[gentoo-hardened] Converting new install to hardened (glibc problem)?

[gentoo-hardened] Converting new install to hardened (glibc problem)?

[Nedim Cholich]

[-- Attachment #1: Type: text/plain, Size: 1011 bytes --]

Hi,

This is my first email to the list and my first attempt at installing
hardened Gentoo (I've been using Gentoo for 4 years now). I apologize if I'm
asking an obvious question. I have been searching for couple of days for an
answer but couldn't find one.

I have a fresh install of Gentoo 2006.1 and I'm trying to convert it to
hardened. I have followed instructions and changed the profile, added USE
flags and when I try to recompile the toolchain it wants to downgrade the
glibc, which is, of course, not allowed.

I've seen various posts on forms and lists but they all start with older
glibc. Also this post
http://www.mail-archive.com/gentoo-hardened@lists.gentoo.org/msg00845.html
doesn't even mention glibc, but the fact still remains that glibc will not
be emergable and the toolchain will be inconsistent.

So the question is how to get around the obvious discrepancy between glibc
version 2.4-r3 that comes with standard Gentoo and version 2.3.6-r5 that
hardened profile wants to emerge?

Thanks.

[-- Attachment #2: Type: text/html, Size: 1168 bytes --]

Re: [gentoo-hardened] Converting new install to hardened (glibc problem)?

[John Schember]

Hardened requires glibc-2.3. Some features (SSP) are not available in
newer versions yet. If you want to use hardened with the hardened tool
chain you have to downgrade glibc to 2.3 and gcc to 3.4. There is no way
to get around this, it is required.

John Schember


On Sat, 2007-01-06 at 16:43 -0500, Nedim Cholich wrote:
> Hi,
> 
> This is my first email to the list and my first attempt at installing
> hardened Gentoo (I've been using Gentoo for 4 years now). I apologize
> if I'm asking an obvious question. I have been searching for couple of
> days for an answer but couldn't find one. 
> 
> I have a fresh install of Gentoo 2006.1 and I'm trying to convert it
> to hardened. I have followed instructions and changed the profile,
> added USE flags and when I try to recompile the toolchain it wants to
> downgrade the glibc, which is, of course, not allowed. 
> 
> I've seen various posts on forms and lists but they all start with
> older glibc. Also this post
> http://www.mail-archive.com/gentoo-hardened@lists.gentoo.org/msg00845.html
> doesn't even mention glibc, but the fact still remains that glibc will
> not be emergable and the toolchain will be inconsistent.
> 
> So the question is how to get around the obvious discrepancy between
> glibc version 2.4-r3 that comes with standard Gentoo and version
> 2.3.6-r5 that hardened profile wants to emerge?
> 
> Thanks.

-- 
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] Converting new install to hardened (glibc problem)?

[Kevin F. Quinn]

[-- Attachment #1: Type: text/plain, Size: 554 bytes --]

On Sat, 6 Jan 2007 16:43:43 -0500
"Nedim Cholich" <nedim.cholich@gmail.com> wrote:

> Hi,
> 
> This is my first email to the list and my first attempt at installing
> hardened Gentoo (I've been using Gentoo for 4 years now). I apologize
> if I'm asking an obvious question. I have been searching for couple
> of days for an answer but couldn't find one.

Wait until glibc-2.4 or greater is ready on hardened.  It should be
soon, now.  Whatever you do, don't downgrade glibc, you will end up with
all sorts of trouble.

-- 
Kevin F. Quinn

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-hardened] Converting new install to hardened (glibc problem)?

[Nedim Cholich]

[-- Attachment #1: Type: text/plain, Size: 810 bytes --]

On 1/6/07, Kevin F. Quinn <kevquinn@gentoo.org> wrote:
>
> On Sat, 6 Jan 2007 16:43:43 -0500
> "Nedim Cholich" <nedim.cholich@gmail.com> wrote:
>
> > Hi,
> >
> > This is my first email to the list and my first attempt at installing
> > hardened Gentoo (I've been using Gentoo for 4 years now). I apologize
> > if I'm asking an obvious question. I have been searching for couple
> > of days for an answer but couldn't find one.
>
> Wait until glibc-2.4 or greater is ready on hardened.  It should be
> soon, now.  Whatever you do, don't downgrade glibc, you will end up with
> all sorts of trouble.



