Tiny Core Linux

Tiny Core Extensions => TCE Talk => Extension requests => Topic started by: Looper on May 04, 2017, 02:42:24 PM

Title: Security concerns
Post by: Looper on May 04, 2017, 02:42:24 PM
We don't have sshguard or CSF (ConfigServer Security & Firewall) or fail2ban, etc.
What can I do?
Title: Re: Security concerns
Post by: gerald_clark on May 04, 2017, 03:07:13 PM
You can wait, and hope someone will compile and submit them, or compile them yourself.
If you compile them, please submit them as described in the wiki.
Title: Re: Security concerns
Post by: hiro on May 05, 2017, 02:15:51 AM
I suggest outsourcing security liabilities to a company with a good lawyer department. Keeps the hopes up while the system can stay simple.
Title: Re: Security concerns
Post by: rdebath on May 05, 2017, 07:42:34 PM
If you compile them, please submit them as described in the wiki.
Where in the wiki?
Title: Re: Security concerns
Post by: Rich on May 05, 2017, 07:45:41 PM
Hi rdebath
Over here:
http://wiki.tinycorelinux.net/wiki:creating_extensions
Title: Re: Security concerns
Post by: rdebath on May 06, 2017, 02:57:48 AM
That page isn't really much help.
For example, it has a pointer to an "audit script" which doesn't run and a couple of other scripts which it says don't use.

... I was going to complain here, but really it's not a topic for a reply.
Title: Re: Security concerns
Post by: Juanito on May 06, 2017, 05:11:14 AM
Which aspect of creating an extension would you like more help with?
Title: Re: Security concerns
Post by: rdebath on May 06, 2017, 08:50:13 AM
Hi Juanito,

Okay, as you've responded I will paste this message here, it probably
reads a little aggressively. But rather than clean it up I'll just say
that it's a picture of how frustrating the process is. The question at
the end still applies though, have I missed anything?

Mostly my complaint is that documentation is wrong. But missing
documentation and badly scattered documentation isn't much better.

That page in the wiki is "how to compile programs" then email it to
this address.

It has little about what rules you'd like for submitted extensions.

It says nothing about how build scripts should be styled, or where to
stick them.

It does reference tcztools, a URL pointing at a rather old Half Gigabyte
project on the Google code archive but almost states you shouldn't use it.

It has a pointer to an "audit script" which doesn't run.

There is a reference to a "submitqc4" script but no indication as to
what or where it is, it's supposed to create the zsync file.

Eventually I guessed the name of the "audit script" in the repository
despite the explicit statement that it wasn't in the repository in the
linked forum messages.

The link to the "Guidelines" message seems to have two points, License,
and look in the 'News section under TC Extensions.' Neither of which is
helpful at this stage.

There's little indication what the various items in the info file
are for. Mostly that's okay, but "Tags", "Current" and probably
"Change-log" need more detail. Even the comments section probably needs
recommendations on contents. For example, should it really be called
"Long-description"?

I'm also unclear what "build-dep" is actually for; from the example
it seems to be "build comments". I expect it was just included because
there doesn't seem to be anywhere to put a build script. So if I have
a build script, should it actually go in that file?

But currently I'm guessing it goes in the ".tcz.tgz" file with a copy
of the exact source that was used to build it.

I think I've mostly discarded the old debris in the "documentation",
but frankly I expect I've still missed something. So here's a couple of
copies of a simple build script, does it do the right thing?


Code:
#!/bin/sh -

init_app() {
    TCZNAME="easyrsa"
    BUILDDEPS=''

    COMPDIR="$(pwd)/tcz-comp/$TCZNAME"
    BUILDDIR="$COMPDIR/build"
    TREEDIR="$COMPDIR/tcztree"
    REPO="$HOME/repo"
    DIST="$HOME/dist"
    FAKEROOT=sudo
}

info_file() {
cat <<!
Title: easyrsa.tcz
Description: OpenVPN - Easy RSA scripts
Version: $VER
Author: Various
Original-site: http://openvpn.net
Copying-policy: GPL (see usr/local/share/doc/openvpn/COPYING)
Size: $TCZSIZE
Extension_by: rdebath
Tags: OpenSSL easy
Comments: Downloaded from
https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz

Change-log: 2017-05-06 Initial release replacing OpenVPN embed.
Current: 2017-05-06 Initial release replacing OpenVPN embed.
!
}

unpack_app() {
    VER=3.0.1
    DISTFILE="$DIST/EasyRSA-3.0.1.tgz"
    BUILDDIR="$COMPDIR/EasyRSA-$VER"
    [ -d "$BUILDDIR" ] || {
        tar xf "$DISTFILE"
        cp -p "$DISTFILE" "$COMPDIR/src"
    }
}

build_app() {
    PREFIX=/usr/local
    # Nothing to compile; the runtime dependency is fixed rather than detected.
    find_deps() { echo openssl.tcz ; }
}

install_app() {
    $FAKEROOT mkdir -p "$TREEDIR$PREFIX"/bin
    $FAKEROOT mkdir -p "$TREEDIR$PREFIX"/lib/easyrsa
    $FAKEROOT mkdir -p "$TREEDIR$PREFIX"/share/doc/easyrsa

    $FAKEROOT cp -rp x509-types easyrsa openssl-1.0.cnf "$TREEDIR$PREFIX"/lib/easyrsa/.

    $FAKEROOT cp -rp ChangeLog doc COPYING README.quickstart.md vars.example gpl-2.0.txt "$TREEDIR$PREFIX"/share/doc/easyrsa/.

    $FAKEROOT chown -R 0:0 "$TREEDIR$PREFIX"/lib/easyrsa "$TREEDIR$PREFIX"/share/doc/easyrsa
    $FAKEROOT chmod -R g-s "$TREEDIR$PREFIX"/lib/easyrsa "$TREEDIR$PREFIX"/share/doc/easyrsa

    # Wrapper script. $PREFIX is expanded now; "\$EASYRSA_PKI" and "\$@" are
    # escaped so they are expanded when the wrapper runs (an unescaped "$@"
    # here is expanded at build time and the wrapper would drop its arguments).
    $FAKEROOT dd of="$TREEDIR$PREFIX"/bin/easyrsa 2>/dev/null <<-!
#!/bin/sh
export EASYRSA="$PREFIX"/lib/easyrsa
export EASYRSA_PKI=/opt/easyrsa
mkdir -p "\$EASYRSA_PKI"
exec sh "$PREFIX/lib/easyrsa/easyrsa" "\$@"
!

    $FAKEROOT chmod +x "$TREEDIR$PREFIX"/bin/easyrsa
}

################################################################################

main() {
    set -e
    init_app
    mkdir -p "$COMPDIR"/src
    cp -p "$0" "$COMPDIR"/src/.

    cd "$COMPDIR"
    load_build_dep $BUILDDEPS squashfs-tools

    cd "$COMPDIR"
    unpack_app

    cd "$BUILDDIR"
    build_app

    cd "$COMPDIR"
    $FAKEROOT rm -rf "$TREEDIR"
    $FAKEROOT mkdir -m 755 "$TREEDIR"
    $FAKEROOT chmod u-s,g-ws,o-w "$TREEDIR"
    $FAKEROOT chown 0:0 "$TREEDIR"

    cd "$BUILDDIR"
    install_app

    cd "$COMPDIR"
    $FAKEROOT mksquashfs "$TREEDIR" "$TCZNAME".tcz -noappend

    # $REPO must exist before the first copy into it below.
    mkdir -p "$REPO"

    TCZSIZE=$(du -h "$TCZNAME".tcz | cut -f 1)
    info_file > "$TCZNAME".tcz.info
    [ ! -s "$TCZNAME".tcz.info ] ||
        cp "$TCZNAME".tcz.info "$REPO"/"$TCZNAME".tcz.info

    cp "$TCZNAME".tcz "$REPO"/"$TCZNAME".tcz
    md5sum "$TCZNAME".tcz > "$REPO"/"$TCZNAME".tcz.md5.txt
    (cd "$TREEDIR" ; find . ! -type d | sed 's/^\.\//\//' | sort) > "$REPO"/"$TCZNAME".tcz.list

    {
        [ "$BUILDDEPS" != "" ] && {
            echo "$BUILDDEPS" | tr ' ' '\012'
        }
    } > "$REPO"/"$TCZNAME".tcz.build-dep

    DEP="$(find_deps)"
    [ -f "$REPO"/"$TCZNAME".tcz.dep ] && rm "$REPO"/"$TCZNAME".tcz.dep
    [ "$DEP" != "" ] && echo "$DEP" > "$REPO"/"$TCZNAME".tcz.dep

    (cd "$COMPDIR"/src; tar czf - *) > "$REPO"/"$TCZNAME".tcz.tgz
}

load_build_dep() {
    # Download and load build depends IF NEEDED.
    # DO NOT put in onboot.lst
    TCEI=/usr/local/tce.installed
    TCEDIR=/etc/sysconfig/tcedir

    for i
    do
        ext="${i%.tcz}.tcz"

        # Installed, okay.
        [ ! -e "$TCEI/${ext%.tcz}" ] || continue

        [ -f "$TCEDIR/optional/$ext" ] ||
            tce-load -s -w "$ext"

        tce-load -s -l -i "$ext"
    done
}

find_deps() {
    # Map every shared library that ldd resolves under /tmp/tcloop/<ext>/
    # back to <ext>.tcz; the result becomes the .dep file.
    ls -nl $(find "$TREEDIR" -type f -perm /100 -exec ldd {} \; 2>/dev/null |
        awk '/=>/{print $3;}') |
        awk '/ ->.*\/tmp\/tcloop/{print $NF;}' |
        awk -F/ '{print $4 ".tcz";}' |
        sort -u
}

main "$@"

Code:
#!/bin/sh -

init_app() {
    TCZNAME="openvpn"
    BUILDDEPS='compiletc bash openssl-dev lzo-dev openssl lzo squashfs-tools xz'

    COMPDIR="$(pwd)/tcz-comp/$TCZNAME"
    BUILDDIR="$COMPDIR/build"
    TREEDIR="$COMPDIR/tcztree"
    REPO="$HOME/repo"
    DIST="$HOME/dist"
    FAKEROOT=sudo
}

info_file() {
cat <<!
Title: openvpn.tcz
Description: OpenVPN - Open Source Virtual Private Network
Version: $VER
Author: Various
Original-site: http://openvpn.net
Copying-policy: GPL (see usr/local/share/doc/openvpn/COPYING)
Size: $TCZSIZE
Extension_by: rdebath
Tags: VPN connection network OpenVPN
Comments: For further information please visit
http://openvpn.net/index.php/open-source/documentation/howto.html

For client access use:
$ sudo openvpn --config /path/to/your/conf

---
Change-log: 2010/10/24 Initial version 2.1.3
2010/11/19 Resolved iproute2 dep, bump to 2.1.4
2012/03/09 Bump to 2.2.2, recompiled for TC4 against openssl-1.0.0, removed bash as needed shell
Current: 2017/05/06 Bump to 2.4.1, recompiled for TC8 against openssl-1.0.2k, easy-rsa no longer included, smartcard support too old.
!
}

unpack_app() {
    VER=2.4.1
    DISTFILE="$DIST/openvpn-$VER.tar.xz"
    BUILDDIR="$COMPDIR/openvpn-$VER"
    [ -d "$BUILDDIR" ] || {
        tar xf "$DISTFILE"
        cp -p "$DISTFILE" "$COMPDIR/src"
    }
}

build_app() {
    # Only configure on a fresh tree; a rebuild reuses the existing Makefile.
    [ -f configure -a ! -f Makefile ] &&
        ./configure \
            --enable-x509-alt-username \
            --disable-plugin-auth-pam \
            --prefix=/usr/local

    make
}

install_app() {
    $FAKEROOT make install-strip DESTDIR="$TREEDIR"

    $FAKEROOT xz "$TREEDIR"/usr/local/share/man/man8/openvpn.8
}

################################################################################

main() {
    set -e
    init_app
    mkdir -p "$COMPDIR"/src
    cp -p "$0" "$COMPDIR"/src/.

    cd "$COMPDIR"
    load_build_dep $BUILDDEPS squashfs-tools

    cd "$COMPDIR"
    unpack_app

    cd "$BUILDDIR"
    build_app

    cd "$COMPDIR"
    $FAKEROOT rm -rf "$TREEDIR"
    $FAKEROOT mkdir -m 755 "$TREEDIR"
    $FAKEROOT chmod u-s,g-ws,o-w "$TREEDIR"
    $FAKEROOT chown 0:0 "$TREEDIR"

    cd "$BUILDDIR"
    install_app

    cd "$COMPDIR"
    $FAKEROOT mksquashfs "$TREEDIR" "$TCZNAME".tcz -noappend

    # $REPO must exist before the first copy into it below.
    mkdir -p "$REPO"

    TCZSIZE=$(du -h "$TCZNAME".tcz | cut -f 1)
    info_file > "$TCZNAME".tcz.info
    [ ! -s "$TCZNAME".tcz.info ] ||
        cp "$TCZNAME".tcz.info "$REPO"/"$TCZNAME".tcz.info

    cp "$TCZNAME".tcz "$REPO"/"$TCZNAME".tcz
    md5sum "$TCZNAME".tcz > "$REPO"/"$TCZNAME".tcz.md5.txt
    (cd "$TREEDIR" ; find . ! -type d | sed 's/^\.\//\//' | sort) > "$REPO"/"$TCZNAME".tcz.list

    {
        [ "$BUILDDEPS" != "" ] && {
            echo "$BUILDDEPS" | tr ' ' '\012'
        }
    } > "$REPO"/"$TCZNAME".tcz.build-dep

    DEP="$(find_deps)"
    [ -f "$REPO"/"$TCZNAME".tcz.dep ] && rm "$REPO"/"$TCZNAME".tcz.dep
    [ "$DEP" != "" ] && echo "$DEP" > "$REPO"/"$TCZNAME".tcz.dep

    (cd "$COMPDIR"/src; tar czf - *) > "$REPO"/"$TCZNAME".tcz.tgz
}

load_build_dep() {
    # Download and load build depends IF NEEDED.
    # DO NOT put in onboot.lst
    TCEI=/usr/local/tce.installed
    TCEDIR=/etc/sysconfig/tcedir

    for i
    do
        ext="${i%.tcz}.tcz"

        # Installed, okay.
        [ ! -e "$TCEI/${ext%.tcz}" ] || continue

        [ -f "$TCEDIR/optional/$ext" ] ||
            tce-load -s -w "$ext"

        tce-load -s -l -i "$ext"
    done
}

find_deps() {
    # Map every shared library that ldd resolves under /tmp/tcloop/<ext>/
    # back to <ext>.tcz; the result becomes the .dep file.
    ls -nl $(find "$TREEDIR" -type f -perm /100 -exec ldd {} \; 2>/dev/null |
        awk '/=>/{print $3;}') |
        awk '/ ->.*\/tmp\/tcloop/{print $NF;}' |
        awk -F/ '{print $4 ".tcz";}' |
        sort -u
}

main "$@"
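As an added example, not part of rdebath's scripts above or of submitqc: a few POSIX sh functions that reproduce the .list step of the build script and check a staged "$TREEDIR" for what the chmod u-s,g-ws,o-w and chown 0:0 lines are there to prevent (setuid/setgid files, world-writable entries) before mksquashfs runs, plus a symlink check the scripts above do not perform. The directory layout and file names are constructed inside the block.

```sh
#!/bin/sh
# Added example, not part of the build scripts above or of submitqc.
# Pre-packaging checks on a staged extension tree (the scripts' "$TREEDIR")
# before it is handed to mksquashfs. Everything here is constructed locally.

# The .list file exactly as the build script produces it: every
# non-directory entry, leading "." stripped, sorted.
make_list() {
    ( cd "$1" && find . ! -type d | sed 's/^\.\//\//' | sort )
}

# One line per entry that should not ship in a read-only, root-owned
# extension: setuid/setgid files, world-writable files or directories,
# and symlinks with absolute targets (they escape the mounted tree).
audit_tree() {
    tree="$1"
    find "$tree" -type f \( -perm -4000 -o -perm -2000 \) -print |
        sed "s|^$tree|SETID   |"
    find "$tree" -perm -0002 ! -type l -print |
        sed "s|^$tree|WORLDW  |"
    find "$tree" -type l -print | while read -r l; do
        case "$(readlink "$l")" in
            /*) echo "ABSLINK ${l#"$tree"}" ;;
        esac
    done
}

# Exit status 0 when audit_tree reports nothing, 1 otherwise.
tree_is_clean() {
    [ -z "$(audit_tree "$1")" ]
}

# Constructed sample tree: a clean binary, a setuid binary, a
# world-writable config file and a symlink pointing outside the tree.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/local/bin" "$d/usr/local/etc"
    chmod 755 "$d" "$d/usr" "$d/usr/local" "$d/usr/local/bin" "$d/usr/local/etc"
    : > "$d/usr/local/bin/good";     chmod 755 "$d/usr/local/bin/good"
    : > "$d/usr/local/bin/suid";     chmod 4755 "$d/usr/local/bin/suid"
    : > "$d/usr/local/etc/app.conf"; chmod 666 "$d/usr/local/etc/app.conf"
    ln -s /etc/passwd "$d/usr/local/etc/passwd"
    echo "$d"
}

# Stand-alone run: show the findings for the sample tree, then clean up.
if [ "${1:-}" = "demo" ]; then
    T=$(demo_tree)
    echo "--- .list ---";  make_list "$T"
    echo "--- audit ---";  audit_tree "$T"
    tree_is_clean "$T" || echo "tree NOT clean, fix before mksquashfs"
    rm -rf "$T"
fi
```

Run it as `sh check_tree.sh demo` to see the three findings for the sample tree; point audit_tree at a real "$TREEDIR" to use it in a build.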
Title: Re: Security concerns
Post by: Juanito on May 06, 2017, 09:53:04 PM
The wiki has been created by users for users, so if you'd like to contribute, please feel free.

I don't think anybody is saying that you have to use build scripts, just a simple configure/make/make install would be fine. There are plenty of examples of both in the src directories, for example:

http://www.tinycorelinux.net/8.x/x86_64/tcz/src/

In terms of your build scripts, I don't see where you apply the standard tinycore flags, for example:
Code:
$ CC="gcc -flto -fuse-linker-plugin -march=i486 -mtune=i686 -Os -pipe" CXX="g++ -flto -fuse-linker-plugin -march=i486 -mtune=i686 -Os -pipe -fno-exceptions -fno-rtti" ./configure --prefix=/usr/local --blah-blah
Title: Re: Security concerns
Post by: coreplayer2 on May 06, 2017, 10:18:59 PM
Hello rdebath

The "audit script" extension is called "submitqc.tcz" and is available in tc-7 and tc-8 repos. I created a script to make extensions, but for consistency and before submitting I always use "submitqc.sh --fix" on all new or updated extensions.

The best way to learn how to create an extension is to unsquash a few extensions from the current repo
Code:
unsquashfs -d sample_ext sample_ext.tcz
and examine the contents and the directory construction closely; really it's not at all complicated, and in any case you'll need to test it then run
Code:
submitqc.sh --fix
on it before submitting, which fixes any general errors.

To use submitqc:
1. Place your new extension in its own empty directory and
    add a dep file if needed and
    an info file (best to use an info file from another extension in the repo as a template), then
    (An extension and an info file are the minimum requirements, a dep file as required)
2. Run this command from within the above directory
Code:
submitqc.sh --fix
Note: download several info files and create a template for yourself, eg: http://tinycorelinux.net/8.x/x86/tcz/firefox_getLatest.tcz.info
Note: submitqc will create any missing files and/or will notify you of any issues which need to be fixed manually

Place your build script and source code in the directory and zip up the contents, then attach to your submissions email.
Title: Re: Security concerns
Post by: patrikg on May 07, 2017, 01:11:37 AM
Don't forget that:

In the http://tinycorelinux.net/7.x/x86/tcz/src/ directory there are lots of sub folders with .build files.

Title: Re: Security concerns
Post by: rdebath on May 07, 2017, 06:06:05 AM
@Juanito
No it doesn't say anything about build scripts (beyond a side note that they would be useful). I want build scripts because I want to be able to instantly rebuild the package against new dependencies and trivially upgrade the source when a new version arrives. OR allow a third party, eg YOU, to do it instead.

Yes, I did forget to add the CFLAGS export, thank you for spotting that.
NB: just for the record putting the options in CC is likely to fail as autoconf will often override them later in the command. Putting eg -Os where you're supposed to in the CFLAGS export tends to work.
NB. 2: Oh excellent, the wiki has the same login as the forum, so many websites don't bother to integrate the authentication.

@coreplayer2
I probably should have cleaned up that message; I did eventually find the submitqc.tcz package. Your extension doesn't have to be in its own directory, it's not in the help, but you can name one TCZ on the command line and it'll just do that; it has to be in the current directory for some reason though.

I did end up downloading the repository and looking at lots of the info files; they're not as consistent as I expected so that's okay then.
BTW, no point unsquashing the TCZ files, just mount them.

@patrikg
BIG SIGH, so it looks like there ARE some build scripts, just none whatsoever for the current x86 versions.
Oh right, there was a paragraph about -doc and -dev parts somewhere too.

Okay I'm gonna download V7 too ... at this rate, I should probably download all of them, shouldn't be more than a couple of hundred gigabytes.
Title: Re: Security concerns
Post by: mocore on May 12, 2017, 03:43:56 AM
I want build scripts because I want to be able to instantly rebuild the package against new dependencies and trivially upgrade the source when a new version arrives. OR allow a third party, eg YOU, to do it instead.
You may find the 'nix pkg mgr' interesting / useful wrt build scripts / reproducibility!
Title: Re: Security concerns
Post by: JustinCB on June 02, 2017, 07:43:30 AM
The wiki page was very outdated. I updated it as best I could. The latest extension auditor in the repo is submitqc7.tcz and submitqc8.tcz is in the pipeline.
Title: Re: Security concerns
Post by: coreplayer2 on June 02, 2017, 08:22:25 AM
The wiki page was very outdated. I updated it as best I could. The latest extension auditor in the repo is submitqc7.tcz and submitqc8.tcz is in the pipeline.
The latest audit extension is "submitqc.tcz", updated 2016/03/17 for all x86 and x86_64 repos; the older versions (submitqc5.tcz, submitqc6.tcz and submitqc7.tcz) should not even be in the repos...
Title: Re: Security concerns
Post by: Juanito on June 02, 2017, 08:51:01 AM
submitqc5, submitqc6 and submitqc7 removed from 6.x/7.x/8.x x86 and x86_64 repos
Title: Re: Security concerns
Post by: coreplayer2 on June 02, 2017, 10:00:17 AM
Cool, gracias :)
Title: Re: Security concerns
Post by: JustinCB on June 06, 2017, 09:50:31 AM
submitqc5, submitqc6 and submitqc7 removed from 6.x/7.x/8.x x86 and x86_64 repos
And submitqc8 posted to the 8.x repo. Is submitqc6 still in the 6.x repo, submitqc7 still in the 7.x repo, or have they all been removed from all the repos?
Title: Re: Security concerns
Post by: Juanito on June 06, 2017, 10:26:45 AM
I'd understood that submitqc would work in all of the recent repos so I removed all of the submitqcx extensions - submitqc8 was not there at the time.
Title: Re: Security concerns
Post by: JustinCB on June 06, 2017, 10:37:52 AM
submitqcx.tcz is lighter than submitqc.tcz, but has much (but not all) of the same functionality. This is why I believe that it is still useful (but, of course, outdated versions not for the current release need not be in the repository [as long as submitqcx.tcz for the current release exists]).
Title: Re: Security concerns
Post by: coreplayer2 on June 06, 2017, 01:41:22 PM
Some history here...

The older versions have errors or are broken to some degree or other. They are not suitable for all TC versions and, compared to the current version "submitqc", are missing some key features needed to create consistent extensions ready for submission.

Also, in the past we made some errors with the naming of each extension version. As per the original audit instructions http://forum.tinycorelinux.net/index.php/topic,330.msg1999.html#msg1999 it's advised to submit extensions without the version appended to the name; that's a rule we broke in the past, but it was fixed by the current "submitqc" extension maintainer.

While we have attempted to fix many of these errors as they developed along the way, it is dentonlt (the current extension maintainer AFAIK) who reconstructed submitqc into a reliable cross-version audit extension which produces consistent results. For this he deserves all the credit.

Since we were responsible for putting temporary band-aids on some of the older submitqc versions, with the new submitqc version in place I'm quite confident the community will be better served with these older versions removed completely from all repos.
Besides, the older versions did not fit the naming convention (except perhaps the original by Jason).

I was not aware "dentonlt" had submitted an updated "submitqc" extension? If he had, I'd be surprised if "submitqc8" would've been used as its name.

The only currently functioning version which works consistently across TC x86, x86_64 and armv7 versions is "submitqc".
Title: Re: Security concerns
Post by: Juanito on June 07, 2017, 01:24:58 AM
Whilst it's great to receive user submitted extensions, there's a risk of causing confusion with the submitqc extensions - thus submitqc5, submitqc6, submitqc7 and submitqc8 removed in favour of only maintaining and working with submitqc.

All suggestions for improvements will no doubt be gratefully received.