Hardened sources - does it make sense without PaX
Message
- Uzytkownik
- Guru
- Posts: 399
- Joined: Sun Oct 31, 2004 8:08 pm
- Location: Bay Area, US
- Contact:
Hardened sources - does it make sense without PaX
I tried to run hardened Gentoo but I discovered that PaX is breaking too much. Are there any benefits to hardened sources w/out PaX?
I've probably left my head... somwhere. Please wait untill I find it.
- eccerr0r
- Watchman
- Posts: 10239
- Joined: Thu Jul 01, 2004 6:51 pm
- Location: almost Mile High in the USA
- Contact:
Security is always a tradeoff for convenience.
If you're willing to sacrifice security (PaX) to get convenience (less breakage) then sure...
To quantify the security loss, it all depends on the person hacking your machine...
If you're willing to sacrifice security (PaX) to get convenience (less breakage) then sure...
To quantify the security loss, it all depends on the person hacking your machine...
Intel Core i7 2700K/Radeon Firepro W2100/24GB DDR3/800GB SSD
What am I supposed watching?
What am I supposed watching?
- Uzytkownik
- Guru
- Posts: 399
- Joined: Sun Oct 31, 2004 8:08 pm
- Location: Bay Area, US
- Contact:
Yeah sure. My question was rather if hardened sources - Pax == vanilla sources or there is some hardening even without PaX/Grsecurity enabled.eccerr0r wrote:Security is always a tradeoff for convenience.
If you're willing to sacrifice security (PaX) to get convenience (less breakage) then sure...
To quantify the security loss, it all depends on the person hacking your machine...
I've probably left my head... somwhere. Please wait untill I find it.
- eccerr0r
- Watchman
- Posts: 10239
- Joined: Thu Jul 01, 2004 6:51 pm
- Location: almost Mile High in the USA
- Contact:
A lot of the security things are needed in conjunction with each other - removing one will weaken the remaining...
I view it as all or nothing.
Most of my machines I just run nothing and depend on correctness by design... Yeah...right... Convenience ended up winning out.
I view it as all or nothing.
Most of my machines I just run nothing and depend on correctness by design... Yeah...right... Convenience ended up winning out.
Intel Core i7 2700K/Radeon Firepro W2100/24GB DDR3/800GB SSD
What am I supposed watching?
What am I supposed watching?
- Uzytkownik
- Guru
- Posts: 399
- Joined: Sun Oct 31, 2004 8:08 pm
- Location: Bay Area, US
- Contact:
I think there are at least some shadows of grey between running military grade SELinux installation and ignoring error about self-signed certificate when you enter bank website... Security is obviously not all-or-nothing but need to be balanced against usability.eccerr0r wrote:A lot of the security things are needed in conjunction with each other - removing one will weaken the remaining...
I view it as all or nothing.
I think you are answering not the question I am asking I am afraid. In my threat model I deem hardening as nice to have but not strictly necessary. I would like to just know if hardened sources contain any improvement other then PaX itself.eccerr0r wrote:Most of my machines I just run nothing and depend on correctness by design... Yeah...right... Convenience ended up winning out.
I've probably left my head... somwhere. Please wait untill I find it.
That depends on exactly what you disable at build time and/or runtime, but generally, yes, grsecurity includes a large number of security-related changes, not all of which require PaX enabled in order for them to function. Your other option is to describe some of the breaks that PaX is causing. Despite not being part of the upstream kernel, PaX is fairly widely used, so it is likely that other users have encountered any problems it causes and may be able to help you.