| Main Archive Page > Month Archives > gentoo-hardened archives |
Re: [gentoo-hardened] Some advise regarding recompiling an entire hardened systems
From: basile <basile_at_nospam>Date: Mon Apr 20 2009 - 18:04:53 GMT
To: gentoo-hardened@lists.gentoo.org
Thomas Sachau wrote:
> basile schrieb:
>
>> Mansour Moufid wrote:
>>
>>> On Sun, Apr 19, 2009 at 9:44 AM, Thomas Sachau <tommy@gentoo.org> wrote:
>>>
>>>
>>>> basile schrieb:
>>>>
>>>>
>>>>> Hi, a have a couple of question is for Gordon and Nedd regarding
>>>>> rebuilding an entire desktop system with emerge -e world, both amd64
>>>>> and
>>>>> i686. I'm mostly worried about the security implications of the
>>>>> choices I'm making and I'm not 100% sure of my understanding.
>>>>>
>>>>> 1) Regarding choice of compiler. gcc-config -l gives
>>>>>
>>>>> [1] x86_64-pc-linux-gnu-3.4.6
>>>>> [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
>>>>> [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
>>>>> [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
>>>>> [5] x86_64-pc-linux-gnu-3.4.6-vanilla
>>>>> [6] x86_64-pc-linux-gnu-4.1.2
>>>>>
>>>>> My understanding is that [1] is fully hardened and that [2]-[5] are
>>>>> exactly what they say, respectively no pie, no pie nor ssp, no ssp and
>>>>> fully vanilla. My confusion is about 4.1.2. What hardening is present
>>>>> in it? (Did some hardening which wasn't present in gcc-3 make it to
>>>>> gcc-4 vanilla?) What's the best practice here?
>>>>>
>>>>>
>>>> You are right with gcc-3.4.6-r2. How did you install gcc-4? It should
>>>> be masked as that version does
>>>> not have any builtin hardened features, so is only a normal,
>>>> none-hardened gcc-4.1.2
>>>>
>>>>
>>> This can happen when using a non-hardened stage3 tarball during the
>>> install, then switching to the hardened profile later.
>>>
>>> I've noticed it's not immediately clear where to get hardened stages
>>> in the documentation. For those wondering, the mirror URL can be found
>>> in the topic on #gentoo-hardened, i.e.:
>>> http://gentoo.osuosl.org/releases/${ARCH}/2008.0/stages/hardened/
>>>
>>>
>>>
>> I followed a variation of the upgrade process discussed here:
>>
>> http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml
>>
>> The differences are I used binutils-2.18 and glibc-2.8_p20080602-r1
>>
>> I understand that its a VERY EARLY draft, but it proceeded without any
>> problems on both i686 and amd64. I'm pretty sure I didn't loose PIE,
>> but I'm not so sure about SSP. I'm playing around now with
>> -fstack-protector-all in my CFLAGS.
>>
>>
>>
>>>>> 2) Regarding the choice of profiles on amd64. I have
>>>>>
>>>>> [6] hardened/amd64
>>>>> [7] hardened/amd64/multilib *
>>>>> [10] hardened/linux/amd64
>>>>>
>>>>> I'm using the multilib and I'm wondering what the security implications
>>>>> of this decision. Also, should I be thinking about the newer [10] on
>>>>> amd64? What about the similar choice on i686?
>>>>>
>>>>> Thanks guys.
>>>>>
>>>>>
>>>>>
>>>> What security implications should be there?
>>>> The newer [10] is still experimental and may change without warning.
>>>> Use either [6] or [7] for now.
>>>>
>>>> --
>>>> Thomas Sachau
>>>>
>>>> Gentoo Linux Developer
>>>>
>>>>
>>>>
>> I remember reading about lots of security bugs with emulating
>> libraries. I just googled for it to remind myself. So I'm wondering
>> whether profile 6 is better than 7.
>>
>
> There may be open bugs with those emul-linux-* packages which currently provide some basic 32bit
> libs, but they are not installed by using the profile nor are you forced to use them. If your
> reading was about something different, please specify it.
>
>
>
http://blog.flameeyes.eu/tag/multilib
--
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
USA
(716) 829-8197