stupid newbie question

Robert Connolly robert at linuxfromscratch.org
Sat Jul 23 12:41:15 PDT 2005


On July 23, 2005 02:17 pm, Jaap Struyk wrote:
> ...
> I'am sorry for misleading you, I ment it for usage after the hlfs build.
> Since going beyond hlfs is yust starting I was hoping on an easy way for
> adding those options to other packages. (and if an particilary package
> would fail to remove them for that one)

With the hardened_specs.sh script in chapter 5's gcc pass2, 
-fstack-protector-all will always be used unless you use 
-fno-stack-protector. Only a handfull of software, like parts of glibc, xorg, 
and arts, will need -fno-stack-protector. Using -fpie isn't actually 
necessary. -fpie is mainly usefull if you use -finline-functions or -O3. 
-fpie will let position independent programs run a little bit faster, 
compared to using -fpic. With the hardened_specs.sh script -fpic is used on 
everything unless -pie is used. So we use -pie and -fpie together, which is 
how the gcc man page suggests too. This page:
http://www.linuxfromscratch.org/hlfs/view/unstable/glibc/chapter02/pie.html
explains this a bit more.

If you build a library with -fpie it may or may not work. Shared libraries 
(.so files) should always be position independent, compiled with -fpic and 
not -fpie. Static libraries (.a files) don't need -fpic, but it doesn't hurt 
(they will run a little bit slower). Its a good idea for us to build static 
libraries with -fpic because some software links static libraries directly 
into the program executable. If you build a library with -fpie it will not be 
position independent, it will be miscompiled.

> > > Another thing, do I need grsecurity/pax in the kernel?
> >
> > You don't have to. You can use other patches, or vanilla, if you want.
> > The grsecurity patch has a lot of nice optional features that don't
> > reduce performance much, so I'm not sure why you wouldn't want to use it.
>
> I noticed some cool things in there, particaly for chrooted things. (and
> a lot more I don't understand)
> It's a bit to much for me building and setting up my new server and also
> looking into grsec at the same time, so I was planning on looking in
> that later on.

All the position independent stuff isn't a security benefit without kernel 
features. Either PaX, exe-shield, randomized prelinking, or w^x. PaX is the 
best of these. All the PaX options can be enabled, but read the help on the 
kernel page in the book. But if you compiled some of your libraries with 
-fpie then they probably will not work with a PaX enabled kernel.

> Apart from that, it will also replace my freevo box so it will do some
> heavy multimedia things and I have no clue or grsec is alowing all of
> that.
> I started with a 2.6.11.12-grsec-supermount-psuedo_random kernel, but
> both ivtv and nvidia failed to build so it has to wait a little.

I have built a complete desktop, with kde and multimedia, with almost all the 
grsecurity and pax options, using glibc. It should be fine. Unzip and zip 
need tweaking to disable assembly, and kde-multimedia and some others need 
tweaking to --disable-mmx.

robert



More information about the hlfs-dev mailing list