Re: [gentoo-user] Simplified apache2
Michael Crute wrote:
> Hmm... I seem to remember some problem with PHP only compiling if
> threads was set to on. Maybe not, will have to test it to see if there
> is any good reason that I still have that in my package.use. Thanks
> for the tip.
>
> -Mike
>

PHP and apache are not the same software. If you have USE="threads" for
PHP, then you have to use a threaded MPM for apache (mpm-worker would be
the suggested one). If you do not have USE="threads" for PHP then you
have to use a non-threaded MPM for apache (mpm-prefork).

--
Michael Stewart [EMAIL PROTECTED]
Gentoo Developer http://dev.gentoo.org/~vericgar
GnuPG Key ID 0x08614788 available on http://pgp.mit.edu
Re: [gentoo-user] Simplified apache2
Good point, I suppose iptables can do pretty much everything tcp_wrappers
can do.

-- Original message --
From: Ryan Tandy <[EMAIL PROTECTED]>
> [EMAIL PROTECTED] wrote:
> > > Even this is a bit more bloated than it needs to be. I have never used
> > > 'tcpd'
> >
> > Doesn't tcpd add security, thus suggesting its use for a more secure
> > system?
> >
> > Thanks,
> > Brian
>
> It can. I haven't yet had a need to implement host-based security, and
> if I ever do, I plan to merge it into my existing iptables stuff.
> --
> gentoo-user@gentoo.org mailing list
>
Re: [gentoo-user] Simplified apache2
[EMAIL PROTECTED] wrote:
> > Even this is a bit more bloated than it needs to be. I have never used
> > 'tcpd'
>
> Doesn't tcpd add security, thus suggesting its use for a more secure
> system?
>
> Thanks,
> Brian

It can. I haven't yet had a need to implement host-based security, and
if I ever do, I plan to merge it into my existing iptables stuff.
Re: [gentoo-user] Simplified apache2
> Even this is a bit more bloated than it needs to be. I have never used
> 'tcpd'

Doesn't tcpd add security, thus suggesting its use for a more secure
system?

Thanks,
Brian
Re: [gentoo-user] Simplified apache2
Can one convert a non-hardened machine to use the hardened profile, or
do you have to start from scratch?

Michael Crute wrote:
> On 9/12/06, James <[EMAIL PROTECTED]> wrote:
> > I used 2006.1 livecd to install a pII machine. It's going to become a
> > (minimalistic) apache2 server. I just let the installation set the
> > flags for the install so I have these flags currently:
>
> Those look a bit excessive for a "minimalist" machine. I would start
> over ;-)
>
> > Some of these flags look questionable, such as the ones with
> > underscores (kernel_linux userland_GNU), as I only found information
> > on them where they are described as 'undocumented use flags'. What's
> > up with these flags?
>
> My understanding is that these are set in the profile and simply tell
> portage that you are using Linux. I don't think there is any way (short
> of profile hacking) to change them. So don't worry about it.
>
> > Where do I look to discern the minimal list of (necessary) system
> > flags that must be kept? (I want to avoid negating any flags that are
> > critical). This is my proposed list of flags:
>
> Still a little excessive in my opinion. The approach that I would (do)
> take is to put only the bare minimum use flags in make.conf and
> override the rest on a per-package level in /etc/portage/package.use.
>
> > So can I just use this list, or do I have to include a -{flag} for
> > each one? Is there simpler syntax to globally remove unwanted flags
> > [-*], but not any critical system flags? (Is this the same as just
> > leaving the flag out of the USE param. setting in make.conf?)
>
> -* will work but be careful, it can break things if you don't know
> what you're doing.
>
> > Are there default system flag settings that I can safely remove?
> > Where is the list and how do I know which ones can be removed or
> > negated? My (limited) understanding of flags is that the highest
> > priority are those set in /etc/portage/package.use, then
> > /etc/make.conf, then the system default flags which may be located in
> > several locations.
> > Are there any docs or a listing of all of these locations and details
> > on precedence?
>
> http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=2
>
> OK, my advice to you would be to start over with a hardened profile.
> While hardened is not specifically required I highly recommend it if
> this is just going to be a headless server machine. You probably want
> to set your machine up with a similar USE= string in make.conf
>
> USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl python readline"
>
> I believe that is the bare minimum if you use -*. Now you can compile
> your system and you have a blank slate to start working with. As you
> start emerging packages just make sure you use the -pv flags for emerge
> and check out the available use flags and add the ones you want to
> /etc/portage/package.use. Here is an example of my package.use line
> for apache2
>
> net-www/apache mpm-prefork threads
>
> This setup works smashingly for me on my production servers but YMMV.
>
> Best of luck.
>
> -Mike
Re: [gentoo-user] Simplified apache2
On 9/13/06, Michael Stewart (vericgar) <[EMAIL PROTECTED]> wrote:
> Michael Crute wrote:
> > net-www/apache mpm-prefork threads
>
> As a side note from the Apache maintainer: This USE-flag combination
> is pointless. The threads USE-flag is only used if you don't specify a
> MPM USE-flag, and causes the mpm to be mpm-worker. (If threads is not
> set, the MPM defaults to mpm-prefork)

Hmm... I seem to remember some problem with PHP only compiling if
threads was set to on. Maybe not, will have to test it to see if there
is any good reason that I still have that in my package.use. Thanks
for the tip.

-Mike

--
Michael E. Crute
http://mike.crute.org

I may not have gone where I intended to go, but I think I have ended up
where I intended to be. --Douglas Adams
Re: [gentoo-user] Simplified apache2
Michael Crute wrote:
> net-www/apache mpm-prefork threads

As a side note from the Apache maintainer: This USE-flag combination is
pointless. The threads USE-flag is only used if you don't specify a MPM
USE-flag, and causes the mpm to be mpm-worker. (If threads is not set,
the MPM defaults to mpm-prefork)

--
Michael Stewart [EMAIL PROTECTED]
Gentoo Developer http://dev.gentoo.org/~vericgar
GnuPG Key ID 0x08614788 available on http://pgp.mit.edu
Re: [gentoo-user] Simplified apache2
Michael Crute wrote:
> USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl python readline"

Even this is a bit more bloated than it needs to be. I have never used
'tcpd' or 'berkdb' on any system I run, and 'perl' and 'python' are
*much* more useful (IMO) as local flags (in package.use) than as global
ones. Even 'ssl' doesn't *have* to be there, especially in the global
scope - 'www-client/links ssl' in package.use should be more than
sufficient.

One flag missing from that line that I like to have is 'bzip2' - tar
just isn't quite the same without bz2 support. ;)

Also, be careful using the hardened flag without running the hardened
profile. The hardened profile masks out a couple of packages and flags
that don't work so well on a hardened system.

BTW, the flags with underscores in them (kernel_linux, userland_GNU,
elibc_glibc, video_cards_radeon and such) are known as USE_EXPAND or
expanded USE flags. VIDEO_CARDS and ALSA_CARDS are a couple you may be
familiar with - when they're set in make.conf, emerge expands them
automatically, so e.g. VIDEO_CARDS="radeon" gets expanded to
USE="video_cards_radeon". KERNEL, USERLAND, and ELIBC are there for the
use of packages that work differently on different systems -
Gentoo/FreeBSD, Gentoo/OSX, and such - and should *only* be set by your
profile.

Hope I've helped. :)

Ryan
Re: [gentoo-user] Simplified apache2
On 9/12/06, James <[EMAIL PROTECTED]> wrote:
> I used 2006.1 livecd to install a pII machine. It's going to become a
> (minimalistic) apache2 server. I just let the installation set the
> flags for the install so I have these flags currently:

Those look a bit excessive for a "minimalist" machine. I would start
over ;-)

> Some of these flags look questionable, such as the ones with
> underscores (kernel_linux userland_GNU), as I only found information
> on them where they are described as 'undocumented use flags'. What's
> up with these flags?

My understanding is that these are set in the profile and simply tell
portage that you are using Linux. I don't think there is any way (short
of profile hacking) to change them. So don't worry about it.

> Where do I look to discern the minimal list of (necessary) system
> flags that must be kept? (I want to avoid negating any flags that are
> critical). This is my proposed list of flags:

Still a little excessive in my opinion. The approach that I would (do)
take is to put only the bare minimum use flags in make.conf and
override the rest on a per-package level in /etc/portage/package.use.

> So can I just use this list, or do I have to include a -{flag} for
> each one? Is there simpler syntax to globally remove unwanted flags
> [-*], but not any critical system flags? (Is this the same as just
> leaving the flag out of the USE param. setting in make.conf?)

-* will work but be careful, it can break things if you don't know
what you're doing.

> Are there default system flag settings that I can safely remove?
> Where is the list and how do I know which ones can be removed or
> negated? My (limited) understanding of flags is that the highest
> priority are those set in /etc/portage/package.use, then
> /etc/make.conf, then the system default flags which may be located in
> several locations.
> Are there any docs or a listing of all of these locations and details
> on precedence?

http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=2

OK, my advice to you would be to start over with a hardened profile.
While hardened is not specifically required I highly recommend it if
this is just going to be a headless server machine. You probably want
to set your machine up with a similar USE= string in make.conf

USE="-* hardened pic ncurses ssl crypt berkdb tcpd pam perl python readline"

I believe that is the bare minimum if you use -*. Now you can compile
your system and you have a blank slate to start working with. As you
start emerging packages just make sure you use the -pv flags for emerge
and check out the available use flags and add the ones you want to
/etc/portage/package.use. Here is an example of my package.use line
for apache2

net-www/apache mpm-prefork threads

This setup works smashingly for me on my production servers but YMMV.

Best of luck.

-Mike

--
Michael E. Crute
http://mike.crute.org

I may not have gone where I intended to go, but I think I have ended up
where I intended to be. --Douglas Adams
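The thread covers three things a reader may want to see worked through together: Mike's layering of a "-*" make.conf USE string under per-package overrides in /etc/portage/package.use, Ryan's note on how USE_EXPAND variables such as VIDEO_CARDS turn into flags, and vericgar's two rules for apache (an explicit MPM flag makes "threads" redundant, and PHP's "threads" flag must match a threaded apache MPM). The script below is an added example written for this page; it is not code from any poster and not Portage's own resolver. It is a simplified model: the profile defaults and the dev-lang/php line are constructed sample values, mpm-event is assumed as a second threaded MPM beyond the mpm-worker the thread names, and real Portage additionally handles use.force, use.mask and the environment, which this model ignores.

```python
"""Simplified model of Gentoo USE flag layering plus the apache/PHP checks
discussed on the gentoo-user list.  Added example, not Portage code."""


def apply_use_tokens(flags, tokens):
    """Apply a space-separated USE string to a set of enabled flags.

    '-*' clears everything enabled so far (Mike's 'blank slate'),
    '-foo' disables foo, 'foo' enables it.  Order matters, as in a real
    USE string.
    """
    flags = set(flags)
    for tok in tokens.split():
        if tok == "-*":
            flags.clear()
        elif tok.startswith("-"):
            flags.discard(tok[1:])
        else:
            flags.add(tok)
    return flags


def expand_use_expand(variables):
    """Ryan's USE_EXPAND rule: VIDEO_CARDS="radeon" -> video_cards_radeon."""
    return {"%s_%s" % (name.lower(), value)
            for name, values in variables.items() for value in values.split()}


def parse_package_use(text):
    """Parse package.use lines ('category/pkg flag -flag ...') into a dict.

    Comments and blank lines are skipped; repeated atoms accumulate.
    """
    per_package = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        atom, _, flags = line.partition(" ")
        per_package[atom] = (per_package.get(atom, "") + " " + flags).strip()
    return per_package


def effective_use(atom, profile_use, make_conf_use, package_use):
    """Resolve one package's USE set, lowest to highest precedence:
    profile defaults, then make.conf, then the package.use entry."""
    flags = apply_use_tokens(set(), profile_use)
    flags = apply_use_tokens(flags, make_conf_use)
    return apply_use_tokens(flags, package_use.get(atom, ""))


# mpm-event is an assumption for this example; the thread names only
# mpm-worker (threaded) and mpm-prefork (non-threaded).
THREADED_MPMS = {"mpm-worker", "mpm-event"}
NON_THREADED_MPMS = {"mpm-prefork"}


def selected_mpm(apache_flags):
    """vericgar's rule: an explicit MPM flag wins; otherwise 'threads'
    selects mpm-worker and its absence selects mpm-prefork."""
    explicit = apache_flags & (THREADED_MPMS | NON_THREADED_MPMS)
    if explicit:
        if len(explicit) > 1:
            raise ValueError("more than one MPM selected: %s" % sorted(explicit))
        return explicit.pop()
    return "mpm-worker" if "threads" in apache_flags else "mpm-prefork"


def lint(apache_flags, php_flags):
    """Return findings about the apache/PHP USE combination."""
    findings = []
    mpm = selected_mpm(apache_flags)
    if "threads" in apache_flags and apache_flags & (THREADED_MPMS | NON_THREADED_MPMS):
        findings.append("redundant: 'threads' is ignored when an MPM flag is set")
    php_threads = "threads" in php_flags
    if php_threads and mpm not in THREADED_MPMS:
        findings.append("mismatch: PHP built with threads but apache MPM %s is not threaded" % mpm)
    if not php_threads and mpm in THREADED_MPMS:
        findings.append("mismatch: PHP built without threads but apache MPM %s is threaded" % mpm)
    return findings


# Constructed sample profile defaults (a real profile sets far more).
PROFILE_USE = "berkdb gdbm ipv6 ncurses nls pam perl python readline ssl unicode zlib"
# The make.conf USE value from Mike's message.
MAKE_CONF_USE = "-* hardened pic ncurses ssl crypt berkdb tcpd pam perl python readline"
# Mike's package.use line, plus a constructed dev-lang/php line.
PACKAGE_USE = """\
net-www/apache mpm-prefork threads
dev-lang/php apache2 -threads   # constructed sample entry
"""


def report():
    """Resolve apache and PHP flags from the sample files and lint them."""
    pkg_use = parse_package_use(PACKAGE_USE)
    apache = effective_use("net-www/apache", PROFILE_USE, MAKE_CONF_USE, pkg_use)
    php = effective_use("dev-lang/php", PROFILE_USE, MAKE_CONF_USE, pkg_use)
    return apache, php, lint(apache, php)


if __name__ == "__main__":
    apache, php, findings = report()
    print("apache USE:", " ".join(sorted(apache)))
    print("php    USE:", " ".join(sorted(php)))
    for finding in findings:
        print(" -", finding)
```

Running it with the thread's own make.conf and package.use lines shows that "-*" drops every profile default (zlib, ipv6 and so on disappear) and that Mike's "mpm-prefork threads" entry is flagged as redundant, exactly as vericgar said; swapping the PHP line to enable threads while keeping mpm-prefork produces the mismatch finding instead.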