Gentoo Forums
[hardened] Alternatives to glibc?
El_Goretto
Advocate


Joined: 29 May 2004
Posts: 2862
Location: Paris

Posted: Tue May 28, 2013 11:19 am    Post subject: [hardened] Alternatives to glibc?

Hi,

I've been quite happy with my current gentoo "hardened" setup/profile for a while now. I even switched from udev to mdev with success.
So I'm now looking for some other challenge, like: is it possible to switch from glibc to another libc library on a machine with a hardened profile and toolchain (SSP and PIE stuff)?

I'm thinking of dietlibc or uclibc.

--
edit: really comforting: http://www.gentoo.org/proj/en/hardened/uclibc/index.xml
Has anyone tried uclibc?
Because uclibc is explicitly masked on the hardened profile and USE flag.
_________________
-PC: 2500K/P8Z68V, 8Go DDR3 1600 1.35V, R9-290, ARC1220+5xWD500RE3, M4 256Go
-Home servers (hardened): µ-serv N40L, 2Go ECC + NF9D-2700, 4Go
-Réseau: ERL-3 + 3x switches GS108Tv2
-NAS: RDNU2000
Veldrin
Veteran


Joined: 27 Jul 2004
Posts: 1942
Location: Zurich, Switzerland

Posted: Tue May 28, 2013 11:36 am

I gave it a short try in a chroot, but did not deploy the build.
In a nutshell, the core system and server services seem to work fine, but I wanted it for my notebook, and I ran into some issues when moving towards a DE.

Also, it does not support multilib (bye bye proprietary packages), and, the main reason for my trouble, some (at least in my case) essential packages have trouble with uclibc (iirc mit-krb5, icedtea).
ATM, I stopped my experiment due to lack of time.


edit - I am not sure if you can switch the libc without major breakage. I guess a clean install may be a faster and safer approach.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
El_Goretto
Advocate


Joined: 29 May 2004
Posts: 2862
Location: Paris

Posted: Tue May 28, 2013 11:54 am

Thank you for your feedback Veldrin.
I'm not running proprietary software nor a DE, but icedtea could be problematic (I2P software there).

I just saw a hardened/linux/uclibc/amd64 profile. Switching to it without reinstalling from scratch is so tempting ^^
That would be another question: has someone succeeded in migrating from hardened/linux/amd64 to hardened/linux/uclibc/amd64 "on the fly"?
khayyam
Veteran


Joined: 07 Jun 2012
Posts: 1537

Posted: Tue May 28, 2013 12:14 pm

El_Goretto wrote:
That would be another question, if someone succeeded to migrate from hardened/linux/amd64 to hardened/linux/uclibc/amd64 "on the fly".

El_Goretto ... you won't be able to do this; swapping out glibc with uclibc would cause similar issues to changing CHOST. However, there are stage3s in 'experimental' and there is a project page.

best ... khay
XavierMiller
Moderator


Joined: 23 Jul 2004
Posts: 5268
Location: ~Brussels - Belgique

Posted: Tue May 28, 2013 12:22 pm

It will be worse than changing CHOST since libc will be replaced with an incompatible other.
_________________
Xavier Miller
(FR) Please respect the forum rules.
http://www.xaviermiller.be
El_Goretto
Advocate


Joined: 29 May 2004
Posts: 2862
Location: Paris

Posted: Tue May 28, 2013 12:44 pm

I'm not so sure.
Can you install another libc and "start using it" (i.e. emerging) without violently removing the old one, thus breaking not-yet-recompiled binaries?
khayyam
Veteran


Joined: 07 Jun 2012
Posts: 1537

Posted: Tue May 28, 2013 12:50 pm

El_Goretto wrote:
I'm not so sure. Can you install another libc, and "start using it" (ie emerging), without violently removing the old one? Thus breaking not yet recompiled binaries.

El_Goretto ... glibc isn't slotted, so it's replaced, but as it's mostly backward compatible there is far less chance of some library mismatch (though updating a major glibc revision could also cause issues). This is not true of uclibc; it's an entirely different library. That said, it's not something I've attempted, but you're more than likely to have issues.

best ... khay
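The question above (can the old libc go away without breaking binaries that have not been rebuilt yet?) can be answered per machine by reading the dynamic loader each ELF executable requests in its PT_INTERP segment. The script below is an added example, not code from this thread or from Gentoo; the loader-path-to-libc mapping is an assumption for x86-64 paths, and make_elf() only builds a constructed sample so the logic can be exercised offline.

```python
import os, struct

PT_INTERP = 3
# Loader path -> C library. Assumed x86-64 paths; adjust to the installed profile.
LOADER_TO_LIBC = {
    "/lib64/ld-linux-x86-64.so.2": "glibc",
    "/lib/ld-uClibc.so.0": "uclibc",
    "/lib/ld-musl-x86_64.so.1": "musl",
}

def elf_interp(data: bytes):
    """PT_INTERP path of a little-endian ELF64 image; None if static or not ELF."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return None
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 56 > len(data):
            return None
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_INTERP:
            return data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode(errors="replace")
    return None

def classify(data: bytes) -> str:
    """Label an ELF image by the C library its requested loader implies."""
    interp = elf_interp(data)
    return "no-interp" if interp is None else LOADER_TO_LIBC.get(interp, "unknown:" + interp)

def inventory(root: str) -> dict:
    """Count regular files under root per label; after a libc switch, files still
    under the old loader are binaries that have not been rebuilt."""
    counts = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as f:
                label = classify(f.read(1 << 20))  # ELF headers sit in the first MiB
            counts[label] = counts.get(label, 0) + 1
    return counts

def make_elf(interp: str) -> bytes:
    """Constructed sample: minimal ELF64 header plus a single PT_INTERP segment."""
    path = interp.encode() + b"\0"
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 120, 0, 0, len(path), len(path), 1)
    return ehdr + phdr + path
```

Running inventory("/usr/bin") before and after a migration shows how many executables still depend on the old loader; a single "unknown:" entry usually means a loader path outside the assumed mapping.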
ulenrich
Veteran


Joined: 10 Oct 2010
Posts: 1122

Posted: Tue May 28, 2013 2:03 pm    Post subject: Always big is bad?

Is this because of
Quote:
Ilja van Sprundel did recommend using dietlibc or uClibc over glibc, which he found to be "super bloated"
discussed at:
http://www.phoronix.com/scan.php?page=news_item&px=MTM3ODA
Is BIG really always BAD?

Not a programmer, but having the choice:

If I could (re-)use the functions of a big fat glibc, or
use "dietlibc" but be missing some functions I would have to construct myself,

wouldn't my program be more secure and performant using the big fat glibc?

Isn't this sentence of Ilja van Sprundel just FUD?
_________________
fun2gen2
El_Goretto
Advocate


Joined: 29 May 2004
Posts: 2862
Location: Paris

Posted: Tue May 28, 2013 2:42 pm

Ok, thanks for your answers everyone.

@ulenrich: Given that the security of a program is also the security of the libraries it uses, no. If not, then I would recommend reconsidering programming :)
This fellow is absolutely not the only one having something to say about glibc. I attended a security conference last year (SSTIC 2012/France, but I can't find the name of the guy), and he said almost exactly the same thing (to the extent that I wonder whether they haven't at least worked together).
Ant P.
Advocate


Joined: 18 Apr 2009
Posts: 2204
Location: UK

Posted: Tue May 28, 2013 8:00 pm

You could give sys-libs/musl a try. From looking at the ebuild it seems like you have to cross-compile if you want it as system libc, but it definitely seems possible.
El_Goretto
Advocate


Joined: 29 May 2004
Posts: 2862
Location: Paris

Posted: Mon Jul 01, 2013 4:55 pm

If anyone has a relevant opinion about this: I was wondering whether reporting bugs related to the hardened/uclibc profile (flagged as experimental) in the standard gentoo bugzilla is the best way to go?
All times are GMT