Hardened Linux From Scratch
Version SVN-20080603
Copyright © 2004-2007 HLFS Development Team
Legal Notice
Copyright © 2004-2007, HLFS Development Team
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:
Redistribution in any form must retain the above copyright notice, this list of conditions, and the following disclaimer:
Neither the name of “Hardened Linux From Scratch” nor the names of its contributors may be used to endorse or promote products derived from this material without specific prior written permission.
Any material derived from Hardened Linux From Scratch must contain a reference to the “Hardened Linux From Scratch” and “Linux From Scratch” projects.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Abstract
This book describes the process of creating a Hardened Linux system from scratch, using only the sources of the required software.
– Who willed you? or whose will stands but mine?
There's none protector of the realm but I.
Break up the gates, I'll be your warrantize.
Shall I be flouted thus by dunghill grooms?
(Gloucester - 1593)
What noise is this? what traitors have we here?
(Woodvile's response)
This is HLFS-unstable featuring:
uClibc: http://www.uclibc.org/
Stack Smashing Protector; now part of GCC-4.1+: http://www.trl.ibm.com/projects/security/ssp/
Grsecurity: http://www.grsecurity.net/
Frandom/Erandom device drivers: http://frandom.sourceforge.net/
GCC PIE patch. This is now part of gcc-3.4+: http://gcc.gnu.org/ml/gcc-patches/2003-06/msg00140.html
Binutils PIE patch. This is now part of binutils-2.15+ and is utilized by Glibc and uClibc: http://sources.redhat.com/ml/binutils/2003-05/msg00832.html
Binutils Non-lazy Runtime Binding. This is part of Binutils and is utilized by Glibc and uClibc: 'man 1 ld'
Binutils Relocation Read-only patch. This is now part of Binutils and is utilized by Glibc and uClibc: http://sources.redhat.com/ml/binutils/2004-01/msg00070.html
FORTIFY_SOURCE runtime buffer overflow protection: http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
Heap Consistency Checking in Glibc: http://www.gnu.org/software/libc/manual/html_node/Heap-Consistency-Checking.html
strlcpy() strlcat() C library functions: http://www.courtesan.com/todd/papers/strlcpy.html
Mudflap GCC debugging library: http://gcc.gnu.org/wiki/Mudflap_Pointer_Debugging
Owl Linux temporary-file hardening: http://www.openwall.com/Owl/
Recent LFS-stable (6.*), or HLFS-0.1+, are the prerequisite for the host system. Other systems may work but are not supported.
UTF-8 compatibility is not yet implemented. Notes in the BLFS book regarding UTF-8 workarounds will generally not apply to HLFS systems. Anyone seeking to implement LFS-based UTF-8 compatibility, especially with the uClibc version of HLFS, should subscribe to mailto:[email protected].
See chapter02 for descriptions of the Stack Smashing Protector, and Position Independent Executables.
The instructions in this book currently work only on i386; they were tested on an LFS host system.
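A practical way to confirm that a finished binary really carries the toolchain features listed above (PIE, RELRO, non-lazy binding, SSP) is to read its ELF headers directly rather than trust the build flags. The checker below is an added example written for this page; it is not part of the HLFS book or its build scripts. It parses little-endian ELF32 (the i386 objects this book produces) and ELF64 files without needing readelf, and it infers SSP from an imported __stack_chk_fail (GCC libssp) or __stack_smash_handler (older ProPolice) symbol in the dynamic string table, which is a heuristic: a statically linked object, or one in which no function received a canary, shows nothing. The build_sample_elf32() helper fabricates a minimal, non-runnable ELF image so the check can be exercised without a real HLFS binary; the library name and symbol it embeds are constructed test data.

```python
"""Check an ELF file for the hardening features HLFS builds into its toolchain:
PIE (ET_DYN object), RELRO (PT_GNU_RELRO segment), non-lazy binding
(DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW) and SSP (an imported canary-failure
symbol). Pure Python, no readelf needed; little-endian ELF32 and ELF64 only."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
# Heuristic: a canary-protected dynamic binary imports one of these (GCC libssp / old ProPolice)
SSP_SYMBOLS = (b"\0__stack_chk_fail\0", b"\0__stack_smash_handler\0")

# Per ELF class: header format (after e_ident), phdr format, phdr field order, dynamic-entry
# format. ELF32 and ELF64 program headers place p_flags differently.
_LAYOUT = {
    1: ("<HHIIIIIHHHHHH", "<IIIIIIII",
        ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align"), "<iI"),
    2: ("<HHIQQQIHHHHHH", "<IIQQQQQQ",
        ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align"), "<qQ"),
}


def parse_elf(data):
    """Return (e_type, program headers as dicts, dynamic-entry struct format)."""
    if data[:4] != b"\x7fELF" or data[4] not in _LAYOUT or data[5] != 1:
        raise ValueError("not a little-endian ELF32/ELF64 file")
    ehdr_fmt, phdr_fmt, fields, dyn_fmt = _LAYOUT[data[4]]
    hdr = struct.unpack_from(ehdr_fmt, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    phdrs = [dict(zip(fields, struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)))
             for i in range(e_phnum)]
    return e_type, phdrs, dyn_fmt


def vaddr_to_offset(phdrs, vaddr):
    """Map a virtual address (as stored in .dynamic) back to a file offset via PT_LOAD."""
    for p in phdrs:
        if p["type"] == PT_LOAD and p["vaddr"] <= vaddr < p["vaddr"] + p["filesz"]:
            return p["offset"] + (vaddr - p["vaddr"])
    raise ValueError("address 0x%x is not in any PT_LOAD segment" % vaddr)


def check_hardening(data):
    """Return {'pie', 'relro', 'bind_now', 'ssp'} -> bool for one ELF image."""
    e_type, phdrs, dyn_fmt = parse_elf(data)
    result = {"pie": e_type == ET_DYN,
              "relro": any(p["type"] == PT_GNU_RELRO for p in phdrs),
              "bind_now": False, "ssp": False}
    dyn = next((p for p in phdrs if p["type"] == PT_DYNAMIC), None)
    if dyn is None:
        return result  # statically linked: nothing to bind, no .dynstr to inspect
    tags, off, step = {}, dyn["offset"], struct.calcsize(dyn_fmt)
    while True:  # walk .dynamic up to DT_NULL, keeping the first value of each tag
        tag, val = struct.unpack_from(dyn_fmt, data, off)
        if tag == DT_NULL:
            break
        tags.setdefault(tag, val)
        off += step
    result["bind_now"] = (DT_BIND_NOW in tags
                          or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                          or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW))
    if DT_STRTAB in tags and DT_STRSZ in tags:
        start = vaddr_to_offset(phdrs, tags[DT_STRTAB])
        dynstr = data[start:start + tags[DT_STRSZ]]
        result["ssp"] = any(sym in dynstr for sym in SSP_SYMBOLS)
    return result


def build_sample_elf32(pie=True, relro=True, bind_now=True, ssp=True):
    """Constructed test input: a minimal i386 ELF32 image carrying only the headers the
    checker reads (ELF header, PT_LOAD, PT_DYNAMIC, optional PT_GNU_RELRO, .dynstr and
    .dynamic). It is not a runnable program."""
    dynstr = b"\0libc.so.0\0" + (b"__stack_chk_fail\0" if ssp else b"")
    dynstr += b"\0" * (-len(dynstr) % 4)  # keep .dynamic 4-byte aligned
    phnum = 3 if relro else 2
    dynstr_off = 52 + phnum * 32  # Elf32_Ehdr is 52 bytes, Elf32_Phdr is 32
    dyn_off = dynstr_off + len(dynstr)
    dynamic = b"".join(struct.pack("<iI", t, v) for t, v in (
        (DT_STRTAB, dynstr_off), (DT_STRSZ, len(dynstr)),
        (DT_FLAGS, DF_BIND_NOW if bind_now else 0), (DT_NULL, 0)))
    total = dyn_off + len(dynamic)
    ehdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9 + struct.pack(  # ELFCLASS32, LSB, EM_386
        "<HHIIIIIHHHHHH", ET_DYN if pie else ET_EXEC, 3, 1, 0, 52, 0, 0, 52, 32, phnum, 0, 0, 0)

    def phdr(ptype, off, size, flags, align):  # one PT_LOAD at vaddr 0, so vaddr == file offset
        return struct.pack("<IIIIIIII", ptype, off, off, off, size, size, flags, align)

    phdrs = phdr(PT_LOAD, 0, total, 5, 0x1000) + phdr(PT_DYNAMIC, dyn_off, len(dynamic), 6, 4)
    if relro:
        phdrs += phdr(PT_GNU_RELRO, dyn_off, len(dynamic), 4, 1)
    return ehdr + phdrs + dynstr + dynamic


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        image = build_sample_elf32()  # no file given: exercise the constructed sample
    for feature, present in check_hardening(image).items():
        print("%-9s %s" % (feature, "yes" if present else "NO"))
```

Run it against any installed binary (for example a freshly built /bin/bash from chapter 6) and every line should read "yes"; a "NO" on pie or bind_now usually means the package's build system dropped the toolchain defaults and needs the flags re-applied, while a "NO" on ssp for a dynamic binary means no function in it was given a canary.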
Note
This book assumes you already have experience with Linux From Scratch and are comfortable using it.
Warning
This book may be broken in some places, but less broken than before. The Glibc-2.6 book works, the rest need a bit more work. Be warned the stability is unknown. Please report bugs to http://wiki.linuxfromscratch.org/hlfs/, and/or send comments, and questions to: mailto:[email protected].
- Preface
- I. Introduction
- 1. Introduction
- 2. Technical Notes
- 2.1. Introduction
- 2.2. Host System Requirements
- 2.3. Toolchain Technical Notes
- 2.4. About Compiler Warnings
- 2.5. Stack Smashing Protector
- 2.6. Position Independent Executables
- 2.7. PaX-aware ELF executables and kernel
- 2.8. Address-Space Layout Randomization
- 2.9. Hardened Temporary Files Creation
- 2.10. Blowfish Passwords
- 2.11. Miscellaneous Features
- 2.12. About the Test Suites
- II. Preparing for the Build
- 3. Preparatory Steps
- 4. Packages and Patches
- 5. Constructing a Temporary System
- 5.1. Introduction
- 5.2. Embryo Toolchain
- 5.3. Linux-2.4.34.5 Linux-2.6.24.7 API Headers
- 5.4. Glibc-2.5.1
- 5.5. uClibc-0.9.29
- 5.6. Adjusting the Toolchain
- 5.7. Gettext-0.17 Libintl
- 5.8. Tcl-8.4.19
- 5.9. Expect-5.43.0
- 5.10. DejaGNU-1.4.4
- 5.11. Cocoon Toolchain
- 5.12. Ncurses-5.6
- 5.13. Bash-3.2
- 5.14. Tar-1.20
- 5.15. Bzip2-1.0.5
- 5.16. Coreutils-6.11
- 5.17. Diffutils-2.8.7
- 5.18. E2fsprogs-1.40.8
- 5.19. Findutils-4.4.0
- 5.20. Gawk-3.1.6
- 5.21. Gettext-0.17
- 5.22. Grep-2.5.1a
- 5.23. Gzip-1.3.12
- 5.24. M4-1.4.11
- 5.25. Make-3.81
- 5.26. Patch-2.5.9
- 5.27. Perl-5.10.0
- 5.28. Sed-4.1.5
- 5.29. Texinfo-4.12
- 5.30. Bison-2.3
- 5.31. Flex-2.5.35
- 5.32. BC-1.06.95
- 5.33. Util-linux-ng-2.13.1
- 5.34. Stripping
- III. Building the HLFS System
- 6. Installing Basic System Software
- 6.1. Introduction
- 6.2. Preparing Virtual Kernel File Systems
- 6.3. Entering the Chroot Environment
- 6.4. Changing Ownership
- 6.5. Creating Directories
- 6.6. Creating Essential Symlinks
- 6.7. Creating the passwd, group, and log Files
- 6.8. Linux-2.4.34.5 Linux-2.6.24.7 API Headers
- 6.9. Man-pages-2.78
- 6.10. Glibc-2.5.1
- 6.11. uClibc-0.9.29
- 6.12. Gettext-0.17 Libintl
- 6.13. GCC-4.1.2 Libssp
- 6.14. Re-adjusting the Toolchain
- 6.15. Butterfly Toolchain
- 6.16. Sed-4.1.5
- 6.17. E2fsprogs-1.40.8
- 6.18. Coreutils-6.11
- 6.19. Iana-Etc-2.30
- 6.20. M4-1.4.11
- 6.21. Bison-2.3
- 6.22. Ncurses-5.6
- 6.23. Procps-3.2.7
- 6.24. Libtool-1.5.26
- 6.25. Perl-5.10.0
- 6.26. Readline-5.2
- 6.27. Zlib-1.2.3
- 6.28. Gettext-0.17
- 6.29. Make-3.81
- 6.30. Attr-2.4.41-1
- 6.31. Libcap2-2.10
- 6.32. Autoconf-2.62
- 6.33. Automake-1.10.1
- 6.34. Bash-3.2
- 6.35. Bzip2-1.0.5
- 6.36. Diffutils-2.8.7
- 6.37. File-4.24
- 6.38. Findutils-4.4.0
- 6.39. Flex-2.5.35
- 6.40. GRUB-0.97
- 6.41. Gawk-3.1.6
- 6.42. Grep-2.5.1a
- 6.43. Groff-1.18.1.4
- 6.44. Gzip-1.3.12
- 6.45. Inetutils-1.5
- 6.46. IPRoute2-2.6.23
- 6.47. Kbd-1.14.1
- 6.48. Less-418
- 6.49. Man-1.6f
- 6.50. Module-Init-Tools-3.4
- 6.51. OpenSSL-0.9.8h
- 6.52. Patch-2.5.9
- 6.53. Paxctl-0.5
- 6.54. Psmisc-22.6
- 6.55. Shadow-4.1.1
- 6.56. Sysklogd-1.5
- 6.57. Sysvinit-2.86
- 6.58. Tar-1.20
- 6.59. Texinfo-4.12
- 6.60. Udev-113
- 6.61. Util-linux-ng-2.13.1
- 6.62. Vim-7.1
- 6.63. About Debugging Symbols
- 6.64. Stripping Again
- 6.65. Cleaning Up
- 7. Making the HLFS System Bootable
- 7.1. Introduction
- 7.2. Set User/Group ID (suid) Programs
- 7.3. LFS-Bootscripts-3.2.2
- 7.4. Device and Module Handling on an HLFS System
- 7.5. Configuring the setclock Script
- 7.6. Configuring the Linux Console
- 7.7. Creating the /etc/inputrc File
- 7.8. The Bash Shell Startup Files
- 7.9. Configuring the localnet Script
- 7.10. Creating the /etc/hosts File
- 7.11. Configuring the network Script
- 7.12. Creating the /etc/fstab File
- 7.13. Linux-2.4.34.5 Linux-2.6.24.7
- 7.14. Making the HLFS System Bootable
- 7.15. Finished
- IV. Appendices
- Index