So in practical terms, do I have any options? Is there any point in using
standard profile with USE="hardened pic"? What about compiler directives?
Can I still use hardened-sources?

Thanks for all your help.

[-- Attachment #2: Type: text/html, Size: 1242 bytes --]

Re: [gentoo-hardened] Converting new install to hardened (glibc problem)?

[Nedim Cholich]

[-- Attachment #1: Type: text/plain, Size: 809 bytes --]

On 1/6/07, Kevin F. Quinn <kevquinn@gentoo.org> wrote:
>
> On Sat, 6 Jan 2007 16:43:43 -0500
> "Nedim Cholich" <nedim.cholich@gmail.com> wrote:
>
> > Hi,
> >
> > This is my first email to the list and my first attempt at installing
> > hardened Gentoo (I've been using Gentoo for 4 years now). I apologize
> > if I'm asking an obvious question. I have been searching for couple
> > of days for an answer but couldn't find one.
>
> Wait until glibc-2.4 or greater is ready on hardened.  It should be
> soon, now.  Whatever you do, don't downgrade glibc, you will end up with
> all sorts of trouble.


Also, Kevin, I see you have an overlay with some of the new stuff. Would
there be a point in me trying it out since I'm in no rush to finish up my
future firewall. How stable is the stuff in overlay?

Thanks.

[-- Attachment #2: Type: text/html, Size: 1236 bytes --]

Re: [gentoo-hardened] Converting new install to hardened (glibc problem)?

[John Schember]

On Sun, 2007-01-07 at 00:38 +0100, ascii wrote:
> Nedim Cholich wrote:
> > Can I still use hardened-sources?
> yes, but that is the kernel not the gcc toolchain
> 
> if you want an hardened system you have to use 2006.0
> 
> am i right?

You are correct. You need 2006.0 for a full hardened system otherwise
you are can only have a hardened kernel, and what ever extra is applied
to packages that use the hardened use flag ie. syslog-ng.

John Schember

-- 
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] Converting new install to hardened (glibc problem)?

[Nedim Cholich]

[-- Attachment #1: Type: text/plain, Size: 425 bytes --]

On 1/6/07, ascii <ascii@katamail.com> wrote:
>
> Nedim Cholich wrote:
> > Can I still use hardened-sources?
> yes, but that is the kernel not the gcc toolchain
>

Right. So the question was can hardened-sources be used with default 2006.0/1
profile and toolchain compiled with USE="hardened pic"? This is all to avoid
having to use hardened profile which is not "installable" right now because
of glibc discrepancy.

Thanks.

[-- Attachment #2: Type: text/html, Size: 736 bytes --]

Re: [gentoo-hardened] Converting new install to hardened (glibc problem)?

[John Schember]

On Sat, 2007-01-06 at 17:42 -0500, Nedim Cholich wrote:
> So the question was can hardened-sources be used with default 2006.0/1
> profile and toolchain compiled with USE="hardened pic"? 

Yes.

John Schember

-- 
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] Converting new install to hardened (glibc problem)?

[ascii]

Nedim Cholich wrote:
> Can I still use hardened-sources?
yes, but that is the kernel not the gcc toolchain

if you want an hardened system you have to use 2006.0

am i right?

regards,
Francesco 'ascii' Ongaro
http://www.ush.it/
-- 
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] Converting new install to hardened (glibc problem)?

[Kevin F. Quinn]

[-- Attachment #1: Type: text/plain, Size: 415 bytes --]

On Sat, 6 Jan 2007 17:39:06 -0500
"Nedim Cholich" <nedim.cholich@gmail.com> wrote:

> Also, Kevin, I see you have an overlay with some of the new stuff.
> Would there be a point in me trying it out since I'm in no rush to
> finish up my future firewall. How stable is the stuff in overlay?

You're welcome to try :)  The gcc-glibc-nopie branch is what I'm hoping
to put in the tree.

-- 
Kevin F. Quinn

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-hardened] Converting new install to hardened (glibc problem)?

