts: 2

Posted: Fri Feb 10, 2006 4:33 am

dbasetrinity wrote:
Odoital wrote:
Don't forget to re-emerge anything that has multiple versions.

For example, python-2.4 is default, but apps like zope depend on python-2.3 and cause a "i386-pclinux-gnu-gcc" error if not properly re-emerged to support "i686-pclinux-gnu-gcc" in this guide's case.



What does that have to do with this guide?


Because your guide assumes the latest portage tree, which defaults to python-2.4.
dbasetrinity
Apprentice

Joined: 25 Jun 2005
Posts: 167

Posted: Fri Feb 10, 2006 9:24 pm    Post subject: Bob .P's Guide to Linux Commands

Odoital wrote:
dbasetrinity wrote:
Odoital wrote:
Don't forget to re-emerge anything that has multiple versions.

For example, python-2.4 is default, but apps like zope depend on python-2.3 and cause a "i386-pclinux-gnu-gcc" error if not properly re-emerged to support "i686-pclinux-gnu-gcc" in this guide's case.



What does that have to do with this guide?


Because your guide assumes the latest portage tree, which defaults to python-2.4.


My guide assumes that you're using whatever portage is stable, since if you look over the guide it is based on an x86 install.

Second, this would be an issue with an application you so choose to use, and is not listed in the contents of this guide.

Third, you reference that this is to avoid an i386-pclinux-gnu-gcc error. Explain to me why you would receive this error if following my guide, since it's based on an i686 install.

Any installation you so choose to take, you are still going to have the same issue as what you stated, all because you choose zope, which seems to need the older version of python.

I just think a more proper location for your post would be maybe under unsupported applications, maybe, I don't know, however I do not believe it's relevant here.

****THIS IS NOT THE ZOPE GUIDE****
_________________
Jaded Team Leader
Dbasetrinity
Mem Id #1002
Jaded Guide V2.0


Last edited by dbasetrinity on Wed Feb 15, 2006 10:47 am; edited 1 time in total
Bob P
Advocate

Joined: 20 Oct 2004
Posts: 3355
Location: Jackass! Development Labs

Posted: Tue Feb 14, 2006 1:24 pm

nice Guide. insofar as many of the text paragraphs and code sections are copied verbatim without any changes from a copyrighted work (you've even copied the format of the Guide), i would like to request that you consider honoring the terms of the Creative Commons Attribution-ShareAlike License version 2.0 and give appropriate attribution to the author.
_________________
.
Stage 1/3 | Jackass! | Rockhopper! | Thanks | Google Sucks
dbasetrinity
Apprentice

Joined: 25 Jun 2005
Posts: 167

Posted: Wed Feb 15, 2006 10:26 am    Post subject: This is Bob .P Guide hes the brains behind gentoo

Glad you like it Bob

Tell you what, if you want to copyright this guide you go right ahead because I haven't. What are you trying to claim as yours, a few commands, a few words in a guide that are similar to your own?

Personally I don't think you can take credit for the 1/3 guide yourself since you used someone else's install method and called it your own. But oh well

Are you sure you're pro open source Bob? It just seems as though it's all about the money with you, that's all I really hear is you complaining about what you didn't receive. How google has screwed you over and no one donates to your jackass or hopper projects. I wrote this guide to give others a good process of installing with a Hardened system and grsecurity and PaX. That's all, nothing more nothing less. What others do with it is of little concern to me.

But if you want your props, look on the first guide, it does mention your guide. But if you want to look through all the so said code snippets in this guide they really refer to your guide since all the code snippets say athon-xp rather than i686 or whatever yours did.

I know this probably seems as though I'm angry about your reply. But honestly I've expected it to come for some time. Anyways I'm not going to add your name to this guide. However if you want to say this guide is yours go right ahead. It's a free country.

Bob, is the word "emerge" copyrighted? I would like to use it in another guide here soon. Ok let me know...Bye Bye for now Bobby
_________________
Jaded Team Leader
Dbasetrinity
Mem Id #1002
Jaded Guide V2.0
All times are GMT
Page 1 of 2