Uzytkownik Guru
Joined: 31 Oct 2004 Posts: 399 Location: Bay Area, US
Posted: Wed Jan 11, 2017 7:25 pm Post subject: Hardened sources - does it make sense without PaX
I tried to run hardened Gentoo but I discovered that PaX is breaking too much. Are there any benefits to hardened sources w/out PaX?
_________________
I've probably left my head... somewhere. Please wait until I find it.
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
Posted: Wed Jan 11, 2017 11:44 pm
Security is always a tradeoff for convenience.
If you're willing to sacrifice security (PaX) to get convenience (less breakage) then sure...
To quantify the security loss, it all depends on the person hacking your machine...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
Uzytkownik Guru
Joined: 31 Oct 2004 Posts: 399 Location: Bay Area, US
Posted: Thu Jan 12, 2017 12:59 am
eccerr0r wrote: | Security is always a tradeoff for convenience.
If you're willing to sacrifice security (PaX) to get convenience (less breakage) then sure...
To quantify the security loss, it all depends on the person hacking your machine... |
Yeah sure. My question was rather whether hardened sources - PaX == vanilla sources, or whether there is some hardening even without PaX/Grsecurity enabled.
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
Posted: Thu Jan 12, 2017 1:11 am
A lot of the security things are needed in conjunction with each other - removing one will weaken the remaining...
I view it as all or nothing.
Most of my machines I just run nothing and depend on correctness by design... Yeah...right... Convenience ended up winning out.
Uzytkownik Guru
Joined: 31 Oct 2004 Posts: 399 Location: Bay Area, US
Posted: Thu Jan 12, 2017 1:19 am
eccerr0r wrote: | A lot of the security things are needed in conjunction with each other - removing one will weaken the remaining...
I view it as all or nothing. |
I think there are at least some shades of grey between running a military grade SELinux installation and ignoring an error about a self-signed certificate when you enter a bank website... Security is obviously not all-or-nothing but needs to be balanced against usability.
eccerr0r wrote: | Most of my machines I just run nothing and depend on correctness by design... Yeah...right... Convenience ended up winning out. |
I think you are not answering the question I am asking, I am afraid. In my threat model I deem hardening as nice to have but not strictly necessary. I would like to just know if hardened sources contain any improvement other than PaX itself.
Hu Moderator
Joined: 06 Mar 2007 Posts: 21624
Posted: Thu Jan 12, 2017 2:30 am
That depends on exactly what you disable at build time and/or runtime, but generally, yes, grsecurity includes a large number of security-related changes, not all of which require PaX enabled in order for them to function. Your other option is to describe some of the breaks that PaX is causing. Despite not being part of the upstream kernel, PaX is fairly widely used, so it is likely that other users have encountered any problems it causes and may be able to help you.