> > And how about PaX? Is it really so unlikely to be necessary on PC or
> > laptop for personal use?
>
> Not unlikely, but it presumes a compromised local account

actually it assumes the exact opposite as it's a protection mechanism
against remote attacks, not local ones. in fact, there's no protection
on the planet that will prevent an untrusted local user from elevating
privileges (because there's no generic solution against real life bugs
in the TCB itself).

as for why you want PaX on a desktop: not only because since day one
that was my primary use case (not servers, believe it or not), but
because client side attacks against browsers, mail/VOIP/IM/etc clients
are very real in today's internet.

> but some of its controls may interfere with the operation of virtual
> machines.

only KERNEXEC should (and even that is fixable if someone's so inclined).