r144 - in trunk/text: . chapter01 chapter03 chapter06

robert at linuxfromscratch.org robert at linuxfromscratch.org
Fri Feb 4 11:09:44 PST 2005


Author: robert
Date: 2005-02-04 12:09:44 -0700 (Fri, 04 Feb 2005)
New Revision: 144

Modified:
   trunk/text/README.txt
   trunk/text/chapter01/changelog.txt
   trunk/text/chapter03/patches.txt
   trunk/text/chapter06/33-texinfo.txt
   trunk/text/chapter06/45-gzip.txt
   trunk/text/chapter06/47-man.txt
   trunk/text/chapter06/48-make.txt
   trunk/text/chapter06/49-module-init-tools.txt
   trunk/text/chapter06/50-patch.txt
   trunk/text/chapter06/51-procps.txt
   trunk/text/chapter06/52-psmisc.txt
   trunk/text/chapter06/53-shadow.txt
   trunk/text/chapter06/54-util-linux.txt
Log:
More fpie additions, blowfish hint too

Modified: trunk/text/README.txt
===================================================================
--- trunk/text/README.txt	2005-02-04 08:08:45 UTC (rev 143)
+++ trunk/text/README.txt	2005-02-04 19:09:44 UTC (rev 144)
@@ -1,5 +1,5 @@
-Hardened Linux From Scratch - 20050203
-February 3rd, 2005
+Hardened Linux From Scratch - 20050204
+February 4rth, 2005
 
 - Who willed you? or whose will stands but mine?
   There's none protector of the realm but I.
@@ -19,6 +19,9 @@
      (Binutils PIE patch. This is now part of bintuils-2.15*)
      http://frandom.sourceforge.net/ (Frandom Homepage)
 
+LFS-6.0+, or HLFS-0.1+, are the prerequisite for the host system. Other
+systems may work but are not supported.
+
 We have two C libraries to choose from now. Glibc is very widely supported,
 stable, and fast. uClibc is designed for embedded systems, it is very small
 and is supported by most software. Both Libc's support all of the above
@@ -40,7 +43,8 @@
 Syslog-ng is using privilege seperation now. Logs are owned by user 'syslog'.
 
 See chapter02/pie.txt for info about 'ld -pie' and 'gcc -fpie'. -fpie is
-added to most (or all) programs in the book.
+added to most (or all) programs in the book; this is not a replacement to
+the hardened-specs for gcc, it is in addition.
 
 If you plan to use Iptables with Grsecurity go to:
 http://www.grsecurity.net/download.php

Modified: trunk/text/chapter01/changelog.txt
===================================================================
--- trunk/text/chapter01/changelog.txt	2005-02-04 08:08:45 UTC (rev 143)
+++ trunk/text/chapter01/changelog.txt	2005-02-04 19:09:44 UTC (rev 144)
@@ -43,3 +43,7 @@
 February 2nd, 2005 [Robert]
 Added fpie patches for Binutils and GCC.
 
+February 4rth, 2005 [Robert]
+Added several hardened_cflags patches. Added a note about the blowfish-passwords
+hint for shadow-utils.
+

Modified: trunk/text/chapter03/patches.txt
===================================================================
--- trunk/text/chapter03/patches.txt	2005-02-04 08:08:45 UTC (rev 143)
+++ trunk/text/chapter03/patches.txt	2005-02-04 19:09:44 UTC (rev 144)
@@ -35,12 +35,14 @@
 http://www.linuxfromscratch.org/patches/downloads/hlfs/module-init-tools-3.1-nostatic-1.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/perl-5.8.6-libc-1.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/perl-5.8.6-uClibc-1.patch
+http://www.linuxfromscratch.org/patches/downloads/hlfs/procps-3.2.4-hardened_cflags-1.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/readline-5.0-fixes-1.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/shadow-4.0.7-uClibc-1.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/uClibc-0.9.27-config-1.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/uClibc-0.9.27-ssp-2.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/util-linux-2.12q-fPIC-1.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/util-linux-2.12q-cramfs-1.patch
+http://www.linuxfromscratch.org/patches/downloads/hlfs/util-linux-2.12q-hardened_cflags-1.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/util-linux-2.12q-nologin-1.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/vim-6.3-security_fix-1.patch
 
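Review bot: The two added entries, like the rest of the list, are plain `http://` URLs with no digest beside them, so a builder cannot confirm that the hardened_cflags patches they fetched are the ones the book intends. These patches change how system binaries are compiled, so a recorded checksum per entry would help, for example a line such as `<digest-of-patch>  procps-3.2.4-hardened_cflags-1.patch` (placeholder, to be filled in by the maintainer). Whether digests are published elsewhere in the book is not visible from this hunk.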

Modified: trunk/text/chapter06/33-texinfo.txt
===================================================================
--- trunk/text/chapter06/33-texinfo.txt	2005-02-04 08:08:45 UTC (rev 143)
+++ trunk/text/chapter06/33-texinfo.txt	2005-02-04 19:09:44 UTC (rev 144)
@@ -1,6 +1,7 @@
 - Chapter 6 - Texinfo 4.8
 
-sed -e 's/^CFLAGS .*$/& -pie -fpie/' -i {info,makeinfo,util}/Makefile.in &&
+sed -e 's/^CFLAGS .*$/& -pie -fpie/' \
+	-i {info,makeinfo,util}/Makefile.in &&
 ./configure --prefix=/usr ${disable_nls} &&
 make
 

Modified: trunk/text/chapter06/45-gzip.txt
===================================================================
--- trunk/text/chapter06/45-gzip.txt	2005-02-04 08:08:45 UTC (rev 143)
+++ trunk/text/chapter06/45-gzip.txt	2005-02-04 19:09:44 UTC (rev 144)
@@ -1,9 +1,7 @@
 - Chapter 6 - Installing Gzip 1.3.5
 
-# See chapter 5's Gzip page for an explanation to the DEFS variable.
-
-env DEFS=NO_ASM CC="gcc -pie -fPIE" \
-./configure --prefix=/usr ${disable_nls} &&
+sed -e 's/^CFLAGS .*$/& -pie -fpie/' -i Makefile.in &&
+env DEFS=NO_ASM ./configure --prefix=/usr ${disable_nls} &&
 sed -i 's@"BINDIR"@/bin at g' gzexe.in &&
 make &&
 make install &&
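Review bot: The added `sed -e 's/^CFLAGS .*$/& -pie -fpie/' -i Makefile.in` exits 0 even when no line matches, so if a Makefile.in spells the assignment differently (for example `CFLAGS=` with no space) the `&&` chain carries on and the binary is built without the intended flags. The previous `CC="gcc -pie -fPIE"` form reached the link step unconditionally, whereas `-pie` placed in CFLAGS only takes effect if the link rule uses CFLAGS, which is not visible here. A cheap guard is `grep -q -- '-fpie' Makefile.in &&` straight after the sed, and after the build `readelf -h gzip | grep 'Type:'` should report DYN. The same sed is added in 47-man.txt (man2html), 48-make.txt, 49-module-init-tools.txt, 50-patch.txt, 52-psmisc.txt and 53-shadow.txt. The command chain continues past the end of this hunk.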

Modified: trunk/text/chapter06/47-man.txt
===================================================================
--- trunk/text/chapter06/47-man.txt	2005-02-04 08:08:45 UTC (rev 143)
+++ trunk/text/chapter06/47-man.txt	2005-02-04 19:09:44 UTC (rev 144)
@@ -3,15 +3,22 @@
 sed -i 's at -is@&R at g' configure &&
 sed -i 's at MANPATH./usr/man@#&@g' src/man.conf.in
 
+# This will add CFLAGS to the top of the src makefile, since it has no default
+# CFLAGS.
+
+sed -e '1,0s/^/CFLAGS+=-pie -fpie\n&/' -i src/Makefile.in
+
+# This will append -fpie to the CFLAGS in the man2html directory.
+
+sed -e 's/^CFLAGS .*$/& -pie -fpie/' -i man2html/Makefile.in
+
 # "+lang none" is like --disable-nls. If you want to disable native language
-# support use this command.
+# support use this command (like for uClibc).
 
-CC="gcc -pie -fPIE" \
 ./configure -confdir=/etc +lang none
 
-# Else use this one.
+# Else use this one (like for Glibc).
 
-CC="gcc -pie -fPIE" \
 ./configure -confdir=/etc
 
 # Then make Man.
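Review bot: The address in `sed -e '1,0s/^/CFLAGS+=-pie -fpie\n&/' -i src/Makefile.in` is hard to read: `1,0` selects only line 1, the trailing `&` stands for an empty match, and `\n` in the replacement is a GNU sed extension. `sed -e '1s/^/CFLAGS+=-pie -fpie\n/' -i src/Makefile.in` does the same thing more plainly. Because the line is prepended, any later plain `CFLAGS =` assignment in src/Makefile.in would override it; the comment says there is no default, and it would help to state that this was checked for this Man version. The second new comment says it appends `-fpie` while the command appends `-pie -fpie`; `# This will append -pie -fpie to the CFLAGS in the man2html directory.` matches the command.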

Modified: trunk/text/chapter06/48-make.txt
===================================================================
--- trunk/text/chapter06/48-make.txt	2005-02-04 08:08:45 UTC (rev 143)
+++ trunk/text/chapter06/48-make.txt	2005-02-04 19:09:44 UTC (rev 144)
@@ -1,6 +1,6 @@
 - Chapter 6 - Installing Make 3.80
 
-env CC="gcc -pie -fPIE" \
+sed -e 's/^CFLAGS .*$/& -pie -fpie/' -i Makefile.in &&
 ./configure --prefix=/usr ${disable_nls} &&
 make
 

Modified: trunk/text/chapter06/49-module-init-tools.txt
===================================================================
--- trunk/text/chapter06/49-module-init-tools.txt	2005-02-04 08:08:45 UTC (rev 143)
+++ trunk/text/chapter06/49-module-init-tools.txt	2005-02-04 19:09:44 UTC (rev 144)
@@ -1,6 +1,9 @@
 - Chapter 6 - Module-Init-Tools 3.1
 
+# This patch removes insmod.static, it is not needed on modern Linux systems.
+
 patch -Np1 -i ../module-init-tools-3.1-nostatic-1.patch &&
+sed -e 's/^CFLAGS .*$/& -pie -fpie/' -i Makefile.in &&
 ./configure --prefix="" --enable-zlib ${disable_nls} &&
 make DOCBOOKTOMAN=""
 

Modified: trunk/text/chapter06/50-patch.txt
===================================================================
--- trunk/text/chapter06/50-patch.txt	2005-02-04 08:08:45 UTC (rev 143)
+++ trunk/text/chapter06/50-patch.txt	2005-02-04 19:09:44 UTC (rev 144)
@@ -1,6 +1,6 @@
 - Chapter 6 - Patch 2.5.9
 
-env CC="gcc -pie -fPIE" \
+sed -e 's/^CFLAGS .*$/& -pie -fpie/' -i Makefile.in &&
 ./configure --prefix=/usr ${disable_nls} &&
 make &&
 make install

Modified: trunk/text/chapter06/51-procps.txt
===================================================================
--- trunk/text/chapter06/51-procps.txt	2005-02-04 08:08:45 UTC (rev 143)
+++ trunk/text/chapter06/51-procps.txt	2005-02-04 19:09:44 UTC (rev 144)
@@ -1,5 +1,6 @@
 - Chapter 6 - Installing Procps 3.2.4
 
+patch -Np1 -i ../procps-3.2.4-hardened_cflags-1.patch &&
 make &&
 make install
 

Modified: trunk/text/chapter06/52-psmisc.txt
===================================================================
--- trunk/text/chapter06/52-psmisc.txt	2005-02-04 08:08:45 UTC (rev 143)
+++ trunk/text/chapter06/52-psmisc.txt	2005-02-04 19:09:44 UTC (rev 144)
@@ -1,6 +1,6 @@
 - Chapter 6 - Installing Psmisc 21.5
 
-env CC="gcc -pie -fPIE" \
+sed -e 's/^CFLAGS .*$/& -pie -fpie/' -i src/Makefile.in &&
 ./configure --prefix=/usr --exec-prefix="" \
 	${disable_nls} &&
 make &&

Modified: trunk/text/chapter06/53-shadow.txt
===================================================================
--- trunk/text/chapter06/53-shadow.txt	2005-02-04 08:08:45 UTC (rev 143)
+++ trunk/text/chapter06/53-shadow.txt	2005-02-04 19:09:44 UTC (rev 144)
@@ -1,11 +1,16 @@
 - Chapter 6 - Installing Shadow 4.0.7
 
+# If you want to use blowfish passwords then read this hint:
+# http://www.linuxfromscratch.org/hints/downloads/files/blowfish-passwords.txt
+# And remember to use --disable-static when installing libxcrypt.
+
 # This patch is needed for uClibc.
 
 patch -Np1 -i ../shadow-4.0.7-uClibc-1.patch
 
 #
 
+sed -e 's/^CFLAGS .*$/& -pie -fpie/' -i src/Makefile.in &&
 ./configure --libdir=/lib --enable-shared \
 	--disable-static ${disable_nls} &&
 sed -i 's/groups$(EXEEXT) //' src/Makefile &&
@@ -13,9 +18,9 @@
 make &&
 make install &&
 install -m644 etc/{limits,login.access} /etc &&
-sed -e's@#MD5_CRYPT_ENAB.no at MD5_CRYPT_ENAB yes@' \
+sed -e 's@#MD5_CRYPT_ENAB.no at MD5_CRYPT_ENAB yes@' \
 	-e 's@/var/spool/mail@/var/mail@' \
-	< etc/login.defs.linux > etc/login.defs.new &&
+	etc/login.defs.linux > etc/login.defs.new &&
 install -m644 etc/login.defs.new /etc/login.defs &&
 mv /usr/bin/passwd /bin &&
 rm /lib/libshadow.so &&
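Review bot: The login.defs edit still switches on `MD5_CRYPT_ENAB` unconditionally, while the comment added at the top of this file sends readers to the blowfish-passwords hint, and nothing says how this step relates to the hint. A comment above the sed would settle it, e.g. `# Enables MD5 password hashes; if you followed the blowfish-passwords hint, check whether it changes this setting.` Separately, the expression appears on this page as `.no at MD5_CRYPT_ENAB`, which looks like the list archive's address obfuscation replacing an `@` delimiter; copied as shown, sed would reject it, so the command is better taken from the repository than from this page. The command chain starts before and continues after this hunk.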

Modified: trunk/text/chapter06/54-util-linux.txt
===================================================================
--- trunk/text/chapter06/54-util-linux.txt	2005-02-04 08:08:45 UTC (rev 143)
+++ trunk/text/chapter06/54-util-linux.txt	2005-02-04 19:09:44 UTC (rev 144)
@@ -17,9 +17,13 @@
 
 patch -Np1 -i ../util-linux-2.12q-nologin-1.patch
 
-# Configure make make util-linux.
+# Configure util-linux.
 
-./configure &&
+patch -Np1 -i ../util-linux-2.12q-hardened_cflags-1.patch &&
+./configure
+
+# Add "DISABLE_NLS=yes" to disable native language support.
+
 make HAVE_KILL=yes HAVE_SLN=yes
 
 # Then install util-linux.
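Review bot: Dropping the `&&` after `./configure` makes `make HAVE_KILL=yes HAVE_SLN=yes` a separate command, so when these lines are pasted or scripted as a block it still runs after the new `patch -Np1 -i ../util-linux-2.12q-hardened_cflags-1.patch` step fails, and util-linux is then built without the hardened flags. Keeping the chain intact avoids that: move the `DISABLE_NLS=yes` comment above the patch line and leave `./configure &&` directly before `make`. The contents of the hardened_cflags patch are not part of this commit, so what it changes cannot be reviewed from here.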
@@ -29,5 +33,5 @@
 # The /sbin/nologin program can read /etc/nologin.txt to display the message
 # in it. If this file does not exist it will use a hardcoded message instead.
 
-echo "This account is currently not available." > /etc/nologin.txt
+echo "This account is not available." > /etc/nologin.txt
 



