LinuxQuestions.org
Old 11-15-2019, 01:35 PM   #4006
ZhaoLin1457
Member
 
Registered: Jan 2018
Posts: 371

Rep: Reputation: 339

Quote:
Originally Posted by allend View Post
So gcc-solibs isn't unreasonable if software needs those libraries but you don't want the entire gcc suite.
I am not a specialist in servers, but I heard multiple times that the presence of compilers in a server is considered a huge security issue, unless it is about a build server.

Last edited by ZhaoLin1457; 11-15-2019 at 01:38 PM.
 
2 members found this post helpful.
Old 11-15-2019, 01:57 PM   #4007
volkerdi
Slackware Maintainer
 
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 1,791

Rep: Reputation: 5753
Quote:
Originally Posted by ZhaoLin1457 View Post
I am not a specialist in servers, but I heard multiple times that the presence of compilers in a server is considered a huge security issue, unless it is about a build server.
Having an attacker gain access to a server is a huge security issue. At that point installing a compiler is QED.
 
8 members found this post helpful.
Old 11-15-2019, 02:37 PM   #4008
akschu
Member
 
Registered: Dec 2007
Posts: 46

Rep: Reputation: 26
Security is all a matter of risk management. Since computing platforms have lots of layers, you try to minimize risk at each layer, not just some of the layers. Keeping the installed packages as minimal as possible, and not having a compiler on the host reduces the risk. Nobody in the security space recommends having a compiler installed on a server.

Anyway, should I take this response to mean that slackware policy is to install the compiler should something link against atomics?
 
Old 11-15-2019, 02:48 PM   #4009
qunying
Member
 
Registered: Jun 2002
Distribution: Slackware
Posts: 164

Rep: Reputation: 90
I am not very sure about your request, as libatomic is already included in aaa_elflibs (in current, at least, I don't have a 14.2 to check against). You don't need to install GCC.

Quote:
Originally Posted by akschu View Post
Any thoughts on making the GCC libraries their own package? I have some software that links against libatomic which is forcing me to install the entire GCC compiler on a server, which is unwanted.
 
Old 11-15-2019, 03:34 PM   #4010
akschu
Member
 
Registered: Dec 2007
Posts: 46

Rep: Reputation: 26
Quote:
Originally Posted by qunying View Post
I am not very sure about your request, as libatomic is already included in aaa_elflibs (in current, at least, I don't have a 14.2 to check against). You don't need to install GCC.
Thanks for that! That is exactly what I was looking for. Didn't realize that was already a thing in -current. I'll work around it for now and keep waiting for 15.0.

schu
 
2 members found this post helpful.
Old 11-16-2019, 09:52 AM   #4011
orbea
Senior Member
 
Registered: Feb 2015
Distribution: Slackware64-current
Posts: 1,813

Rep: Reputation: Disabled
Quote:
Originally Posted by qunying View Post
I am not very sure about your request, as libatomic is already included in aaa_elflibs (in current, at least, I don't have a 14.2 to check against). You don't need to install GCC.
You don't need 14.2 to check this.

https://packages.slackware.com/?r=sl....2-i586-23.txz
https://packages.slackware.com/?r=sl...-i586-23.txz&f

And yes, libatomic is not included in the 14.2 aaa_elflibs package.

Quote:
Originally Posted by akschu View Post
Security is all a matter of risk management. Since computing platforms have lots of layers, you try to minimize risk at each layer, not just some of the layers. Keeping the installed packages as minimal as possible, and not having a compiler on the host reduces the risk. Nobody in the security space recommends having a compiler installed on a server.
How does a compiler increase the attack surface when it's installed, but not being used?

Last edited by orbea; 11-16-2019 at 09:54 AM.
 
1 members found this post helpful.
Old 11-16-2019, 11:31 AM   #4012
Skaendo
Senior Member
 
Registered: Dec 2014
Location: West Texas, USA
Distribution: Slackware64-14.2
Posts: 1,124

Rep: Reputation: Disabled
Quote:
Originally Posted by orbea View Post
How does a compiler increase the attack surface when it's installed, but not being used?
I am interested in this as well.
 
1 members found this post helpful.
Old 11-16-2019, 05:57 PM   #4013
RandomTroll
Senior Member
 
Registered: Mar 2010
Distribution: Slackware
Posts: 1,313

Rep: Reputation: 223
Audacity.
 
Old 11-16-2019, 06:21 PM   #4014
LuckyCyborg
Member
 
Registered: Mar 2010
Posts: 474

Rep: Reputation: 286
Quote:
Originally Posted by RandomTroll View Post
Audacity.
This, and its ton of dependencies up to JACK? So, you want Slackware to be a DAW?

I wish you good luck to see it on Slackware, but likely this will not happen.

Last edited by LuckyCyborg; 11-16-2019 at 06:23 PM.
 
1 members found this post helpful.
Old 11-16-2019, 06:59 PM   #4015
0XBF
Member
 
Registered: Nov 2018
Location: Winnipeg
Distribution: Slackware
Posts: 106

Rep: Reputation: 77
You can get Audacity (and a pile of other DAW software) from alienBOB's repo. Probably easier getting it that way than getting it added to the official package list.
 
2 members found this post helpful.
Old 11-16-2019, 07:06 PM   #4016
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-14.2.1.2 on Lenovo Thinkpad W520
Posts: 9,101

Rep: Reputation: Disabled
eliloconfig: don't write a boot entry for Slackware in the EFI boot menu if there's already one.

Rationale:
  • The user is advised to run eliloconfig after a kernel upgrade.
  • eliloconfig will then find an old entry in the EFI boot menu and suggest to remove it, then write a new one.
  • But the EFI boot entry in the firmware boot menu just points to elilo.efi, which will not be modified.
  • So writing a boot entry if one already exists is useless.
  • Thus I propose that eliloconfig proposes to write a boot entry in the EFI menu only if there's none yet.
  • This will preserve the NVRAM. Quoting Max Tottenham[1]:
    Quote:
    I'm wary of this approach, at least in the UEFI case I'd be wary of writing to NVRAM backed EFI variables, as I'm pretty sure these NVRAM chips have pretty low write limits (1-10k write cycles) and are meant to be updated pretty infrequently.

    I wouldn't want to create an interface that developers might use thinking that it's fine to stick stuff in there on every boot, only to find out their NVRAM becomes a ROM after a couple of years.
    We don't expect a kernel upgrade to be proposed every morning, but the safer the better.
 
5 members found this post helpful.
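
An added sketch of the check proposed in the eliloconfig post above; it is not part of the thread and not eliloconfig's own code. It reads `efibootmgr -v` style text on stdin and only reports a decision, so nothing is written to NVRAM. The loader path, the function names and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Decide whether an EFI boot entry still has to be written.
# Input: text in the format printed by `efibootmgr -v`, on stdin.

# Assumed location of elilo.efi on the EFI System Partition.
LOADER='\EFI\Slackware\elilo.efi'

# Exit 0 if some BootXXXX entry already points at $LOADER.
# UEFI file paths are case-insensitive, hence -i; -F keeps the
# backslashes in the path literal.
has_elilo_entry() {
    grep -E '^Boot[0-9A-Fa-f]{4}' | grep -qiF -- "$LOADER"
}

# Print "skip" when a matching entry exists, "create" otherwise.
# A caller would run efibootmgr to write an entry only on "create".
plan_boot_entry() {
    if has_elilo_entry; then
        echo skip
    else
        echo create
    fi
}

# Constructed sample listings (not captured from a real machine).
SAMPLE_EXISTING='BootCurrent: 0000
BootOrder: 0000,0001
Boot0000* Slackware	HD(1,GPT,00000000-0000-0000-0000-000000000001,0x800,0x32000)/File(\EFI\Slackware\elilo.efi)
Boot0001* UEFI: USB Drive	PciRoot(0x0)/Pci(0x14,0x0)/USB(1,0)'

SAMPLE_NONE='BootCurrent: 0001
BootOrder: 0001
Boot0001* UEFI: USB Drive	PciRoot(0x0)/Pci(0x14,0x0)/USB(1,0)'

# Same label, different loader: the label alone proves nothing.
SAMPLE_OTHER='BootOrder: 0000
Boot0000* Slackware	HD(1,GPT,00000000-0000-0000-0000-000000000001,0x800,0x32000)/File(\EFI\grub\grubx64.efi)'

for s in "$SAMPLE_EXISTING" "$SAMPLE_NONE" "$SAMPLE_OTHER"; do
    printf '%s\n' "$s" | plan_boot_entry
done
```

On a real system the same decision would come from `efibootmgr -v | plan_boot_entry`, which only reads the boot variables.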
Old 11-16-2019, 11:42 PM   #4017
aaditya
Member
 
Registered: Oct 2013
Location: India
Distribution: Slackware
Posts: 187
Blog Entries: 2

Rep: Reputation: Disabled
Quote:
Originally Posted by Skaendo View Post
I am interested in this as well.
Have seen PHP scripts disguised as image files being uploaded and executed (as www-user not root).

If a compiler is available, then such scripts can use it to create more sophisticated malware. Otherwise they may need to first download and set up the compiler, which is not an easy task. Or they could download binaries off a server if they are already available.
 
3 members found this post helpful.
Old 11-17-2019, 09:45 AM   #4018
orbea
Senior Member
 
Registered: Feb 2015
Distribution: Slackware64-current
Posts: 1,813

Rep: Reputation: Disabled
Quote:
Originally Posted by aaditya View Post
Have seen PHP scripts disguised as image files being uploaded and executed (as www-user not root).
This would require the server admin to actually download such a file manually? How are they executed? Maybe I'm missing something obvious, but I can't recall the last time I downloaded an image file with a remote server let alone executed it or even made it executable.
 
Old 11-17-2019, 01:23 PM   #4019
SCerovec
Senior Member
 
Registered: Oct 2006
Location: Cp6uja
Distribution: Slackware on x86 and arm
Posts: 1,680
Blog Entries: 2

Rep: Reputation: 452
Quote:
Originally Posted by orbea View Post
This would require the server admin to actually download such a file manually? How are they executed? Maybe I'm missing something obvious, but I can't recall the last time I downloaded an image file with a remote server let alone executed it or even made it executable.
You as admin pick a PHP app and install it to your server - but in the payload is a rogue PHP script.

The script has been sneaked in during the development process of said app.

Don't you watch hacker movies? (just kidding)

The premise is not all development teams go by high security rules, assuming the "I'm not a probable target" approach to security.
 
1 members found this post helpful.
Old 11-18-2019, 12:14 AM   #4020
RandomTroll
Senior Member
 
Registered: Mar 2010
Distribution: Slackware
Posts: 1,313

Rep: Reputation: 223
Quote:
Originally Posted by LuckyCyborg View Post
This, and its ton of dependencies up to JACK? So, you want Slackware to be a DAW?
What's 'JACK', 'DAW'?
 
  

