[gentoo-hardened] Downgrading glibc

[gentoo-hardened] Downgrading glibc

[7v5w7go9ub0o]

I went through the gcc upgrade and discovered that ssp no longer works  
(suppose it was documented somewhere - but I missed it)

So I'm trying to reverse the upgrade process (this time using using a  
hardened profile) and glibc won't allow me to downgrade.

How do I get around this, please?

I've considered hacking the script/size/md5 tests, but would prefer to do  
it the proper way.

TIA
-- 
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] Downgrading glibc

[Ned Ludd]

On Thu, 2006-09-14 at 12:34 -0400, 7v5w7go9ub0o wrote:
> I went through the gcc upgrade and discovered that ssp no longer works  
> (suppose it was documented somewhere - but I missed it)
> 
> So I'm trying to reverse the upgrade process (this time using using a  
> hardened profile) and glibc won't allow me to downgrade.
> 
> How do I get around this, please?
> 
> I've considered hacking the script/size/md5 tests, but would prefer to do  
> it the proper way.

There is no safe way to really downgrade glibc with portage. 
So.. Your choices are. 
1) keep the glibc.
2) reinstall

-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux

-- 
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] Downgrading glibc

[7v5w7go9ub0o]

On Thu, 14 Sep 2006 23:51:49 -0400, Ned Ludd <solar@gentoo.org> wrote:

> On Thu, 2006-09-14 at 12:34 -0400, 7v5w7go9ub0o wrote:
>> I went through the gcc upgrade and discovered that ssp no longer works
>> (suppose it was documented somewhere - but I missed it)
>>
>> So I'm trying to reverse the upgrade process (this time using using a
>> hardened profile) and glibc won't allow me to downgrade.
>>
>> How do I get around this, please?
>>
>> I've considered hacking the script/size/md5 tests, but would prefer to  
>> do
>> it the proper way.
>
> There is no safe way to really downgrade glibc with portage.
> So.. Your choices are.
> 1) keep the glibc.
> 2) reinstall
>

Thanks for the reply.

Worked around the downgrade check - heh, that proved a mess.

Couldn't compile the later glibc with the earlier gcc, .....

So a reinstall it is.   Fortunately, I had a maintenance OS on the same  
HD, so the reinstall is occurring rapidly through a chroot.


-- 
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] Downgrading glibc

[Andreas Tasch]

7v5w7go9ub0o schrieb:
> I went through the gcc upgrade and discovered that ssp no longer works 
> (suppose it was documented somewhere - but I missed it)
> 
> So I'm trying to reverse the upgrade process (this time using using a 
> hardened profile) and glibc won't allow me to downgrade.
> 
> How do I get around this, please?
> 
> I've considered hacking the script/size/md5 tests, but would prefer to 
> do it the proper way.
> 
> TIA
> --gentoo-hardened@gentoo.org mailing list

Hi,

did you upgrade to gcc-4.1? If yes you may not use the hardened profile 
but the hardened use flag. gcc-4.1 is not yet supported by the hardened 
profile. AFAIK

View your current profile
ls -l /etc/make.profile

How to switch to the hardened profile
http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile

[OT] Note for the doc devs
By reading some lists for a while now it seems that there are many 
people out there which followed the hardened tutorial. The problem is 
that you do not mention that users have to switch to the hardened 
profile. I only found this in the FAQ.
I also followed the hardened tutorial and thought I am using it but I 
only had the hardened use flag and a hardened kernel with grsec and pax 
enabled. Nothing more. Maybe it is possible to add some information 
about how to really switch to the hardened profile in the tutorial.

HTH
ndee
-- 
gentoo-hardened@gentoo.org mailing list

[gentoo-hardened] Re: Downgrading glibc

[7v5w7go9ub0o]

Thanks for the note.

> Hi,
>
> did you upgrade to gcc-4.1? If yes you may not use the hardened profile  
> but the hardened use flag. gcc-4.1 is not yet supported by the hardened  
> profile. AFAIK

Yep..... :-(


>
> View your current profile
> ls -l /etc/make.profile

I had a standard profile; now it's hardened, with my make.conf file  
supplemented with the use flags no longer on by default.

>
> How to switch to the hardened profile
> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile

Thanks - I've done that (hardened profile) this time around as I rebuild.

>
> [OT] Note for the doc devs
> By reading some lists for a while now it seems that there are many  
> people out there which followed the hardened tutorial. The problem is  
> that you do not mention that users have to switch to the hardened  
> profile. I only found this in the FAQ.
> I also followed the hardened tutorial and thought I am using it but I  
> only had the hardened use flag and a hardened kernel with grsec and pax  
> enabled. Nothing more. Maybe it is possible to add some information  
> about how to really switch to the hardened profile in the tutorial.

Well, I built this over a year ago, and never caught the hardened profile  
comment - I'm a newbie and got the impression that one only needed to put  
in "hardened pic". As you point out, others fell into this situation as  
well.

FWIW, the hardend sources project works great IMHO, but documentation  
ought to do two things:

1. Redo the FAQ page.  All of the pieces are there, but they're spread all  
over the page. Create one section that sequentially covers the steps on  
how to create a hardened profile/kernel. For example, at this time, it  
would advise the user to start with 2006.0 (doesn't say it now, and I bet  
someone will start with 2006.1).

It'll also list the flags that are in the standard profile that are not in  
the hardened - all in sequential order, not spread about.

2. Declare the GCC update NA for hardened users - in the GCC update guide.  
There is some sort of vague reference to hardened in the guide, but it  
sure didn't click with me.



-- 
gentoo-hardened@gentoo.org mailing list