r145 - in trunk/text: chapter01 chapter03 chapter06 chapter07

robert at linuxfromscratch.org robert at linuxfromscratch.org
Fri Feb 4 16:26:14 PST 2005


Author: robert
Date: 2005-02-04 17:26:14 -0700 (Fri, 04 Feb 2005)
New Revision: 145

Modified:
   trunk/text/chapter01/changelog.txt
   trunk/text/chapter03/patches.txt
   trunk/text/chapter06/56-syslog-ng.txt
   trunk/text/chapter06/57-sysvinit.txt
   trunk/text/chapter06/58-tar.txt
   trunk/text/chapter06/60-paxctl.txt
   trunk/text/chapter06/61-stripping.txt
   trunk/text/chapter07/10-kernel.txt
Log:
upgraded grsecurity, plus updates

Modified: trunk/text/chapter01/changelog.txt
===================================================================
--- trunk/text/chapter01/changelog.txt	2005-02-04 19:09:44 UTC (rev 144)
+++ trunk/text/chapter01/changelog.txt	2005-02-05 00:26:14 UTC (rev 145)
@@ -45,5 +45,6 @@
 
 February 4rth, 2005 [Robert]
 Added several hardened_cflags patches. Added a note about the blowfish-passwords
-hint for shadow-utils.
+hint for shadow-utils. New grsecurity patch, they switched to the 'as' kernel
+tree. Added as3 kernel tree patch.
 

Modified: trunk/text/chapter03/patches.txt
===================================================================
--- trunk/text/chapter03/patches.txt	2005-02-04 19:09:44 UTC (rev 144)
+++ trunk/text/chapter03/patches.txt	2005-02-05 00:26:14 UTC (rev 145)
@@ -22,17 +22,17 @@
 http://www.linuxfromscratch.org/patches/downloads/hlfs/glibc-2.3.4-fstack_protector-1.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/glibc-2.3.4-pt_pax-1.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/glibc-2.3.4-ssp_frandom-6.patch
-http://www.grsecurity.net/grsecurity-2.1.0-2.6.10-200501081640.patch
+http://grsecurity.net/grsecurity-2.1.1-2.6.10-as2-200501242254.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/inetutils-1.4.2-kernel_headers-1.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/inetutils-1.4.2-no_server_man_pages-1.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/iproute2-2.6.9_ss040831-find_update-1.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/iproute2-2.6.9_ss040831-remove_db-1.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/lfs-bootscripts-3.1.0-hlfs-2.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/linux-2.6.10-frandom-1.patch
-http://www.grsecurity.net/linux-2.6.10-secfix-200501071130.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/linux-libc-headers-2.6-frandom-2.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/mktemp-1.5-add_tempfile-1.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/module-init-tools-3.1-nostatic-1.patch
+http://www.acm.rpi.edu/~dilinger/patches/2.6.10/as3/patch-2.6.10-as3.gz
 http://www.linuxfromscratch.org/patches/downloads/hlfs/perl-5.8.6-libc-1.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/perl-5.8.6-uClibc-1.patch
 http://www.linuxfromscratch.org/patches/downloads/hlfs/procps-3.2.4-hardened_cflags-1.patch
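Review bot: The newly added `patch-2.6.10-as3.gz` is fetched over plain HTTP from a personal web directory rather than from kernel.org, and like every other entry in this list it carries no checksum or signature, so a reader has no way to tell a tampered kernel patch from the real one before chapter 7 applies it to the source tree. Since this patch and the replacement grsecurity entry on the line above it are the hardening basis of the whole build, consider recording an md5sum (and size) next to each entry or in a companion checksum list, and, where an upstream publishes detached signatures for its patches, pointing at those as well. A one-line note at the top of the list saying that downloads must be verified before use would also be in keeping with the book's purpose.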

Modified: trunk/text/chapter06/56-syslog-ng.txt
===================================================================
--- trunk/text/chapter06/56-syslog-ng.txt	2005-02-04 19:09:44 UTC (rev 144)
+++ trunk/text/chapter06/56-syslog-ng.txt	2005-02-05 00:26:14 UTC (rev 145)
@@ -1,10 +1,15 @@
 - Chapter 6 - Syslog-ng 1.6.5
 
 # We are using syslog-ng's privilege drop, so it will run as an unprivileged
-# user.
+# user. Users and groups numbered under 100 are typically system users,
+# although they have no different privileges than other users. Inviting/adding
+# this user to other groups, such as group daemon, would only increase this
+# user's privileges. So it is suggested this user is only a member of their own
+# dedicated group.
 
-groupadd syslog &&
-useradd -g syslog -s /sbin/nologin -d /var/log -c 'Syslog daemon' syslog
+groupadd -g 25 syslog &&
+useradd -u 25 -g syslog -s /sbin/nologin \
+	-d /var/log -c 'Syslog daemon' syslog
 
 # Syslog-ng likes to have its own directory in /etc, but its only for one
 # file. This command will get rid of the syslog-ng sub-directory in /etc
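Review bot: `groupadd -g 25 syslog` and `useradd -u 25 ...` hard-code an id without checking whether 25 is already in use on the host; `useradd` refuses a duplicate UID without `-o`, so on such a host the chain stops here and the later `chown syslog:syslog` steps would act on a user that does not exist. A guard such as `getent passwd 25 && { echo 'uid 25 already in use'; false; }` before the `groupadd`, or at least a comment stating the assumption, would make that explicit. The comment could also say why 25 was chosen and add that `/var/log` is used as the home directory only for lack of a better one and must stay root-owned (presumably `useradd` is not creating it here, but if CREATE_HOME ever applies the directory would be owned by the daemon user, letting a compromised syslog-ng unlink any log file).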
@@ -20,6 +25,7 @@
 
 # Then build and install Syslog-ng.
 
+sed -e 's/^CFLAGS .*$/& -pie -fpie/' -i src/Makefile.in &&
 ./configure --prefix=/usr --sysconfdir=/etc &&
 make &&
 make install
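Review bot: The added `sed -e 's/^CFLAGS .*$/& -pie -fpie/' -i src/Makefile.in` silently does nothing if the line is not spelled exactly `CFLAGS ` followed by a space (for example `CFLAGS=` or a tab), and `sed -i` exits 0 either way, so the `&&` chain continues and a non-PIE syslog-ng is installed with no indication that the hardening was dropped. A cheap check after the sed, `grep -q -- '-fpie' src/Makefile.in &&`, turns that into a build failure. A short comment that `-pie` only reaches the linker because the generated Makefile links with `$(CFLAGS)` would also help the next person who edits this.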
@@ -27,10 +33,14 @@
 # The syslog user will need permission to write to the logs. They must be
 # created in advance.
 
-touch /var/log/{auth,cron,daemon,kern,lpr,mail,news,syslog}.log &&
-touch /var/log/{user,uucp,local,critical,alert,emergency,messages}.log &&
-chown syslog /var/log/{auth,cron,daemon,kern,lpr,mail,news,syslog}.log &&
-chown syslog /var/log/{user,uucp,local,critical,alert,emergency,messages}.log
+touch /var/log/{auth,critical,cron,daemon,messages,syslog,user}.log &&
+chmod 600 /var/log/{auth,critical,cron,daemon,messages,syslog,user}.log &&
+chown syslog:syslog \
+	/var/log/{auth,critical,cron,daemon,messages,syslog,user}.log &&
+touch /var/log/{alert,emergency,kern,local,lpr,mail,news,uucp}.log &&
+chmod 644 /var/log/{alert,emergency,kern,local,lpr,mail,news,uucp}.log &&
+chown syslog:syslog \
+	/var/log/{alert,emergency,kern,local,lpr,mail,news,uucp}.log
 
 # Then create a config file for Syslog-ng. Please note some configurations
 # log everything to /dev/tty12. If you wish to do this then /var/log/dev
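Review bot: The split between `chmod 600` (auth, critical, cron, daemon, messages, syslog, user) and `chmod 644` (alert, emergency, kern, local, lpr, mail, news, uucp) is not explained, and `kern.log` being world-readable deserves a second look: as far as I know grsecurity/PaX violation reports (terminated-task messages with addresses, RBAC denials) go out through the kernel facility, so an unprivileged local user could read them from kern.log and learn what the hardening is supposed to hide. Suggest `chmod 600` for kern.log (mail.log, which records sender and recipient addresses, is a similar case) or a comment justifying 644 for each file in that group. It is also worth a sentence in the comment that because the files are owned by the syslog user, a compromised syslog-ng can truncate or rewrite them, and that `chattr +a` is the usual mitigation where the filesystem supports it.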

Modified: trunk/text/chapter06/57-sysvinit.txt
===================================================================
--- trunk/text/chapter06/57-sysvinit.txt	2005-02-04 19:09:44 UTC (rev 144)
+++ trunk/text/chapter06/57-sysvinit.txt	2005-02-05 00:26:14 UTC (rev 145)
@@ -8,7 +8,8 @@
 
 sed -i 's at Sending processes@& started by init at g' \
     src/init.c &&
-make -C src CC="gcc -pie -fPIE" &&
+sed -e 's/^CFLAGS.*$/& -pie -fpie/' -i src/Makefile &&
+make -C src &&
 make -C src install
 
 # Then create a configuration file.
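Review bot: The new `sed -e 's/^CFLAGS.*$/& -pie -fpie/' -i src/Makefile` replaces a `CC="gcc -pie -fPIE"` override that applied to every compile and link line, but the sed only has an effect if src/Makefile contains a line starting with `CFLAGS`, and `sed -i` returns 0 even when nothing matched, so a silent no-match builds a non-PIE init with no error. Adding `grep -q -- '-fpie' src/Makefile &&` after the sed would catch that, and since this is a hand-written Makefile it is worth confirming (and noting in a comment) that its link rule actually passes `$(CFLAGS)`, otherwise `-pie` never reaches the linker. Note also that the pattern here is `^CFLAGS.*` while the syslog-ng and tar edits in this commit use `^CFLAGS .*` with a space; using one form in all three makes the intent easier to audit.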

Modified: trunk/text/chapter06/58-tar.txt
===================================================================
--- trunk/text/chapter06/58-tar.txt	2005-02-04 19:09:44 UTC (rev 144)
+++ trunk/text/chapter06/58-tar.txt	2005-02-05 00:26:14 UTC (rev 145)
@@ -1,6 +1,6 @@
 - Chapter 6 - Installing Tar 1.15.1
 
-env CC="gcc -pie -fPIE" \
+sed -e 's/^CFLAGS .*$/& -pie -fpie/' -i {rmt,src}/Makefile.in &&
 ./configure --prefix=/usr --bindir=/bin \
 	--libexecdir=/usr/sbin ${disable_nls} &&
 make
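Review bot: `sed -e 's/^CFLAGS .*$/& -pie -fpie/' -i {rmt,src}/Makefile.in` edits two files and exits 0 even if one of them has no matching `CFLAGS ` line, so a missed match in either quietly produces a non-PIE tar or rmt while the build reports success. A check such as `grep -q -- '-fpie' rmt/Makefile.in && grep -q -- '-fpie' src/Makefile.in &&` placed before `./configure` would make the omission fatal. The change also relies on `./configure` regenerating the Makefiles from the edited Makefile.in, which is true for this autoconf tree but deserves a one-line comment since the previous `env CC="gcc -pie -fPIE"` form did not have that dependency.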

Modified: trunk/text/chapter06/60-paxctl.txt
===================================================================
--- trunk/text/chapter06/60-paxctl.txt	2005-02-04 19:09:44 UTC (rev 144)
+++ trunk/text/chapter06/60-paxctl.txt	2005-02-05 00:26:14 UTC (rev 145)
@@ -7,7 +7,7 @@
 
 # There are currently only two programs known to need this. Grub uses
 # anonymous mapping and will be killed by PaX. The following command changes
-# Grub's flags so PaX will allow it to execute anonymous pages.
+# Grub's PaX flags.
 
 paxctl -spm /usr/sbin/grub
 
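Review bot: The new comment `# Grub's PaX flags.` drops the only explanation of what this command does; `paxctl -spm` disables three protections for grub (lowercase paxctl flags disable, so as far as I recall this is SEGMEXEC, PAGEEXEC and MPROTECT), and a reader of a hardening book should see that stated, since it is a deliberate weakening of one binary. Suggest something like `# Grub executes code from anonymous mappings, so PaX would kill it. -s, -p and -m disable SEGMEXEC, PAGEEXEC and MPROTECT for this binary only; do not apply these flags more widely.` The old comment at least kept the rationale (anonymous mappings), which is the important part to preserve.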

Modified: trunk/text/chapter06/61-stripping.txt
===================================================================
--- trunk/text/chapter06/61-stripping.txt	2005-02-04 19:09:44 UTC (rev 144)
+++ trunk/text/chapter06/61-stripping.txt	2005-02-05 00:26:14 UTC (rev 145)
@@ -11,7 +11,7 @@
 	PATH=/bin:/usr/bin:/sbin:/usr/sbin \
 	/tools/bin/bash --login
 
-# Strip the libraries. Remember, stripping unneeded or all from libraries
+# Strip the libraries. Remember, stripping 'unneeded' or 'all' from libraries
 # will destroy them.
 
 /tools/bin/find /{,usr}/lib -type f \

Modified: trunk/text/chapter07/10-kernel.txt
===================================================================
--- trunk/text/chapter07/10-kernel.txt	2005-02-04 19:09:44 UTC (rev 144)
+++ trunk/text/chapter07/10-kernel.txt	2005-02-05 00:26:14 UTC (rev 145)
@@ -19,25 +19,31 @@
 ln -s linux-2.6.10 /usr/src/linux
 
 # Install any patches for the Linux kernel to /usr/src so you can remember
-# which patches and versions are being used.
+# which patches and versions are being used. Grsecurity patches against the
+# 'as' kernel tree.
 
-# The linux-2.6.10-security_fix-1.patch in LFS is included as part of the
-# grsecurity patch.
-
 install -m444 /sources/hlfs-packages/linux-2.6.10-frandom-1.patch /usr/src &&
 install -m444 \
-	/sources/hlfs-packages/grsecurity-2.1.0-2.6.10-200501081640.patch \
+	/sources/hlfs-packages/patch-2.6.10-as3.gz /usr/src &&
+gunzip /usr/src/patch-2.6.10-as3.gz &&
+install -m444 \
+	/sources/hlfs-packages/grsecurity-2.1.1-2.6.10-as2-200501242254.patch \
 	/usr/src
-install -m444 /sources/hlfs-packages/linux-2.6.10-secfix-200501071130.patch \
-	/usr/src
 
 # Then change to the Linux source directory and apply the patch.
 
 cd /usr/src/linux &&
 patch -Np1 -i ../linux-2.6.10-frandom-1.patch &&
-patch -Np1 -i ../grsecurity-2.1.0-2.6.10-200501081640.patch &&
-patch -Np1 -i ../linux-2.6.10-secfix-200501071130.patch
+patch -Np1 -i ../patch-2.6.10-as3
 
+# This grsecurity patch is made for as2, and we are using as3. One hunk will
+# fail because of a trivial problem. This sed will fix the grsecuriy patch to
+# work with as3. The results will be correct using this:
+
+sed -e 's/EXTRAVERSION = -as2/EXTRAVERSION = -as3/' \
+	-e 's/NAME=Woozy Numbat + fixes/NAME=Rocket/' \
+	../grsecurity-2.1.1-2.6.10-as2-200501242254.patch | patch -Np1
+
 # Tip:
 # Look at 'info libc', 'System Configuration', 'General Limits'. There are
 # descrptions of values that can be hardcoded in include/linux/limits.h.
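Review bot: The comment promises that after the two `sed` substitutions "The results will be correct", but nothing checks it: the `sed ... | patch -Np1` pipeline is not part of the `&&` chain, and if as3 changed any other file that grsecurity also modifies, `patch` will leave `.rej` files and the book goes on to build a kernel with a partially applied grsecurity patch. A `--dry-run` pass first, or `test -z "$(find . -name '*.rej')"` right after the pipeline, would make a mis-apply fatal. Separately, the grsecurity patch is applied without any integrity check; grsecurity has historically published detached signatures for its patches, and verifying one here would fit the purpose of the book. The comment also has a typo, `grsecuriy`.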



