Gentoo Archives: gentoo-hardened

From: Ned Ludd <solar@g.o>
To: davisjp@×××.edu
Cc: "Peter S. Mazinger" <ps.m@×××.net>, gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] stage3's openssl has TEXTREL
Date: Sat, 10 Jan 2004 19:04:43
Message-Id: 1073760993.20036.4347.camel@simple
In Reply to: Re: [gentoo-hardened] stage3's openssl has TEXTREL by John Davis
zhen,
Peter is right, openssl in the stage3 does contain TEXTREL.
This needs to be fixed before the final GRP stages are released, for all
arches that GRP is going to handle (not just hardened).

I've also noticed that our desired FEATURES don't seem to be kicking in
until after the user has rsync'd.

Let's take a look at basic file permissions.
# 04000.

1825457 28 -rwsr-xr-x 1 root root 26732 Jan 6 12:17 /bin/su
1825515 40 -rwsr-xr-x 1 root root 37072 Jan 6 12:07 /bin/ping
1825449 96 -rws--x--x 1 root root 90808 Jan 6 12:22 /bin/mount
1825451 32 -rwsr-xr-x 1 root root 32304 Jan 6 12:07 /bin/ping6
1825429 56 -rws--x--x 1 root root 50572 Jan 6 12:22 /bin/umount
408439 36 -rwsr-xr-x 1 root root 33484 Jan 6 12:17 /usr/bin/chfn
408378 36 -rwsr-xr-x 1 root root 33548 Jan 6 12:17 /usr/bin/chsh
408312 44 -rwsr-xr-x 1 root root 43880 Jan 6 12:17 /usr/bin/chage
408543 16 -rwsr-xr-x 1 root root 14612 Jan 6 12:07 /usr/bin/traceroute6
408733 12 -rwsr-xr-x 1 root root 10332 Jan 6 12:07 /usr/bin/tracepath6
408346 24 -rwsr-xr-x 1 root root 20552 Jan 6 12:17 /usr/bin/expiry
408730 1072 -rws--x--x 2 root root 1091093 Jan 6 11:59 /usr/bin/sperl5.8.0
408476 28 -rwsr-xr-x 1 root root 25000 Jan 6 12:17 /usr/bin/newgrp
408656 32 -rwsr-xr-x 1 root root 31208 Jan 6 12:17 /usr/bin/passwd
408614 44 -rwsr-xr-x 1 root root 41460 Jan 6 12:17 /usr/bin/gpasswd
408426 12 -rwsr-xr-x 1 root root 10260 Jan 6 12:07 /usr/bin/tracepath
408730 1072 -rws--x--x 2 root root 1091093 Jan 6 11:59 /usr/bin/suidperl
603864 180 -rws--x--x 1 root root 179236 Jan 6 12:24 /usr/lib/misc/ssh-keysign
603865 8 -rws--x--x 1 root root 6104 Jan 6 10:08 /usr/lib/misc/pt_chown
1564576 24 -r-sr-xr-x 1 root root 22495 Jan 6 12:16 /usr/sbin/unix_chkpwd
1564569 20 -r-sr-xr-x 1 root root 19652 Jan 6 12:16 /usr/sbin/pwdb_chkpwd
1564531 12 -r-s--x--x 1 root root 11411 Jan 6 12:16 /usr/sbin/pam_timestamp_check

# 02000
408563 48 -r-xr-sr-x 1 root man 48840 Jan 6 11:45 /usr/bin/man
408507 12 -rwxr-sr-x 1 root tty 9200 Jan 6 12:22 /usr/bin/write
408540 36 -rwx--s--x 1 root 2601 36561 Jan 6 12:17 /usr/bin/slocate

# All these setuid files should be go-rw and setgid files should be o-rw
out of the box.

# We don't have ipv6 enabled in our USE flags so I don't see why we
should be getting tracepath6, traceroute6 in the first place (odd eh?).

# It also appears ccache is getting enabled. I'm not sure if we want
this or not. I would assume NO as it's been known to cause problems with
old __guard symbols laying around. But it might not be a problem as long
as the __guard symbol is found at glibc vs libgcc. Perhaps pappy can
comment on if he thinks this feature should be disabled in our profile.

# Stripping. I've still got one small addition to go into portage itself
to handle stripping of shared objects better. Don't let it hold you up as
it only shaved off 2 megs off of /{,usr/}{s,}bin/

On Thu, 2004-01-08 at 16:10, John Davis wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Peter S. Mazinger wrote:
> | Hello!
> |
> | On my first attempt with gentoo starting from stage3 (oregonstate
> | december) tarball, chroot, and running emerge --help shows libcrypto
> | (0.9.6) having TEXTREL (I have checked all other libs in /lib, /usr/lib,
> | they are clean). Could this also be the case for the mainstream openssl?
> |
> | Peter
> |
> Are you using hardened stages - if so, use the ones from the
> experimental directory that are datestamped 20040105. I do not know if
> they have TEXTREL removed, but if hgcc 2.4.5 supports that, then yes.
>
> Cheers,
> //zhen
> - --
> John Davis
> Gentoo Linux Developer
> <http://dev.gentoo.org/~zhen>
>
> - ----
> Knowledge can be more terrible than ignorance if you're powerless to
> change your world.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQE//cc+ZlASNRlGLUcRArHoAJ9gR+l2tEGjP8QbDCv51YZYOYSyEgCgtddi
> jxx89FMJSWzKCRXV0lPQi7c=
> =t0Wl
> -----END PGP SIGNATURE-----
>
>
> --
> gentoo-hardened@g.o mailing list
--
Ned Ludd <solar@g.o>
Gentoo Linux Developer

Attachments

File name MIME type
signature.asc application/pgp-signature
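
The permission policy stated in the message above (setuid files go-rw, setgid files o-rw), written out as an auditing script. This is an added example, not part of the original post or of any Gentoo tool; the function names and the default root path "/" are assumptions made for illustration.

```python
import os
import stat
import sys

# Policy stated in the message: setuid files go-rw, setgid files o-rw.
SUID_EXCESS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH  # 0o066
SGID_EXCESS = stat.S_IROTH | stat.S_IWOTH  # 0o006


def excess_bits(mode):
    """Return the permission bits the policy wants cleared (0 if compliant)."""
    excess = 0
    if mode & stat.S_ISUID:
        excess |= mode & SUID_EXCESS
    if mode & stat.S_ISGID:
        excess |= mode & SGID_EXCESS
    return excess


def suggested_mode(mode):
    """Current permission bits with the excess read/write bits removed."""
    return stat.S_IMODE(mode) & ~excess_bits(mode)


def _mode_and_dev(path):
    """lstat without following symlinks; (None, None) if the entry is gone."""
    try:
        st = os.lstat(path)
    except OSError:
        return None, None
    return st.st_mode, st.st_dev


def audit(root):
    """Yield (path, current, suggested) for non-compliant regular files under
    root, staying on root's filesystem (like find -xdev)."""
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories on other filesystems (/proc, /sys, network mounts).
        dirnames[:] = [d for d in dirnames
                       if _mode_and_dev(os.path.join(dirpath, d))[1] == root_dev]
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode, _ = _mode_and_dev(path)
            if mode is not None and stat.S_ISREG(mode) and excess_bits(mode):
                yield path, stat.S_IMODE(mode), suggested_mode(mode)


if __name__ == "__main__":
    for path, current, wanted in audit(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{path}: {current:04o} -> {wanted:04o}")
```

Applied to the modes in the listing, -rwsr-xr-x (4755) is reported with 4711 as the suggested mode, while -rws--x--x (4711) and -rwx--s--x (2711) already comply.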