| 1 |
Thomas Sachau wrote: |
| 2 |
> basile schrieb: |
| 3 |
> |
| 4 |
>> Mansour Moufid wrote: |
| 5 |
>> |
| 6 |
>>> On Sun, Apr 19, 2009 at 9:44 AM, Thomas Sachau <tommy@g.o> wrote: |
| 7 |
>>> |
| 8 |
>>> |
| 9 |
>>>> basile schrieb: |
| 10 |
>>>> |
| 11 |
>>>> |
| 12 |
>>>>> Hi, a have a couple of question is for Gordon and Nedd regarding |
| 13 |
>>>>> rebuilding an entire desktop system with emerge -e world, both amd64 |
| 14 |
>>>>> and |
| 15 |
>>>>> i686. I'm mostly worried about the security implications of the |
| 16 |
>>>>> choices I'm making and I'm not 100% sure of my understanding. |
| 17 |
>>>>> |
| 18 |
>>>>> 1) Regarding choice of compiler. gcc-config -l gives |
| 19 |
>>>>> |
| 20 |
>>>>> [1] x86_64-pc-linux-gnu-3.4.6 |
| 21 |
>>>>> [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie |
| 22 |
>>>>> [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp |
| 23 |
>>>>> [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp |
| 24 |
>>>>> [5] x86_64-pc-linux-gnu-3.4.6-vanilla |
| 25 |
>>>>> [6] x86_64-pc-linux-gnu-4.1.2 |
| 26 |
>>>>> |
| 27 |
>>>>> My understanding is that [1] is fully hardened and that [2]-[5] are |
| 28 |
>>>>> exactly what they say, respectively no pie, no pie nor ssp, no ssp and |
| 29 |
>>>>> fully vanilla. My confusion is about 4.1.2. What hardening is present |
| 30 |
>>>>> in it? (Did some hardening which wasn't present in gcc-3 make it to |
| 31 |
>>>>> gcc-4 vanilla?) What's the best practice here? |
| 32 |
>>>>> |
| 33 |
>>>>> |
| 34 |
>>>> You are right with gcc-3.4.6-r2. How did you install gcc-4? It should |
| 35 |
>>>> be masked as that version does |
| 36 |
>>>> not have any builtin hardened features, so is only a normal, |
| 37 |
>>>> none-hardened gcc-4.1.2 |
| 38 |
>>>> |
| 39 |
>>>> |
| 40 |
>>> This can happen when using a non-hardened stage3 tarball during the |
| 41 |
>>> install, then switching to the hardened profile later. |
| 42 |
>>> |
| 43 |
>>> I've noticed it's not immediately clear where to get hardened stages |
| 44 |
>>> in the documentation. For those wondering, the mirror URL can be found |
| 45 |
>>> in the topic on #gentoo-hardened, i.e.: |
| 46 |
>>> http://gentoo.osuosl.org/releases/${ARCH}/2008.0/stages/hardened/ |
| 47 |
>>> |
| 48 |
>>> |
| 49 |
>>> |
| 50 |
>> I followed a variation of the upgrade process discussed here: |
| 51 |
>> |
| 52 |
>> http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml |
| 53 |
>> |
| 54 |
>> The differences are I used binutils-2.18 and glibc-2.8_p20080602-r1 |
| 55 |
>> |
| 56 |
>> I understand that its a VERY EARLY draft, but it proceeded without any |
| 57 |
>> problems on both i686 and amd64. I'm pretty sure I didn't loose PIE, |
| 58 |
>> but I'm not so sure about SSP. I'm playing around now with |
| 59 |
>> -fstack-protector-all in my CFLAGS. |
| 60 |
>> |
| 61 |
>> |
| 62 |
>> |
| 63 |
>>>>> 2) Regarding the choice of profiles on amd64. I have |
| 64 |
>>>>> |
| 65 |
>>>>> [6] hardened/amd64 |
| 66 |
>>>>> [7] hardened/amd64/multilib * |
| 67 |
>>>>> [10] hardened/linux/amd64 |
| 68 |
>>>>> |
| 69 |
>>>>> I'm using the multilib and I'm wondering what the security implications |
| 70 |
>>>>> of this decision. Also, should I be thinking about the newer [10] on |
| 71 |
>>>>> amd64? What about the similar choice on i686? |
| 72 |
>>>>> |
| 73 |
>>>>> Thanks guys. |
| 74 |
>>>>> |
| 75 |
>>>>> |
| 76 |
>>>>> |
| 77 |
>>>> What security implications should be there? |
| 78 |
>>>> The newer [10] is still experimental and may change without warning. |
| 79 |
>>>> Use either [6] or [7] for now. |
| 80 |
>>>> |
| 81 |
>>>> -- |
| 82 |
>>>> Thomas Sachau |
| 83 |
>>>> |
| 84 |
>>>> Gentoo Linux Developer |
| 85 |
>>>> |
| 86 |
>>>> |
| 87 |
>>>> |
| 88 |
>> I remember reading about lots of security bugs with emulating |
| 89 |
>> libraries. I just googled for it to remind myself. So I'm wondering |
| 90 |
>> whether profile 6 is better than 7. |
| 91 |
>> |
| 92 |
> |
| 93 |
> There may be open bugs with those emul-linux-* packages which currently provide some basic 32bit |
| 94 |
> libs, but they are not installed by using the profile nor are you forced to use them. If your |
| 95 |
> reading was about something different, please specify it. |
| 96 |
> |
| 97 |
> |
| 98 |
> |
| 99 |
http://blog.flameeyes.eu/tag/multilib |
| 100 |
|
| 101 |
|
| 102 |
-- |
| 103 |
|
| 104 |
Anthony G. Basile, Ph.D. |
| 105 |
Chair of Information Technology |
| 106 |
D'Youville College |
| 107 |
Buffalo, NY 14201 |
| 108 |
USA |
| 109 |
|
| 110 |
(716) 829-8197 |
Archives