El_Goretto (Moderator) | Joined: 29 May 2004 | Posts: 3169 | Location: Paris
Posted: Tue May 28, 2013 11:19 am | Post subject: [hardened] Alternatives to glibc?
Hi,
I've been quite happy with my current gentoo "hardened" setup/profile for a while now. I even switched from udev to mdev with success.
So I'm now looking for some other challenge, like: is it possible to switch from glibc to another libc library, on a machine with hardened profile and toolchain (SSP and PIE stuff)?
I'm thinking of dietlibc or uclibc.
--
edit: really comforting: http://www.gentoo.org/proj/en/hardened/uclibc/index.xml
Has anyone tried uclibc?
Because uclibc is explicitly masked on hardened profile and use flag.
_________________
-TrueNAS & jails: µ-serv Gen8 E3-1260L, 16Go ECC + µ-serv N40L, 10Go ECC
-Network: APU2C4 (OpenWRT) + GS726Tv3 + 2x GS108Tv2 + Archer C5v1 (OpenWRT)
Veldrin (Veteran) | Joined: 27 Jul 2004 | Posts: 1945 | Location: Zurich, Switzerland
Posted: Tue May 28, 2013 11:36 am
I gave it a short try in a chroot, but did not deploy the build.
In a nutshell, the core system and server services seem to work fine, but I wanted it for my notebook, and I ran into some issues when moving towards a DE.
Also, it does not support multilib (bye bye proprietary packages), and, the main reason for my trouble, some (at least in my case) essential packages have trouble with uclibc (iirc mit-krb5, icedtea).
ATM, I have stopped my experiment due to lack of time.
edit: I am not sure if you can switch the libc without major breakage. I guess a clean install may be a faster and safer approach.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
El_Goretto (Moderator) | Joined: 29 May 2004 | Posts: 3169 | Location: Paris
Posted: Tue May 28, 2013 11:54 am
Thank you for your feedback Veldrin.
I'm not running proprietary software nor a DE, but icedtea could be problematic (I2P software there).
I just saw a hardened/linux/uclibc/amd64 profile. Switching to it without reinstalling from scratch is so tempting ^^
That would be another question: has someone succeeded in migrating from hardened/linux/amd64 to hardened/linux/uclibc/amd64 "on the fly"?
khayyam (Watchman) | Joined: 07 Jun 2012 | Posts: 6227 | Location: Room 101
Posted: Tue May 28, 2013 12:14 pm
El_Goretto wrote:
> That would be another question, if someone succeeded to migrate from hardened/linux/amd64 to hardened/linux/uclibc/amd64 "on the fly".

El_Goretto ... you won't be able to do this; swapping out glibc with uclibc would cause similar issues to changing CHOST. However, there are stage3s in 'experimental' and there is a project page.
best ... khay
xaviermiller (Bodhisattva) | Joined: 23 Jul 2004 | Posts: 8706 | Location: ~Brussels - Belgique
Posted: Tue May 28, 2013 12:22 pm
It will be worse than changing CHOST, since libc will be replaced with an incompatible one.
_________________
Kind regards,
Xavier Miller
El_Goretto (Moderator) | Joined: 29 May 2004 | Posts: 3169 | Location: Paris
Posted: Tue May 28, 2013 12:44 pm
I'm not so sure.
Can you install another libc and "start using it" (i.e. emerging) without violently removing the old one, and thus breaking the binaries that have not yet been recompiled?
khayyam (Watchman) | Joined: 07 Jun 2012 | Posts: 6227 | Location: Room 101
Posted: Tue May 28, 2013 12:50 pm
El_Goretto wrote:
> I'm not so sure. Can you install another libc, and "start using it" (ie emerging), without violently removing the old one? Thus breaking not yet recompiled binaries.

El_Goretto ... glibc isn't slotted, so it's replaced, but as it's mostly backward compatible there is far less chance of some library mismatch (though updating a major glibc revision could also cause issues). This is not true of uclibc; it's an entirely different library. That said, it's not something I've attempted, but you're more than likely to have issues.
best ... khay
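As an added example (not code from the thread or from Gentoo), the following Python script reads each ELF file's PT_INTERP segment to report which dynamic loader, and hence which libc, it was linked against, so the binaries that would stop working after the libc replacement described above can be inventoried before and after the switch. The loader-name-to-libc mapping and the constructed test ELF are assumptions of this example.

```python
import struct, sys

PT_INTERP = 3  # program header type that names the dynamic loader

def elf_interp(blob):
    """Return the PT_INTERP (loader) path of an ELF image, or None if absent."""
    if len(blob) < 52 or blob[:4] != b"\x7fELF":
        return None
    is64 = blob[4] == 2                 # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if blob[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big
    if is64:
        e_phoff = struct.unpack_from(end + "Q", blob, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", blob, 54)
        ph_fmt, off_ix, size_ix = "IIQQQQQQ", 2, 5   # p_offset, p_filesz
    else:
        e_phoff = struct.unpack_from(end + "I", blob, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", blob, 42)
        ph_fmt, off_ix, size_ix = "IIIIIIII", 1, 4
    for i in range(e_phnum):
        ph = struct.unpack_from(end + ph_fmt, blob, e_phoff + i * e_phentsize)
        if ph[0] == PT_INTERP:
            off, size = ph[off_ix], ph[size_ix]
            return blob[off:off + size].rstrip(b"\0").decode("ascii", "replace")
    return None

LOADERS = (("ld-uClibc", "uclibc"), ("ld-musl", "musl"),
           ("ld-linux", "glibc"), ("ld.so", "glibc"))  # assumed loader names
def libc_family(interp):
    """Map a loader path to the libc it belongs to; None means static or not ELF."""
    if interp is None:
        return "static-or-not-elf"
    name = interp.rsplit("/", 1)[-1]
    for prefix, family in LOADERS:
        if name.startswith(prefix):
            return family
    return "unknown"

def build_test_elf(interp):
    """Constructed minimal 64-bit LE ELF with one PT_INTERP segment (not executable)."""
    body = interp.encode() + b"\0"
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 120, 0, 0, len(body), len(body), 1)
    return ehdr + phdr + body

if __name__ == "__main__":  # usage: python elf_interp.py /bin/* /usr/bin/*
    for path in sys.argv[1:]:
        with open(path, "rb") as f:  # program headers sit at the file start
            print(libc_family(elf_interp(f.read(65536))), path)
```

After a libc switch, any binary still reporting glibc has not been recompiled and will fail to start once the old loader and libc are gone.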
ulenrich (Veteran) | Joined: 10 Oct 2010 | Posts: 1480
Posted: Tue May 28, 2013 2:03 pm | Post subject: Always big is bad?
Is this because of
> Ilja van Sprundel did recommend using dietlibc or uClibc over glibc, which he found to be "super bloated"
discussed at:
http://www.phoronix.com/scan.php?page=news_item&px=MTM3ODA
Is BIG really always BAD?
Not a programmer but having the choice:
If I could (re-)use the functions of a big fat glibc, or
use "dietlibc" but miss some functions I would have to construct myself,
wouldn't my program be more secure and performant using the big fat glibc?
Isn't this sentence of Ilja van Sprundel just FUD?
El_Goretto (Moderator) | Joined: 29 May 2004 | Posts: 3169 | Location: Paris
Posted: Tue May 28, 2013 2:42 pm
Ok, thanks for your answers everyone.
@ulenrich: Given that the security of a program is also the security of the libraries it uses, no. If not, then I would recommend reconsidering programming.
This fellow is absolutely not the only one having something to say about glibc. I attended a security conference last year (SSTIC 2012/France, but I can't find the name of the guy); he said almost exactly the same thing (to the extent that I wonder whether they at least worked together).
Ant P. (Watchman) | Joined: 18 Apr 2009 | Posts: 6920
Posted: Tue May 28, 2013 8:00 pm
You could give sys-libs/musl a try. From looking at the ebuild it seems like you have to cross-compile if you want it as system libc, but it definitely seems possible.
El_Goretto (Moderator) | Joined: 29 May 2004 | Posts: 3169 | Location: Paris
Posted: Mon Jul 01, 2013 4:55 pm
If anyone has a relevant opinion about this, I was wondering whether reporting bugs related to the hardened/uclibc profile (flagged as experimental) in the standard gentoo bugzilla is the best way to go?