LinuxQuestions.org
Old 01-16-2011, 02:46 AM   #1
mrmnemo
tor git repo security patch


This post concerns info found at http://archives.seul.org/or/dev/May-2010/msg00006.html.

My question is: How do I get the patch? The author makes ref. to "his" git repo and the patch for TOR. I guess the patch allows the use of some compile time options that can harden the build. I looked through the change log of TOR and couldn't see any of the options referenced by Jacob in his post.

I have read on the net that compile time hardening options are part of the gnu compiler, not the application to be compiled. Is this true?

Any help would be appreciated.
 
Old 01-16-2011, 08:43 AM   #2
ntubski
He doesn't give a link to his repo, but you can just copy the patch from the message and use git-apply to apply it.

Quote:
I have read on the net that compile time hardening options are part of the gnu compiler, not the application to be compiled. Is this true?
Yes, compile time options are handled by the compiler. The patch changes the build scripts so that different options are passed to the compiler.
 
Old 01-16-2011, 04:09 PM   #3
mrmnemo
So, I could pass those myself then without his patch? That is assuming he is only passing commands to the compiler and not changing the source at all?
 
Old 01-16-2011, 06:49 PM   #4
mrmnemo
Update: It appears that the "harden-wrapper" is a default now in Ubuntu. That said, from the wiki it appears that anything I build from source will get the flags meant to harden the build. Please correct me if I am wrong.

Thanks
 
Old 01-17-2011, 06:07 PM   #5
ntubski
Quote:
Originally Posted by mrmnemo
So, I could pass those myself then without his patch? That is assuming he is only passing commands to the compiler and not changing the source at all?
Yes, you could run make with CFLAGS=hardening flags.

Quote:
Update: It appears that the "harden-wrapper" is a default now in Ubuntu. That said, from the wiki it appears that anything I build from source will get the flags meant to harden the build. Please correct me if I am wrong.
Perhaps Ubuntu applied the patch, can you link to the wiki in question?
 
Old 01-17-2011, 06:19 PM   #6
mrmnemo
Wiki for Ubuntu:
https://wiki.ubuntu.com/Security/HardeningWrapper.

Since this is based on the Debian harden-wrapper I think it would work as below.
Code:
build_user:$ DEB_BUILD_HARDENING=1 make my_app
The Ubuntu wiki does not mention adding DEB_BUILD_HARDENING=1 to the command line with make. However, since the harden-wrapper script is based on Debian harden-wrapper, I believe the command must be structured that way.
Quoting Debian wiki:
Quote:
Default compile:
Code:
$ make trivial
cc -Wall -O2    trivial.c   -o trivial
Hardened compile:
Code:
$ DEB_BUILD_HARDENING=1 make trivial
cc -Wall -O2    trivial.c   -o trivial
trivial.c: In function 'main':
trivial.c:16: warning: format not a string literal and no format arguments
Known problems: (Common build failures, non-availability on some archs)
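
Whether a build from source really picked up the hardening flags, the open question in this thread, can be checked on the resulting binary itself. The following is an added example, not part of the original thread or of the Debian/Ubuntu hardening-wrapper: a shell function that reads `readelf` output and reports PIE, RELRO, stack protector and fortify status. The function names and the sample `readelf` excerpts are constructed for illustration, and the flags named in the comments are the usual GCC/ld hardening options, not a list taken from the Tor patch.

```sh
#!/bin/sh
# Added example (not from the thread): report the hardening features an ELF
# binary actually carries. check_hardening reads, on stdin, the output of
#   readelf -W -h -l -d --dyn-syms <binary>
check_hardening() {
    out=$(cat)
    has() { printf '%s\n' "$out" | grep -Eq "$1"; }
    # -fPIE -pie: the ELF header type is DYN instead of EXEC.
    if has '^[[:space:]]*Type:[[:space:]]+DYN'; then pie=yes; else pie=no; fi
    # -Wl,-z,relro adds a GNU_RELRO segment; -Wl,-z,now adds BIND_NOW/NOW.
    relro=no
    if has 'GNU_RELRO'; then
        relro=partial
        if has 'BIND_NOW|\(FLAGS_1\).*NOW'; then relro=full; fi
    fi
    # -fstack-protector: protected functions import __stack_chk_fail.
    if has '__stack_chk_fail'; then canary=yes; else canary=no; fi
    # -D_FORTIFY_SOURCE=2 with optimisation on: libc calls become __*_chk.
    # "no" can also mean the program calls nothing that can be fortified.
    if has '__[a-z0-9_]+_chk(@|[[:space:]]|$)'; then fortify=yes; else fortify=no; fi
    echo "pie=$pie relro=$relro canary=$canary fortify=$fortify"
}

# Constructed readelf excerpts (written for this example, not real captures).
sample_hardened() {
    cat <<'EOF'
  Type:                              DYN (Position-Independent Executable file)
  GNU_RELRO      0x002d90 0x0000000000003d90 0x0000000000003d90 0x000270 0x000270 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (4)
EOF
}
sample_default() {
    cat <<'EOF'
  Type:                              EXEC (Executable file)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.2.5 (2)
EOF
}

# With a path argument, check a real binary (needs readelf from binutils).
if [ $# -ge 1 ] && [ -f "$1" ]; then
    readelf -W -h -l -d --dyn-syms "$1" | check_hardening
fi
```

Saved under a name of your choice (for example `check_hardening.sh`), it can be run as `sh check_hardening.sh ./trivial` after `make trivial` and again after `DEB_BUILD_HARDENING=1 make trivial` to compare the two builds.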
 
  

