basile wrote:
> Thomas Sachau wrote:
>> basile wrote:
>>
>>> Mansour Moufid wrote:
>>>
>>>> On Sun, Apr 19, 2009 at 9:44 AM, Thomas Sachau <tommy@g.o>
>>>> wrote:
>>>>
>>>>> basile wrote:
>>>>>
>>>>>> Hi, I have a couple of questions for Gordon and Nedd regarding
>>>>>> rebuilding an entire desktop system with emerge -e world, both amd64
>>>>>> and i686. I'm mostly worried about the security implications of the
>>>>>> choices I'm making and I'm not 100% sure of my understanding.
>>>>>>
>>>>>> 1) Regarding choice of compiler. gcc-config -l gives
>>>>>>
>>>>>> [1] x86_64-pc-linux-gnu-3.4.6
>>>>>> [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
>>>>>> [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
>>>>>> [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
>>>>>> [5] x86_64-pc-linux-gnu-3.4.6-vanilla
>>>>>> [6] x86_64-pc-linux-gnu-4.1.2
>>>>>>
>>>>>> My understanding is that [1] is fully hardened and that [2]-[5] are
>>>>>> exactly what they say, respectively no pie, no pie nor ssp, no ssp
>>>>>> and fully vanilla. My confusion is about 4.1.2. What hardening is
>>>>>> present in it? (Did some hardening which wasn't present in gcc-3 make
>>>>>> it to gcc-4 vanilla?) What's the best practice here?
>>>>>>
>>>>> You are right with gcc-3.4.6-r2. How did you install gcc-4? It should
>>>>> be masked as that version does not have any builtin hardened features,
>>>>> so is only a normal, non-hardened gcc-4.1.2
>>>>>
>>>> This can happen when using a non-hardened stage3 tarball during the
>>>> install, then switching to the hardened profile later.
>>>>
>>>> I've noticed it's not immediately clear where to get hardened stages
>>>> in the documentation. For those wondering, the mirror URL can be found
>>>> in the topic on #gentoo-hardened, i.e.:
>>>> http://gentoo.osuosl.org/releases/${ARCH}/2008.0/stages/hardened/
>>>>
>>> I followed a variation of the upgrade process discussed here:
>>>
>>> http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml
>>>
>>> The differences are I used binutils-2.18 and glibc-2.8_p20080602-r1
>>>
>>> I understand that it's a VERY EARLY draft, but it proceeded without any
>>> problems on both i686 and amd64. I'm pretty sure I didn't lose PIE,
>>> but I'm not so sure about SSP. I'm playing around now with
>>> -fstack-protector-all in my CFLAGS.
>>>
>>>>>> 2) Regarding the choice of profiles on amd64. I have
>>>>>>
>>>>>> [6] hardened/amd64
>>>>>> [7] hardened/amd64/multilib *
>>>>>> [10] hardened/linux/amd64
>>>>>>
>>>>>> I'm using the multilib and I'm wondering what the security
>>>>>> implications of this decision are. Also, should I be thinking about
>>>>>> the newer [10] on amd64? What about the similar choice on i686?
>>>>>>
>>>>>> Thanks guys.
>>>>>>
>>>>> What security implications should be there?
>>>>> The newer [10] is still experimental and may change without warning.
>>>>> Use either [6] or [7] for now.
>>>>>
>>>>> --
>>>>> Thomas Sachau
>>>>>
>>>>> Gentoo Linux Developer
>>>>>
>>> I remember reading about lots of security bugs with emulating
>>> libraries. I just googled for it to remind myself. So I'm wondering
>>> whether profile 6 is better than 7.
>>>
>> There may be open bugs with those emul-linux-* packages which
>> currently provide some basic 32bit libs, but they are not installed by
>> using the profile nor are you forced to use them. If your reading was
>> about something different, please specify it.
>>
> http://blog.flameeyes.eu/tag/multilib
>

As I said: Only the library packages are the problem, not the profile itself.

--
Thomas Sachau

Gentoo Linux Developer
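The thread leaves the practical question open: after a toolchain upgrade, how do you tell whether the binaries you rebuilt actually came out PIE and with the stack protector, rather than trusting which gcc-config slot was active? The script below is an added example, not code from the thread or from Gentoo's own tooling. It reads the ELF header and string tables directly (so it works without readelf or pax-utils) and reports two things: whether the file is linked as ET_DYN, which is what a PIE executable looks like, and whether any of the stack-protector symbols appear in its string tables. It looks for both the gcc-4 SSP names (__stack_chk_fail, __stack_chk_guard) and the older gcc-3 ProPolice names (__guard, __stack_smash_handler), since a system mid-way through the upgrade in the thread can contain both generations. The make_sample_elf helper builds a constructed, non-runnable ELF image purely so the checks can be exercised offline; the function and variable names are this example's own.

```python
"""Report PIE / stack-protector status of ELF binaries by parsing them directly.

Added example: not part of the mailing-list thread and not Gentoo tooling.
Usage: python check_hardening.py /bin/ls /usr/bin/ssh ...
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3      # e_type values: classic executable vs. PIE/shared object
SHT_STRTAB = 3              # section type of .strtab / .dynstr

# Symbols referenced by protector-instrumented code. gcc >= 4.1 SSP uses the
# __stack_chk_* pair; the gcc-3 ProPolice patch used __guard/__stack_smash_handler.
# Any of them present means at least one function in the binary was instrumented.
SSP_SYMBOLS = ("__stack_chk_fail", "__stack_chk_guard",
               "__stack_smash_handler", "__guard")


def elf_header(data: bytes) -> dict:
    """Decode the fields we need from an ELF32 or ELF64 header (either endianness)."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("not a recognised ELF file")
    is64 = data[4] == 2
    endian = "<" if data[5] == 1 else ">"
    fmt = endian + ("16sHHIQQQIHHHHHH" if is64 else "16sHHIIIIIHHHHHH")
    f = struct.unpack_from(fmt, data, 0)
    return {"is64": is64, "endian": endian, "e_type": f[1],
            "e_shoff": f[6], "e_shentsize": f[11], "e_shnum": f[12]}


def string_tables(data: bytes):
    """Yield the raw bytes of every SHT_STRTAB section (.strtab, .dynstr, .shstrtab)."""
    h = elf_header(data)
    fmt = h["endian"] + ("IIQQQQIIQQ" if h["is64"] else "IIIIIIIIII")
    for i in range(h["e_shnum"]):
        sh = struct.unpack_from(fmt, data, h["e_shoff"] + i * h["e_shentsize"])
        if sh[1] == SHT_STRTAB:              # sh_type
            yield data[sh[4]:sh[4] + sh[5]]  # sh_offset, sh_size


def is_pie(data: bytes) -> bool:
    """True when the file is ET_DYN. Only meaningful for executables: every
    shared library is ET_DYN too, so do not run this on .so files."""
    return elf_header(data)["e_type"] == ET_DYN


def ssp_symbols(data: bytes) -> list:
    """Stack-protector symbol names found as whole NUL-terminated entries.
    Caveat: a stripped static binary has no string table left to inspect, and a
    binary built with plain -fstack-protector may legitimately contain no
    protected function (no character arrays); -fstack-protector-all removes
    that ambiguity, which is why the thread experiments with it."""
    found = set()
    for table in string_tables(data):
        names = set(table.split(b"\0"))
        found.update(s for s in SSP_SYMBOLS if s.encode() in names)
    return sorted(found)


def report(data: bytes) -> dict:
    return {"pie": is_pie(data), "ssp": ssp_symbols(data)}


def make_sample_elf(e_type: int, names, is64: bool = True) -> bytes:
    """Constructed test input: a minimal ELF image with a header, one .strtab
    holding `names`, and a two-entry section header table. It is not loadable;
    real checks read an actual file with open(path, 'rb').read()."""
    strtab = b"\0" + b"\0".join(n.encode() for n in names) + b"\0"
    ehsize, shentsize = (64, 64) if is64 else (52, 40)
    shoff = ehsize + len(strtab)
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1]) + bytes(9)
    fmt = "<" + ("16sHHIQQQIHHHHHH" if is64 else "16sHHIIIIIHHHHHH")
    header = struct.pack(fmt, ident, e_type, 62 if is64 else 3, 1, 0, 0, shoff, 0,
                         ehsize, 0, 0, shentsize, 2, 1)
    shfmt = "<" + ("IIQQQQIIQQ" if is64 else "IIIIIIIIII")
    null_sh = struct.pack(shfmt, *([0] * 10))
    strtab_sh = struct.pack(shfmt, 1, SHT_STRTAB, 0, 0, ehsize, len(strtab), 0, 0, 1, 0)
    return header + strtab + null_sh + strtab_sh


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            r = report(fh.read())
        print(f"{path}: PIE={r['pie']} SSP symbols={r['ssp'] or 'none'}")
```

The two checks are the same ones `readelf -h` (the Type line reading DYN rather than EXEC) and `readelf -s ... | grep __stack_chk_fail` would give; parsing the file directly just avoids depending on those tools being present and makes the ProPolice-era names explicit. A binary that comes out ET_EXEC with no protector symbols after an `emerge -e world` is the signature of having rebuilt with the plain gcc-4.1.2 slot from the thread rather than a hardened one.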