Gentoo Forums
USE=hardened breaks XOrg server
setagllib
n00b
Joined: 15 Dec 2004
Posts: 53

Posted: Wed Dec 15, 2004 8:40 am    Post subject: USE=hardened breaks XOrg server

Is this normal? I have two Gentoo rigs here, both with hardened in USE, and on neither of them did the XOrg server work (a duplicate symbol, __i686.get_pc_thunk.bx, in libbitmap.a), but removing hardened allowed one end to work (the other needs every drop of security it can get).

Does this only happen if you compile xorg-x11 with hardened, or do glibc and/or gcc affect it? I still want more security (short of running NetBSD again, which I've found to be too inconvenient without nvidia drivers) but living without X these days is pretty tough.

By the way, this is a great set of forums, I can see why Gentoo gets all the attention and progress it does. Keep it up all.
_________________
My other computer is your Windows box.
curtis119
Bodhisattva
Joined: 10 Mar 2003
Posts: 2160
Location: Phoenix, AZ USA, North America, Earth, SOL System, Milky Way, The Universe, The Cosmos, and Beyond.

Posted: Wed Dec 15, 2004 7:06 pm

There is a well known bug in the module loader that is causing this problem on hardened systems (if this is the same problem). There are several workarounds for it described in the bug report:

https://bugs.gentoo.org/show_bug.cgi?id=43177

Basically it boils down to the X module loader not being able to be built with -pie and -pic (the bug report is looong so I may be wrong about these details). You can manually patch xorg-x11-6.8.0 to make it work, but the latest version, xorg-x11-6.8.0-r4, has this fix already included. This version is hard masked at the moment but *should* work. It also requires the masked version of opengl-update.
To emerge a hard masked package, put it in your /etc/portage/package.unmask file (if you don't have this file, just create it):

Code:

=x11-base/opengl-update-2.0_pre1
=x11-base/xorg-x11-6.8.0-r4


and then

Code:

emerge =x11-base/xorg-x11-6.8.0-r4


This should allow use of the nvidia driver.
-------

Another option is to build xorg statically, this way you don't have to use the hard masked version of xorg which is ALWAYS preferable.

Code:
USE="static" emerge xorg-x11


I'm not sure if this will preclude using the nvidia driver or not but it's worth a try.

The official how to for hardened xorg is here:
http://www.gentoo.org/proj/en/hardened/hardenedxorg.xml

You can get more help on the IRC channel on freenode (www.freenode.org): #gentoo-hardened

The devs there should be able to explain this in more detail and confirm/refute what I have stated here.

Good Luck!
_________________
Gentoo: it's like wiping your ass with silk.
dbw6993
n00b
Joined: 09 Jul 2005
Posts: 1

Posted: Sat Jul 09, 2005 10:25 pm    Post subject: Xorg broken: non-hardened system

Is anyone else experiencing the libbitmap.a duplicate symbols issue who is NOT running a hardened setup? I noticed gcc was included in my last world update, but I have confirmed it was not emerged with the hardened USE flag. Has something in gcc changed that is causing this Xorg issue for everyone?
tuxmin
l33t
Joined: 24 Apr 2004
Posts: 838
Location: Heidelberg

Posted: Sun Jul 10, 2005 11:52 am

The main point of the hardened profile is that your toolchain (binutils, gcc, glibc) provides transparent support for stack smashing protection (SSP), position independent code (PIC) and position independent executables (PIE).
There are some apps that won't work with this, e.g. xorg. But I thought the hardened profile takes care of this.
You might want to recompile your whole system using the hardened profile and then use chpax to disable all PaX features on xorg if you use a grsec kernel.
Even better, emerge "rc-update -a chpax" and let Gentoo do the work for you.

Read here for details.


Hth, Alex!!!
_________________
ALT-F4
saber850
Tux's lil' helper
Joined: 21 Mar 2004
Posts: 115
Location: NY

Posted: Tue Jul 12, 2005 7:31 pm    Post subject: Re: Xorg broken: non-hardened system

dbw6993 wrote:
Is anyone else experiencing the libbitmap.a duplicate symbols issue who is NOT running a hardened setup?

I am running into this now. xorg-x11-6.8.2-r2 was available some time ago (via emerge -up world) so I emerged it. But since I haven't rebooted my machine until today (thanks to my baby's curiosity w/ the reset button), I'm experiencing this error for the first time now.

I am not running the hardened setup (of gentoo, xorg, nor gcc).
My CFLAGS does contain "-DPIC -fPIC" (among other things).

The snippet from /var/log/Xorg.0.log is:
Code:
(II) Loader running on linux
(II) LoadModule: "bitmap"
(II) Loading /usr/lib/modules/fonts/libbitmap.a
Duplicate symbol __i686.get_pc_thunk.bx in /usr/lib/modules/fonts/libbitmap.a:bitmapmod.o
Also defined in /usr/lib/modules/fonts/libbitmap.a

Fatal server error:
Module load failure


I'd appreciate any suggestions.
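The log snippet in the post above can be triaged mechanically. This is an added example, not part of the original thread: a shell sketch that extracts each duplicate-symbol error from an Xorg log and flags GCC's i686 PC-thunk helper, which the compiler emits into position-independent objects. The function names are hypothetical and the sample log is constructed from the snippet quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed sample input, copied from the log snippet quoted in the post.
sample_log() {
    cat <<'EOF'
(II) Loader running on linux
(II) LoadModule: "bitmap"
(II) Loading /usr/lib/modules/fonts/libbitmap.a
Duplicate symbol __i686.get_pc_thunk.bx in /usr/lib/modules/fonts/libbitmap.a:bitmapmod.o
Also defined in /usr/lib/modules/fonts/libbitmap.a

Fatal server error:
Module load failure
EOF
}

# Reads a log from stdin (or file arguments) and prints one line per
# duplicate-symbol error: "<symbol> <archive> <member> <class>".
# class is "pic-thunk" when the symbol is GCC's i686 PC-thunk helper, which
# appears in objects built with -fPIC/-fPIE (hardened toolchain or CFLAGS).
triage_xorg_log() {
    awk '
    /^Duplicate symbol / {
        sym = $3
        n = split($5, part, ":")          # "/path/libfoo.a:member.o"
        member = (n > 1) ? part[2] : "-"
        class = (sym ~ /^__i686\.get_pc_thunk\./) ? "pic-thunk" : "other"
        print sym, part[1], member, class
    }' "$@"
}

# Exit status 0 only if the log shows both a PIC-thunk duplicate and the
# fatal "Module load failure" that follows it, i.e. the failure in this thread.
xorg_pic_failure() {
    awk '
    /^Duplicate symbol __i686\.get_pc_thunk\./ { thunk = 1 }
    /^Fatal server error:/                     { fatal = 1; next }
    fatal && /^Module load failure/            { modfail = 1 }
    END { exit !(thunk && modfail) }' "$@"
}

# Stand-alone use: pass a log path (e.g. /var/log/Xorg.0.log), or run with
# no arguments to see the result for the constructed sample.
if [ "$#" -gt 0 ]; then
    triage_xorg_log "$@"
else
    sample_log | triage_xorg_log
fi
```

A "pic-thunk" result points at how the module objects were compiled rather than at the driver or xorg.conf, which matches the replies in this thread that changed -fPIC, dlloader or static.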
neves
n00b
Joined: 29 Jan 2004
Posts: 9

Posted: Tue Jul 12, 2005 9:08 pm    Post subject: my solution

I don't use hardened and after emerging the last version of xorg, it started to fail with this error. My solution was to recompile xorg without the -fPIC flag.
saber850
Tux's lil' helper
Joined: 21 Mar 2004
Posts: 115
Location: NY

Posted: Wed Jul 13, 2005 10:27 am    Post subject: Re: my solution

neves wrote:
I don't use hardened and after emerging the last version of xorg, it started to fail with this error. My solution was to recompile xorg without the -fPIC flag.

Thanks for the response.
I followed another suggestion which was to emerge with USE="dlloader" and that seemed to work.
kramerkeller
Apprentice
Joined: 20 Jun 2005
Posts: 179

Posted: Tue Jul 19, 2005 6:23 am

Guys, I have my CFLAGS set to -O2 -march=pentium -fomit-frame-pointer

I don't have the fPIC flag, but when reemerging xorg (I am doing it with USE static? Hoping) I can see on the screen as it is scrolling down forever - a number of times I can see fPIC. So I don't know if that is my deal. I followed directions in gentoo handbook for new use flags. I did the newuse thing, dep clean, and dev-update or something. The point is I thought I was basically recompiling without the use flag hardened and I would be able to load the module finally without the above error you guys and I have been getting. However, still no go. I am HUGE newb. I need absolute direction - like what commands to type in. Gentoo has been great I can do tons of stuff, but my x server is down. (never had it working) If any of you can help me out that would be great. It looks like many of you have had the same frustration. Oh and what would the dlloader do? Should I do that even if I don't have hardened? Can I remove any trace of hardened? And is fPIC on mine even though it's not any of my flags?
saber850
Tux's lil' helper
Joined: 21 Mar 2004
Posts: 115
Location: NY

Posted: Tue Jul 19, 2005 12:43 pm

What error(s) are you getting in /var/log/Xorg.0.log?
Did you try recompiling xorg-x11 with USE="dlloader"? Note that this is on the cmd line so it's used in combination with whatever you have in /etc/make.conf, i.e.:
Code:
~ $ USE="dlloader" emerge -av xorg-x11

Also, after re-compiling xorg, you should re-compile nvidia-kernel and nvidia-glx.
And after that, you may have to unload & reload the nvidia module via modprobe (or simply reboot).
I re-compiled xorg-x11 several times trying to fix this problem simply because my older nvidia driver was still loaded.
kramerkeller
Apprentice
Joined: 20 Jun 2005
Posts: 179

Posted: Tue Jul 19, 2005 7:25 pm

I did the above USE="static" emerge xorg-x11. I had another post with 63 replies and over 1800 views and here is where I found the answer. LOL, I am using the vesa driver. I will do nvidia later, but now I am so happy after waiting 2 weeks. I have learned so much. It works, I am writing from KDE in Konqueror, I have yet to get firefox and stuff. What does USE="static" emerge xorg-x11 do? I seemed to fix everything. Sometimes my monitor does something funny, but after I use nvidia and get everything set better in org file WHICH I NOW KNOW VERY WELL I am sure things will be fine. So thanks and any explanation on USE="static" emerge xorg-x11 would be great.
saber850
Tux's lil' helper
Joined: 21 Mar 2004
Posts: 115
Location: NY

Posted: Tue Jul 19, 2005 10:44 pm

I'm glad it's working for you.
kramerkeller wrote:
What does USE="static" emerge xorg-x11 do?

That causes X to be linked statically--that is, not to dynamically load shared objects.
The nVidia driver should be easy; I never had a problem w/ it.

Good luck!
PGDubbin
n00b
Joined: 06 Apr 2006
Posts: 55

Posted: Fri Apr 07, 2006 2:48 pm

I'm having this same issue now as well...

how will
Code:
#USE="static" emerge xorg-x11


affect:

Code:

#emerge --update --deep --newuse world
#emerge -p --depclean
#revdep-rebuild


....or will it not affect anything?

The reason I ask is because I'm working on a fresh gentoo install, I modified all my USE flags, then checked the Handbook for x86 and that's what it suggested to run after the USE flags were defined to actually..well.."use" them.
saber850
Tux's lil' helper
Joined: 21 Mar 2004
Posts: 115
Location: NY

Posted: Sat Apr 08, 2006 2:41 am

PGDubbin wrote:
I'm having this same issue now as well...

That's odd; I haven't had the issue in a long time. I never used USE="static", and I was able to omit USE="dlloader" too. For me, xorg and the nvidia drivers build straight up now.
My USE flags which affect xorg are: bitmap-fonts font-server mmx nls opengl pam sse truetype-fonts type1-fonts xv.
And in particular, xorg-x11 builds w/out static or dlloader.

PGDubbin wrote:
how will
Code:
#USE="static" emerge xorg-x11

affect:
Code:

#emerge --update --deep --newuse world
#emerge -p --depclean
#revdep-rebuild

....or will it not affect anything?

Not sure if it will affect anything. I'd build the system w/out it and only use it if you have problems.
If you're going to employ USE="static" for xorg-x11, you should put it in /etc/portage/package.use.
PGDubbin
n00b
Joined: 06 Apr 2006
Posts: 55

Posted: Sat Apr 08, 2006 3:30 am

Interestingly enough, I emerged with the USE="static" ...and fancy that - I'm replying to this post in fluxbox :P

when I insert a USE flag into /usr/portage/package.use that USE flag will only affect the package it's listed for, whereas make.conf does it for all packages...is this correct?

also, that file doesn't exist on my system, how do I properly add information to it once I create it?

(I'm learning here...)
saber850
Tux's lil' helper
Joined: 21 Mar 2004
Posts: 115
Location: NY

Posted: Sat Apr 08, 2006 6:19 am

PGDubbin wrote:
Interestingly enough, I emerged with the USE="static" ...and fancy that - I'm replying to this post in fluxbox :P

Glad to hear it.

PGDubbin wrote:
when I insert a USE flag into /usr/portage/package.use that USE flag will only affect the package it's listed for, whereas make.conf does it for all packages...is this correct?

Yes. That's one reason it's important to list package-specific flags in /etc/portage/package.use:
1. You do not want to specify certain USE flags for the entire system. ('static' is one of them.)
2. Specifying it on the command line (ie. USE="static" emerge -av xorg-x11) will not be remembered. So if you need (or really want) this USE flag and xorg-x11 has an update, you'll have to remember to specify the USE flag on the command line each time you build that package. It becomes a PITA--precisely what free software aims to overcome.

PGDubbin wrote:
also, that file doesn't exist on my system, how do I properly add information to it once I create it?
(I'm learning here...)

Search the emerge man page (man emerge) for some general guidance.
The portage man page describes the files in more detail including syntax and examples.
For your case:
Code:
x11-base/xorg-x11 static
PGDubbin
n00b
Joined: 06 Apr 2006
Posts: 55

Posted: Sat Apr 08, 2006 6:42 am

done and done...

thanks a bunch...I've run gentoo now for like 3 years or so...so I'm *somewhat* familiar with navigating my way around, but I decided to rebuild my system from the ground up, bootstrap the install, and start running it a bit more streamlined. Needless to say, it's taking forever to get back running 100%, but, my computer is hauling some major ass vs before, and I've probably learned more in the past 7 days than all of last year :P
homry
Tux's lil' helper
Joined: 01 Apr 2005
Posts: 146
Location: Karlsruhe, Germany

Posted: Fri Apr 14, 2006 11:43 am

saber850 wrote:

That's odd; I haven't had the issue in a long time.

just as an information from another user. this problem seems to exist further on. i just did an
Code:
emerge --newuse world
for the first time with the "hardened" flag and got this error for the first time.

saber850 wrote:

I never used USE="static", and I was able to omit USE="dlloader" too.

i will try, due to a couple of positive responses, to recompile xorg with USE=static, but i would be interested in a statement what is better to use. i do not have enough knowledge or experience to decide what is better to use. static or dlloader?

homry
_________________
IBM ThinkPad R51
homry
Tux's lil' helper
Joined: 01 Apr 2005
Posts: 146
Location: Karlsruhe, Germany

Posted: Fri Apr 14, 2006 3:37 pm

unfortunately, nothing helped. neither USE=static, nor USE=dlload :(. with dlload i get the same error message and with static i get no error message, but the screen remains black and nothing works anymore except pulling the plug. i will try re-emerging xorg now with USE=-hardened =>/edit: ....which has no effect at all. xorg does not care about that flag. i will have to remove the hardened-flag from make.conf to get a working X at least.

homry
_________________
IBM ThinkPad R51
saber850
Tux's lil' helper
Joined: 21 Mar 2004
Posts: 115
Location: NY

Posted: Fri Apr 14, 2006 10:40 pm

homry wrote:
i will try, due to a couple of positive responses, to recompile xorg with USE=static, but i would be interested in a statement what is better to use. i do not have enough knowledge or experience to decide what is better to use. static or dlloader?

Unless you have a specific need or problem, it's ideal not to use either static or dlloader.
I'm not sure which version you're using which is causing these problems. I'm using xorg-x11-6.8.2-r6 if it helps.
Here's the verbose output from emerge -pv xorg-x11:
Code:
[ebuild   R   ] x11-base/xorg-x11-6.8.2-r6  -3dfx -3dnow +bitmap-fonts -cjk -debug -dlloader -dmx -doc +font-server -insecure-drivers -ipv6 -minimal +mmx +nls -nocxx +opengl +pam -sdk +sse -static +truetype-fonts +type1-fonts (-uclibc) -xprint +xv 0 kB
homry
Tux's lil' helper
Joined: 01 Apr 2005
Posts: 146
Location: Karlsruhe, Germany

Posted: Sun Apr 16, 2006 12:40 am

as i said in my first posting, since i used the hardened-flag my x-server won't start anymore. so i searched the board and found this thread. so i did have a specific reason or problem. the problem is that neither the static-flag nor the dlloader-flag helped. so i ended up re-emerging without the hardened-flag my glibc, gcc, etc. and re-emerged xorg. it is working now, but without the hardened-flag of course.

homry
_________________
IBM ThinkPad R51
ali3nx
l33t
Joined: 21 Sep 2003
Posts: 634
Location: Winnipeg, Canada

Posted: Sun Apr 16, 2006 1:25 am

USE="hardened" with xorg requires both pic and dlloader flags or hardening will not work properly. All three flags must be set globally in make.conf and any and all affected applications recompiled so pic code is built. After which everything should work just peachy. I've played quake4 on hardened amd64 gentoo and the framerates are still very respectable.
_________________
Compiling Gentoo since version 1.4
Thousands of Gentoo Installs Completed
Emerged on every continent but Antarctica
Compile long and Prosper!
saber850
Tux's lil' helper
Joined: 21 Mar 2004
Posts: 115
Location: NY

Posted: Sun Apr 16, 2006 2:09 am

ali3nx wrote:
USE="hardened" with xorg requires both pic and dlloader flags or hardening will not work properly. All three flags must be set globally in make.conf and any and all affected applications recompiled so pic code is built. After which everything should work just peachy.

~18 months ago I enabled the PIC flag and rebuilt one of my Gentoo systems. With the PIC flag enabled, I would periodically run into build problems w/ some packages. After ~ 3-4 months of problems (albeit relatively infrequent) which were caused by the PIC flag (as suggested on Gentoo's forums and confirmed by a rebuild), I followed several suggestions to leave the PIC flag out. None of my Gentoo systems currently use the PIC flag.
Although this experience was a while ago, the popular vote was to stay away from enabling the PIC flag globally.