On Thu, Apr 19, 2012 at 2:47 PM, Anthony G. Basile <bluen...@gentoo.org> wrote:
> On 04/19/2012 08:26 AM, Mitch Harder wrote:
>>
>> On Thu, Apr 19, 2012 at 6:38 AM, Fabio Erculiani<lx...@sabayon.org>
>> wrote:
>>>
>>> Hardened GCC (4.6 for now, 4.5 and 4.4 are coming) and Glibc are now
>>> in sabayon-limbo.
>>>
>>> # readelf -h /usr/lib/libutil.so | grep Type
>>> Type: DYN (Shared object file)
>>>
>>> Now the question is: what pkgs should be compiled with hardened flags?
>>>
>
> I'm confused by your readelf. All shared objects, hardened or not, are
> marked ET_DYN in their elf header. Look at
>
> http://www.trapkit.de/tools/checksec.html
>
> for how to check what's hardened and what's not.

Yes, you're right. Forgive me. I guess Mitch was talking about ELF
executables and not shared libraries.

>
>
> In order of priority:
>
> 1) Harden the core libraries. The ones that are provided by base.
>
> 2) Harden the important binaries, again the ones provided by base.
>
> 3) Harden the setuids, which are probably all part of 2.
>
> If you do 3 without doing 1, you will have issues.
>
>
> --
> Anthony G. Basile, Ph.D.
> Gentoo Linux Developer [Hardened]
> E-Mail : bluen...@gentoo.org
> GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
> GnuPG ID : D0455535
>
>

--
Fabio Erculiani
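
Added example (not part of the thread, and not code from checksec.sh): a shell function that applies the point made above, that the ELF header type alone does not show hardening, by reading `readelf -W -h -l -d -s` output and reporting PIE, RELRO, non-executable stack and stack-protector status. The function name, the DT_DEBUG heuristic for telling a PIE executable from a shared library, and the sample excerpts are assumptions constructed for illustration.

```shell
# Added example: classify ELF hardening from readelf text on stdin.
# Real use (needs binutils): readelf -W -h -l -d -s FILE | elf_hardening
elf_hardening() {
    out=$(cat)
    has() { printf '%s\n' "$out" | grep -Eq -- "$1"; }

    # ET_DYN covers both shared libraries and PIE executables, so the
    # header type alone proves nothing. Heuristic (assumption): the linker
    # emits a DT_DEBUG dynamic entry for executables, not for libraries.
    if has 'Type:[[:space:]]+EXEC'; then pie=no
    elif has 'Type:[[:space:]]+DYN'; then
        if has '\(DEBUG\)'; then pie=yes; else pie=dso; fi
    else pie=unknown; fi

    # RELRO: a PT_GNU_RELRO segment; "full" only with immediate binding.
    if has '^[[:space:]]*GNU_RELRO'; then
        if has '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'
        then relro=full; else relro=partial; fi
    else relro=none; fi

    # NX: PT_GNU_STACK without the E flag; absent means arch default.
    if has '^[[:space:]]*GNU_STACK.*[[:space:]]RWE[[:space:]]'; then nx=no
    elif has '^[[:space:]]*GNU_STACK'; then nx=yes
    else nx=unknown; fi

    # Stack protector: protected code references __stack_chk_fail.
    if has '__stack_chk_fail'; then canary=yes; else canary=no; fi

    echo "pie=$pie relro=$relro nx=$nx canary=$canary"
}

# Constructed, abbreviated readelf excerpts (not captured from a real system).
sample_lib='  Type:   DYN (Shared object file)
  GNU_STACK  0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x10
  GNU_RELRO  0x001d90 0x00201d90 0x00201d90 0x00270 0x00270 R   0x1
 0x0000000e (SONAME)   Library soname: [libexample.so.1]'
sample_pie='  Type:   DYN (Shared object file)
  GNU_STACK  0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x10
  GNU_RELRO  0x002da8 0x00003da8 0x00003da8 0x00258 0x00258 R   0x1
 0x00000015 (DEBUG)    0x0
 0x00000018 (BIND_NOW)
    12: 00000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail'

printf '%s\n' "$sample_lib" | elf_hardening
printf '%s\n' "$sample_pie" | elf_hardening
```

Both samples carry the same `Type: DYN` line, yet only the second is reported as a PIE executable with full RELRO and a stack protector.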