[Tom Hendrikx]

[-- Attachment #1: Type: text/plain, Size: 1176 bytes --]



Nedim Cholich wrote:
> Hi,
> 
> This is my first email to the list and my first attempt at installing
> hardened Gentoo (I've been using Gentoo for 4 years now).
<snip>
> 
> I have a fresh install of Gentoo 2006.1 and I'm trying to convert it to
> hardened. I have followed instructions and changed the profile, added
> USE flags and when I try to recompile the toolchain it wants to
> downgrade the glibc, which is, of course, not allowed.

I ran into this problem also a while ago, and after some testing,
solving this problem actually is quite easy, considering your 4 years of
Gentoo experience and also considering it's a clean install.

1) Get yourself a nice 2006.0 install cd
2) Wipe your clean install, and start a new one using the 2006.0 cd.
3) Do a stage 1 install from this cd, setting your profile and flags
right from the beginning.

Since the initial 2006.0 environment contains an older glibc version
(glibc-2.3.6-r4 says my emerge history), there is no need to downgrade.
Just be sure not to remerge glibc before setting the hardened profile,
so you don't upgrade by accident.

Worked for me twice in last 3 months :)

Tom


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

Re: [gentoo-hardened] Converting new install to hardened (glibc problem)?

[Nedim Cholich]

[-- Attachment #1: Type: text/plain, Size: 1393 bytes --]

On 1/7/07, Tom Hendrikx <tom@whyscream.net> wrote:
>
>
>
> Nedim Cholich wrote:
> > Hi,
> >
> > This is my first email to the list and my first attempt at installing
> > hardened Gentoo (I've been using Gentoo for 4 years now).
> <snip>
> >
> > I have a fresh install of Gentoo 2006.1 and I'm trying to convert it to
> > hardened. I have followed instructions and changed the profile, added
> > USE flags and when I try to recompile the toolchain it wants to
> > downgrade the glibc, which is, of course, not allowed.
>
> I ran into this problem also a while ago, and after some testing,
> solving this problem actually is quite easy, considering your 4 years of
> Gentoo experience and also considering it's a clean install.
>
> 1) Get yourself a nice 2006.0 install cd
> 2) Wipe your clean install, and start a new one using the 2006.0 cd.
> 3) Do a stage 1 install from this cd, setting your profile and flags
> right from the beginning.
>
> Since the initial 2006.0 environment contains an older glibc version
> (glibc-2.3.6-r4 says my emerge history), there is no need to downgrade.
> Just be sure not to remerge glibc before setting the hardened profile,
> so you don't upgrade by accident.
>
> Worked for me twice in last 3 months :)


Ok. I found stage3 of 2006.0. Is there a problem with using the latest
portage snapshot with this 2006.0 (and the hardened profile from it)?

Thanks.

[-- Attachment #2: Type: text/html, Size: 1767 bytes --]

Re: [gentoo-hardened] Converting new install to hardened (glibc problem)?

[Tom Hendrikx]

[-- Attachment #1: Type: text/plain, Size: 432 bytes --]



Nedim Cholich wrote:
> On 1/7/07, *Tom Hendrikx* <tom@whyscream.net <mailto:tom@whyscream.net>>
> wrote:
> 
> 
> Ok. I found stage3 of 2006.0. Is there a problem with using the latest
> portage snapshot with this 2006.0 (and the hardened profile from it)?
> 
> Thanks.
> 

Nope, just try it. Any portage snapshot containing the
'hardened-supported' glibc version is ok, so a portage snapshot from
today is fine.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

[gentoo-hardened] Converting new install to hardened (glibc problem)?

[Nedim Cholich]

[-- Attachment #1: Type: text/plain, Size: 513 bytes --]

On 1/7/07, Tom Hendrikx <tom@whyscream.net> wrote:
>
> Nedim Cholich wrote:
> > Ok. I found stage3 of 2006.0. Is there a problem with using the latest
> > portage snapshot with this 2006.0 (and the hardened profile from it)?
> Nope, just try it. Any portage snapshot containing the
> 'hardened-supported' glibc version is ok, so a portage snapshot from
> today is fine.


Woohoo. After couple of days of recompiling I have hardened gentoo. Now on
to app install...

Thanks for the 2006.0 tip! That did the trick.

[-- Attachment #2: Type: text/html, Size: 909 bytes --]