
#26 2013-12-01 11:03:35

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: -fPIC -fPIE why are they gone? No Arch simply has no ASLR support?

One thing is for sure: no one but the user who installs software needs to have write permissions to the file-system `ls` is on.

Hey, I actually got a working install of Hardened Gentoo :)
I tried a long time ago when I first decided to use grsecurity, but could not get it to boot. That modprobed-db in the AUR is super handy. I just went through plugging everything I have into my laptop, mounting loop devices and all that stuff. Then enabled all IPv4 & IPv6 and basically all networking stuff, but don't need ATM :P And, well, I still spent like 3 hours going through the config, but it only took 7 mins to build instead of ~50 mins.

There is some weirdness going on over in Gentoo though. Like, they don't want to move to Systemd, so it's like the shaky ground of what is supported and what is not. I went with the OpenRC init because the docs were.. well, they had docs. I kind of think either way I would feel like I made a bad choice, but going all Hardened and stuff I felt/guessed that I'd get the best support with OpenRC.

Anyway, I have it installed on another LV, so now I have a dual Arch/Gentoo setup. I think I'll leave my servers on Arch until I get used to the Gentoo stuff.

There is this Lilblue / Hardened uClibc project that just started. It is very interesting. I think after I bork this install of Gentoo I may test that out. uClibc is what embedded Linux normally uses, but it just got a native POSIX thread library so they could fully harden the toolchain. Lilblue is using it as a glibc replacement and not trying to build a small or embedded OS. It looks very interesting.

There seem to be a lot of jobs developing embedded Linux. It may be a fun way to learn one of the tools used.

Last edited by hunterthomson (2013-12-01 11:05:09)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec


#27 2013-12-02 02:52:17

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,132

Re: -fPIC -fPIE why are they gone? No Arch simply has no ASLR support?

hunterthomson wrote:

One thing is for sure: no one but the user who installs software needs to have write permissions to the file-system `ls` is on.

Surely that is true for all binaries installed system-wide?


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#28 2013-12-02 05:33:10

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: -fPIC -fPIE why are they gone? No Arch simply has no ASLR support?

I'm happy to hear that everything else I have said is so undeniably true that the only thing you can even begin to question is the value of a hierarchical directory structure :)

Well, I'm sure I'll give Gentoo another shot some other time, but *uk that. Sure, I have no doubt that it would be noticeably more resistant to exploitation using ASLR. However, my confidence in the system staying operational would not be anywhere close to my confidence in Arch staying operational. I am 100% sure it would become unusable in a very short period of time. In other words, it would be less secure.

Plus, I simply don't have time to keep track of each USE flag twenty or so packages need. Once Gentoo has realized that Systemd is your only choice I'll try it again.

Last edited by hunterthomson (2013-12-02 05:37:08)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

