Gentoo Forums
[hardened] Alternatives to glibc?
El_Goretto, Moderator (Joined: 29 May 2004, Posts: 3166, Location: Paris)
Posted: Tue May 28, 2013 11:19 am    Post subject: [hardened] Alternatives to glibc?

Hi,

I've been quite happy with my current Gentoo "hardened" setup/profile for a while now. I even switched from udev to mdev with success.
So I'm now looking for some other challenge, like: is it possible to switch from glibc to another libc library, on a machine with a hardened profile and toolchain (SSP and PIE stuff)?

I'm thinking of dietlibc or uclibc.

--
edit: really comforting: http://www.gentoo.org/proj/en/hardened/uclibc/index.xml
Has anyone tried uclibc?
Because uclibc is explicitly masked on the hardened profile and USE flag.
_________________
-TrueNAS & jails: µ-serv Gen8 E3-1260L, 16GB ECC + µ-serv N40L, 10GB ECC
-Network: APU2C4 (OpenWRT) + GS726Tv3 + 2x GS108Tv2 + Archer C5v1 (OpenWRT)
Veldrin, Veteran (Joined: 27 Jul 2004, Posts: 1945, Location: Zurich, Switzerland)
Posted: Tue May 28, 2013 11:36 am

I gave it a short try in a chroot, but did not deploy the build.
In a nutshell, the core system and server services seem to work fine, but since I wanted it for my notebook, I ran into some issues when moving towards a DE.

Also, it does not support multilib (bye bye proprietary packages), and, the main reason for my trouble, some (at least in my case) essential packages have trouble with uclibc (iirc mit-krb5, icedtea).
ATM, I stopped my experiment due to lack of time.


edit: I am not sure if you can switch the libc without major breakage. I guess a clean install may be a faster and safer approach.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
El_Goretto, Moderator
Posted: Tue May 28, 2013 11:54 am

Thank you for your feedback Veldrin.
I'm not running proprietary software nor a DE, but icedtea could be problematic (I2P software there).

I just saw a hardened/linux/uclibc/amd64 profile. Switching to it without reinstalling from scratch is so tempting ^^
That would be another question: has someone succeeded in migrating from hardened/linux/amd64 to hardened/linux/uclibc/amd64 "on the fly"?
khayyam, Watchman (Joined: 07 Jun 2012, Posts: 6227, Location: Room 101)
Posted: Tue May 28, 2013 12:14 pm

El_Goretto wrote:
> That would be another question, if someone succeeded to migrate from hardened/linux/amd64 to hardened/linux/uclibc/amd64 "on the fly".

El_Goretto ... you won't be able to do this; swapping out glibc with uclibc would cause similar issues to changing CHOST. However, there are stage3's in 'experimental' and there is a project page.

best ... khay
xaviermiller, Bodhisattva (Joined: 23 Jul 2004, Posts: 8704, Location: ~Brussels - Belgium)
Posted: Tue May 28, 2013 12:22 pm

It will be worse than changing CHOST, since the libc will be replaced with an incompatible one.
_________________
Kind regards,
Xavier Miller
El_Goretto, Moderator
Posted: Tue May 28, 2013 12:44 pm

I'm not so sure.
Can you install another libc and "start using it" (i.e. emerging) without violently removing the old one, thus breaking not-yet-recompiled binaries?
khayyam, Watchman
Posted: Tue May 28, 2013 12:50 pm

El_Goretto wrote:
> I'm not so sure. Can you install another libc, and "start using it" (ie emerging), without violently removing the old one? Thus breaking not yet recompiled binaries.

El_Goretto ... glibc isn't slotted, so it's replaced, but as it's mostly backward compatible there is far less chance of some library mismatch (though updating a major glibc revision could also cause issues). This is not true of uclibc; it's an entirely different library. That said, it's not something I've attempted, but you're more than likely to have issues.

best ... khay
ulenrich, Veteran (Joined: 10 Oct 2010, Posts: 1480)
Posted: Tue May 28, 2013 2:03 pm    Post subject: Always big is bad?
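The risk khayyam describes (binaries that were linked against one libc's dynamic loader still expecting that loader after the libc is swapped) can be inventoried before touching anything. The following is an added example written for this edit, not code from the thread or from Gentoo: it parses the `PT_INTERP` program header of ELF64 little-endian images to see which dynamic loader each executable requests, and classifies it by the conventional loader names (`ld-linux*` for glibc, `ld-uClibc*` for uclibc, `ld-musl*` for musl). The sample images are constructed in `make_elf64` and are not real programs; `audit_directory` is the same check applied to a real tree such as `/usr/bin`.

```python
# Added example: inventory which dynamic loader (PT_INTERP) ELF64 executables
# request, so a libc migration can be assessed before binaries start failing.
import os
import struct
from typing import Dict, Optional

PT_INTERP = 3
ELF64_EHDR_SIZE = 64
ELF64_PHDR_SIZE = 56


def elf_interpreter(data: bytes) -> Optional[str]:
    """Return the PT_INTERP path of an ELF64 little-endian image, or None when
    the bytes are not such an image, are truncated, or carry no PT_INTERP
    segment (statically linked executable or a shared object)."""
    if len(data) < ELF64_EHDR_SIZE or data[:4] != b"\x7fELF":
        return None
    if data[4] != 2 or data[5] != 1:  # EI_CLASS must be ELFCLASS64, EI_DATA little-endian
        return None
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + ELF64_PHDR_SIZE > len(data):
            return None  # truncated or malformed table: refuse to guess
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_INTERP:
            if p_offset + p_filesz > len(data):
                return None
            raw = data[p_offset:p_offset + p_filesz]
            return raw.split(b"\0", 1)[0].decode("ascii", "replace")
    return None


def libc_family(interp: Optional[str]) -> str:
    """Map a loader path to the libc it conventionally belongs to."""
    if interp is None:
        return "none"  # no loader requested: static binary or shared object
    name = interp.rsplit("/", 1)[-1]
    if name.startswith("ld-linux"):
        return "glibc"
    if name.startswith("ld-uClibc"):
        return "uclibc"
    if name.startswith("ld-musl"):
        return "musl"
    return "other"


def classify(blob: bytes) -> str:
    """Distinguish non-ELF files (scripts, data) from ELF images with no loader."""
    if blob[:4] != b"\x7fELF":
        return "not-elf"
    return libc_family(elf_interpreter(blob))


def audit_images(images: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each named in-memory image by the libc family its loader implies."""
    return {name: classify(blob) for name, blob in images.items()}


def audit_directory(path: str) -> Dict[str, str]:
    """Classify every regular file under `path` (e.g. /usr/bin) the same way."""
    results: Dict[str, str] = {}
    for root, _dirs, files in os.walk(path):
        for fname in files:
            full = os.path.join(root, fname)
            try:
                with open(full, "rb") as fh:
                    results[full] = classify(fh.read())
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the audit
    return results


def make_elf64(interp: Optional[bytes]) -> bytes:
    """Build a minimal ELF64 image with at most one PT_INTERP segment.
    Constructed test input only; the result is not a runnable program."""
    phnum = 1 if interp is not None else 0
    phoff = ELF64_EHDR_SIZE
    interp_off = phoff + ELF64_PHDR_SIZE * phnum
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    # e_type=ET_EXEC, e_machine=EM_X86_64, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, phoff, 0, 0,
                               ELF64_EHDR_SIZE, ELF64_PHDR_SIZE, phnum, 64, 0, 0)
    if interp is None:
        return ehdr
    payload = interp + b"\0"
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, interp_off, 0, 0,
                       len(payload), len(payload), 1)
    return ehdr + phdr + payload


# Constructed sample inputs using the loader paths each libc conventionally installs.
SAMPLE_IMAGES = {
    "glibc-linked": make_elf64(b"/lib64/ld-linux-x86-64.so.2"),
    "uclibc-linked": make_elf64(b"/lib/ld-uClibc.so.0"),
    "musl-linked": make_elf64(b"/lib/ld-musl-x86_64.so.1"),
    "static": make_elf64(None),
    "not-elf": b"#!/bin/sh\necho hello\n",
}

if __name__ == "__main__":
    for name, family in audit_images(SAMPLE_IMAGES).items():
        print(f"{name:14s} {family}")
```

Running `audit_directory("/usr/bin")` on a box mid-migration shows at a glance which executables still name the old loader and so would stop starting the moment that loader disappears; the same inventory can be had on Gentoo with scanelf from pax-utils, but the parser above runs anywhere Python does.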

Is this because of
Quote:
> Ilja van Sprundel did recommend using dietlibc or uClibc over glibc, which he found to be "super bloated"
discussed at:
http://www.phoronix.com/scan.php?page=news_item&px=MTM3ODA
Is BIG really always BAD?

Not a programmer, but having the choice:

if I could either (re-)use the functions of a big fat glibc, or
use "dietlibc" but be missing some functions I would have to construct myself,

wouldn't my program be more secure and performant using the big fat glibc?

Isn't this sentence of Ilja van Sprundel just FUD?
El_Goretto, Moderator
Posted: Tue May 28, 2013 2:42 pm

Ok, thanks for your answers everyone.

@ulenrich: Given that the security of a program is the security of the libraries it uses too, no. If not, then I would recommend reconsidering programming :)
This fellow is absolutely not the only one having something to say about glibc. I attended a security conference last year (SSTIC 2012/France, but I can't find the name of the guy); he said almost exactly the same thing (to the extent that I wonder whether they worked together at least).
Ant P., Watchman (Joined: 18 Apr 2009, Posts: 6920)
Posted: Tue May 28, 2013 8:00 pm

You could give sys-libs/musl a try. From looking at the ebuild it seems like you have to cross-compile if you want it as system libc, but it definitely seems possible.
El_Goretto, Moderator
Posted: Mon Jul 01, 2013 4:55 pm

If anyone has a relevant opinion about this: I was wondering whether reporting bugs related to the hardened/uclibc profile (flagged as experimental) in the standard Gentoo bugzilla is the best way to go?