[arch-general] Yet another step toward Arch evil plan

2010-01-13 Thread ianux
Hello archers,

I just want to let you know that the French hosting service OVH now
provides Arch among many other distros.

Reference:
http://www.ovh.com/fr/items/distributions/archlinux.xml?sort=gnu

Here is an (attempt at a) translation:

« Arch Linux distribution, lightweight and fast, whose purpose is to
keep it simple.

No service (except SSH) is provided in order to allow everyone to
customize his server to taste.

Requires confirmed administration skills. »

They provide ArchLinux 2009.08 in both 32 and 64 bit with
their own kernel with grsecurity (2.6.31.5-grs)

It runs on a dedicated server, I don't know if it's planned to be
supported on a virtualized one.

-- 
radio ianux - http://ianux.fr/


Re: [arch-general] Yet another step toward Arch evil plan

2010-01-13 Thread Daenyth Blank
On Wed, Jan 13, 2010 at 07:51, ianux ia...@free.fr wrote:
> They provide ArchLinux 2009.08 in both 32 and 64 bit with
> their own kernel with grsecurity (2.6.31.5-grs)
How well does this integrate? Arch doesn't have any
officially-endorsed grsecurity kernel. Does it require userspace
modifications? Have they submitted their package to Arch so the devs
can look at it and check for flaws?


Re: [arch-general] Yet another step toward Arch evil plan

2010-01-13 Thread James Rayner
On Wed, 13 Jan 2010 08:00 -0500, Daenyth Blank
daenyth+a...@gmail.com wrote:
> On Wed, Jan 13, 2010 at 07:51, ianux ia...@free.fr wrote:
> > They provide ArchLinux 2009.08 in both 32 and 64 bit with
> > their own kernel with grsecurity (2.6.31.5-grs)
> How well does this integrate? Arch doesn't have any
> officially-endorsed grsecurity kernel. Does it require userspace
> modifications? Have they submitted their package to Arch so the devs
> can look at it and check for flaws?

In general, kernels don't need to integrate with anything, and no
changes whatsoever should be necessary in userspace. The exception is
when the kernel is too old to be compatible with our udev version.

I build my own kernels, not via PKGBUILDs/pacman. They work fine and
it's tidy too. Kernels keep to their own directories with the kernel
itself a single file in /boot and modules in /lib/modules. 

James


Re: [arch-general] Yet another step toward Arch evil plan

2010-01-13 Thread Thomas Bächler
On 13.01.2010 14:31, James Rayner wrote:
> They provide ArchLinux 2009.08 in both 32 and 64 bit with
> their own kernel with grsecurity (2.6.31.5-grs)
> How well does this integrate? Arch doesn't have any
> officially-endorsed grsecurity kernel. Does it require userspace
> modifications? Have they submitted their package to Arch so the devs
> can look at it and check for flaws?
>
> In general, kernels don't need to integrate with anything, and no
> changes whatsoever should be necessary in userspace. The exception is
> when the kernel is too old to be compatible with our udev version.
>
> I build my own kernels, not via PKGBUILDs/pacman. They work fine and
> it's tidy too. Kernels keep to their own directories with the kernel
> itself a single file in /boot and modules in /lib/modules.

That isn't entirely the point. IIRC SELinux requires lots of support in
userspace, this might be the same for grsecurity. I don't know for sure
what needs modification though.





Re: [arch-general] Yet another step toward Arch evil plan

2010-01-13 Thread Alexander Duscheleit
On Wed, 13 Jan 2010 14:38:45 +0100
Thomas Bächler tho...@archlinux.org wrote:

> On 13.01.2010 14:31, James Rayner wrote:
> > They provide ArchLinux 2009.08 in both 32 and 64 bit with
> > their own kernel with grsecurity (2.6.31.5-grs)
> > How well does this integrate? Arch doesn't have any
> > officially-endorsed grsecurity kernel. Does it require userspace
> > modifications? Have they submitted their package to Arch so the
> > devs can look at it and check for flaws?
> >
> > In general, kernels don't need to integrate with anything, and no
> > changes whatsoever should be necessary in userspace. The exception
> > is when the kernel is too old to be compatible with our udev
> > version.
> >
[...]
>
> That isn't entirely the point. IIRC SELinux requires lots of support
> in userspace, this might be the same for grsecurity. I don't know for
> sure what needs modification though.

As far as skimming their (rather old) quick install guide can tell me,
grsec doesn't do much out of the box. If sysctl is enabled, *all*
options have to be enabled manually.

In normal unconfigured operation you probably only get some memory
address randomization and the same for network ports.
Some programs may not work with the memory protections and get killed
instantly. The 'chpax' utility (available in the AUR) can circumvent this.

For everything else you need the 'gradm' tool (also available in the AUR)
which manages policies, etc.

This seems to be the whole extent of required userspace support.

Greetings,
jinks
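
An added example, not part of the thread or of any poster's setup: a small audit of the sysctl-controlled grsecurity options discussed in the last message, listing which toggles are still off and whether they have been locked. It assumes the options appear as files under /proc/sys/kernel/grsecurity, that `grsec_lock` is the lock flag, and that entries ending in `_gid` hold group IDs rather than on/off values; the sample tree is constructed so the script also runs on a machine without grsecurity.

```shell
#!/bin/sh
# Added example: report grsecurity sysctl toggles that are still disabled.
# Assumption: options are files under /proc/sys/kernel/grsecurity.

# Print each option in directory $1 whose value is 0, one name per line.
grsec_disabled() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            grsec_lock|*_gid) continue ;;  # lock flag / group IDs, not toggles
        esac
        if [ "$(cat "$f" 2>/dev/null)" = 0 ]; then printf '%s\n' "$name"; fi
    done
}

# Succeed only if grsec_lock is 1, i.e. the settings can no longer be changed.
grsec_locked() {
    [ -r "$1/grsec_lock" ] && [ "$(cat "$1/grsec_lock" 2>/dev/null)" = 1 ]
}

# One-line summary for directory $1.
grsec_summary() {
    if [ ! -d "$1" ]; then echo "no grsecurity sysctl tree at $1"; return 0; fi
    off=$(grsec_disabled "$1" | wc -l | tr -d ' ')
    if grsec_locked "$1"; then lock=locked; else lock=unlocked; fi
    echo "$off option(s) disabled, $lock"
}

# Constructed sample tree (values are made up for the demonstration).
make_sample() {
    d=$(mktemp -d)
    echo 0 > "$d/chroot_deny_chmod"
    echo 1 > "$d/dmesg"
    echo 0 > "$d/tpe_gid"
    echo 0 > "$d/grsec_lock"
    echo "$d"
}

sample=$(make_sample)
grsec_summary "$sample"                     # constructed sample
grsec_summary /proc/sys/kernel/grsecurity   # the live system, if present
rm -rf "$sample"
```
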

