# Hardened sources - does it make sense without PaX

## Uzytkownik

I tried to run hardened Gentoo but I discovered that PaX is breaking too much. Are there any benefits to hardened sources w/out PaX?

----------

## eccerr0r

Security is always a tradeoff for convenience.

If you're willing to sacrifice security (PaX) to get convenience (less breakage) then sure...

To quantify the security loss, it all depends on the person hacking your machine...

----------

## Uzytkownik

*eccerr0r wrote:*

> Security is always a tradeoff for convenience.
> 
> If you're willing to sacrifice security (PaX) to get convenience (less breakage) then sure...
> 
> To quantify the security loss, it all depends on the person hacking your machine...


Yeah sure. My question was rather whether hardened sources minus PaX == vanilla sources, or whether there is some hardening even without PaX/grsecurity enabled.

----------

## eccerr0r

A lot of the security things are needed in conjunction with each other - removing one will weaken the remaining...

I view it as all or nothing.

Most of my machines I just run nothing and depend on correctness by design...  Yeah...right...  Convenience ended up winning out.

----------

## Uzytkownik

*eccerr0r wrote:*

> A lot of the security things are needed in conjunction with each other - removing one will weaken the remaining...
> 
> I view it as all or nothing.


I think there are at least some shades of grey between running a military-grade SELinux installation and ignoring an error about a self-signed certificate when you enter a bank website... Security is obviously not all-or-nothing but needs to be balanced against usability.

*eccerr0r wrote:*

> Most of my machines I just run nothing and depend on correctness by design...  Yeah...right...  Convenience ended up winning out.


I am afraid you are not answering the question I am asking. In my threat model I deem hardening as nice to have but not strictly necessary. I would just like to know if hardened sources contain any improvement other than PaX itself.

----------

## Hu

That depends on exactly what you disable at build time and/or runtime, but generally, yes, grsecurity includes a large number of security-related changes, not all of which require PaX enabled in order for them to function.  Your other option is to describe some of the breaks that PaX is causing.  Despite not being part of the upstream kernel, PaX is fairly widely used, so it is likely that other users have encountered any problems it causes and may be able to help you.

----------

