Lunar Linux Hardened
(→The Patches) |
(→glibc 2.5) |
||
Line 175: | Line 175: | ||
=== glibc 2.5 === | === glibc 2.5 === | ||
− | + | Status: 1 | |
− | + | Configure: Added --with-selinux as a query option, added the following things statically: --with-tls --enable-bind-now --enable-stackguard-randomization | |
<table cellspacing="0" cellpadding="0" border="0" style="border: 1px solid #000000; text-align: center; margin: 0 auto; width: 100%;"> | <table cellspacing="0" cellpadding="0" border="0" style="border: 1px solid #000000; text-align: center; margin: 0 auto; width: 100%;"> |
Revision as of 16:43, 10 March 2007
Contents |
Hardened Lunar Linux
The maingoal of this project might be to have a Lunar Linux with security enhancements. The most modules will be patched with patches we've written or others written. Others could be Linux-from-Scratch users or other Distributions. As long as we keep credits - This should be okay.
Language
The mainproblem is my language - so if you read things you don't understand please ask me - My english isn't as good as yours so probably i would be happy for corrections ;-)
Warning
This project is in an experimental state - So use it only if you want to play with it or if you want help developing it. It's not for production use right now. I'm working at the moment only at i386. So no x86_64 or sparc support is there.
HowTo get this Thingy running
Good question, i waited that u ask me. First, you'll download the hd-modules.tar.bz2 (I will add the url here soon). Extract it to /var/lib/lunar/moonbase/zlocal/ (Be careful if you stored own modules there. We don't want to overwrite something). Then you have to re-lin stuff:
Stage One
Preinstallation of needed modules
- lin -cr binutils # This will install binutils 2.17 with our hardened patches and configure options
- lin -cr gcc # This will install gcc 4.1.2 with our hardened patches and configure options
- lin -cr kernel-headers-2.6 # This will install the Kernel Headers we need for glibc
- lin -cr glibc # This will install glibc 2.5 with our hardened patches and configure options
- lin -cr linux-2.6 # Now reinstall the linux kernel.
Stage Two
Now reinstallation of the previosly installed modules, so that they're compiled using the preinstalled modules
- lin -cr binutils
- lin -cr gcc
- lin -cr db (if u have it installed (lvu installed db) but i bet you have)
- lin -cr coreutils
- lin -cr kernel-headers-2.6
- lin -cr glibc
- lin -cr linux-2.6
Stage Three
Now we relin some other useful modules:
- lin -cr bison
- lin -cr procps
- lin -cr libtool
- lin -cr perl
- lin -cr readline
- lin -cr zlib
- lin -cr autoconf
- lin -cr automake
Now your filesystem tools:
- lin -cr e2fsprogs (for ext2 and ext3fs)
- lin -cr xfsprogs (for xfs only if u use it)
- lin -cr jfsutils (for jfs only if u use it)
- lin -cr reiserfsprogs (for reiserfs only if u use it)
- ... ;-)
Now some other modules
- lin -cr file
- lin -cr flex
- lin -cr groff
- lin -cr less
- lin -cr man
- lin -cr mktemp
- lin -cr module-init-tools
- lin -cr psmisc
- lin -cr shadow
- lin -cr sysvinit
- lin -cr udev (or whatever u use, for example devfs)
- lin -cr ncurses (if u have it installed (lvu installed ncurses))
- lin -cr bash
- lin -cr bzip2
- lin -cr coreutils
- lin -cr diffutils
- lin -cr findutils
- lin -cr gawk
- lin -cr gettext
- lin -cr grep
- lin -cr gzip
- lin -cr m4
- lin -cr make
- lin -cr patch
- lin -cr perl
- lin -cr sed
- lin -cr tar
- lin -cr texinfo (if u have it installed (lvu installed texinfo))
- lin -cr util-linux
- lin -cr vim
The Patches (info)
You will see "Status:" in the following sections. Status 1 means i tested is it compiling and does it seem working, on my local system (Athlon XP 2600+, 512 MB Ram, Vanilla 2.6.20 Kernel). Status 2 means i tested it a bit more and recompiled it several times AND with optimizations. Status 3 means other people have tested it, too but it wasn't working sometimes. Status 4 means other people have tested it, too and it was working everywhere.
So:
- Status 0 is untested.
- Status 1 is really really alpha. (tested without optimizations)
- Status 2, too. (tested with optimizations: CPU: athlon-xp; FPU: both; MMX SSE SSE2, -O2)
- Status 3 is beta.
- Status 4 is ready to go ;-)
ToDo
- Do we need to port this patch http://www.linuxfromscratch.org/patches/downloads/db/db-4.4.20-trap-2.patch if we use 4.5.20?
- On some sites exists a branch_update-2.patch for binutils-2.17, i tried it and it was not working cause of another patch. http://www.ip-minds.de/patches/binutils-2.17-branch_update-2.patch (will be later available there)
- We have to look for other useful security related patches.
The Patches (The Modules + Patches + Configure Changes)
gcc 4.1.2
Status: 2
posix-1.patch | - | Makes GCC Posix Compliant |
binutils 2.17
Status: 2
branch_update-1.patch | - | This is the binutils-2_17-branch (bug fix branch) update, compared from binutils-2.17-release and binutils-2_17-branch with all the fluff removed (CVS entries, maintainer files, etc). This patch should be updated periodically. |
hardened_tmp-3.patch | - | This patch uses mkstemp(3) and mkdtemp(3) for temporary file creation, if they are available, rather than the default mktemp(3). This is safer and removes some compiler warnings. |
lazy-1.patch | - | This adds -z lazy option, inverse of -z now. |
pt_pax-1.patch | - | This adds PT_PAX_FLAGS to Binutils. See: http://pax.grsecurity.net/ |
posix-1.patch | - | Makes binutils Posix Compliant |
coreutils 6.7
Status: 2
i18n-1.patch | - | This patch fixes various problems with multibyte character support. |
uname-1.patch | - | Fix the output of uname once and for all. |
glibc 2.5
Status: 1
Configure: Added --with-selinux as a query option, added the following things statically: --with-tls --enable-bind-now --enable-stackguard-randomization
blowfish.patch | - | This patch adds blowfish crypto to libcrypt. |
branch_update-2.patch | - | This is a branch update for Glibc-2.5, and should be rechecked periodically. See the "Changelog" and "localedata/ChangeLog" files for specific details. |
dl_execstack_PaX-1.patch | - | This is needed for Pax. http://pax.grsecurity.net/ |
hardened_tmp-1.patch | - | This patch instructs mktemp(1) to use temporary file directory from the '-t' option. It also makes sure temporary files get removed after exiting the scripts. |
iconv_unnest-1.patch | - | Move nested function to a static one so we avoid generating a trampoline. |
localedef_segfault-1.patch | - | Fixes Segfault when using localdef. This problem is only noticed when using PaX and some architectures besides x86. See debian bug # 231438 |
pt_pax-1.patch | - | This is needed for Pax. http://pax.grsecurity.net/ |
strlcpy_strlcat-1.patch | - | http://www.courtesan.com/todd/papers/strlcpy.html |
Berkeley DB 4.5.20
Status: 1
fixes-1.patch | - | Fixes a couple of issues when trying to access databases through the Java API. |