WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: Security concerns  (Read 6470 times)

Offline Looper

  • Newbie
  • *
  • Posts: 47
Security concerns
« on: May 04, 2017, 05:42:24 PM »
we don't have ssh guard or CSF ( configServer Security & Firewall) or fail2ban ,...etc.
what can i do ?
« Last Edit: May 04, 2017, 05:45:11 PM by Looper »

Offline gerald_clark

  • TinyCore Moderator
  • Hero Member
  • *****
  • Posts: 4254
Re: Security concerns
« Reply #1 on: May 04, 2017, 06:07:13 PM »
You can wait, and hope someone will compile and submit them, or compile them yourself.
If you compile them, please submit them as described in the wiki.

Offline hiro

  • Hero Member
  • *****
  • Posts: 1229
Re: Security concerns
« Reply #2 on: May 05, 2017, 05:15:51 AM »
i suggest outsourcing security liabilities to a company with a good lawyer department. keeps the hopes up while the system can stay simple.

Offline rdebath

  • Newbie
  • *
  • Posts: 13
Re: Security concerns
« Reply #3 on: May 05, 2017, 10:42:34 PM »
If you compile them, please submit them as described in the wiki.
Where in the wiki?
 
--
Robert

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11704
Re: Security concerns
« Reply #4 on: May 05, 2017, 10:45:41 PM »

Offline rdebath

  • Newbie
  • *
  • Posts: 13
Re: Security concerns
« Reply #5 on: May 06, 2017, 05:57:48 AM »
That page isn't really much help.
For example, it has a pointer to an "audit  script" which doesn't run and a couple of other scripts which it says don't use.

... I was going to complain here, but really it's not a topic for a reply.
--
Robert

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 14851
Re: Security concerns
« Reply #6 on: May 06, 2017, 08:11:14 AM »
which aspect of creating an extension would you like more help with?

Offline rdebath

  • Newbie
  • *
  • Posts: 13
Re: Security concerns
« Reply #7 on: May 06, 2017, 11:50:13 AM »
Hi Juanito,

Okay, as you've responded I will paste this message here, it probably
reads a little aggressively. But rather than clean it up I'll just say
that it's a picture of how frustrating the process is. The question at
the end still applies though, have I missed anything?

Mostly my complaint is that documentation is wrong. But missing
documentation and badly scattered documentation isn't much better.

That page in the wiki is "how to compile programs" then email it to
this address.

It has little about what rules you'd like for submitted extensions.

It says nothing about how build scripts should be styled, or where to
stick them.

It does reference tcztools, a URL pointing at a rather old Half Gigabyte
project on the Google code archive but almost states you shouldn't use it.

It has a pointer to an "audit script" which doesn't run.

There is a reference to a "submitqc4" script but no indication as to
what or where it is, it's supposed to create the zsync file.

Eventually I guessed the name of the "audit script" in the repository
despite the explicit statement that it wasn't in the repository in the
linked forum messages.

The link to the "Guidelines" message seems to have two points, License,
and look in the 'News section under TC Extensions.' Neither of which is
helpful at this stage.

There's little indication what the various item in the info file
are for. Mostly that's okay, but "Tags", "Current" and probably
"Change-log" need more detail.  Even the comments section probably needs
recommendations on contents. For example, should it really be called
"Long-description" ?

I'm also unclear what "build-dep" is actually for, from the example
it seems to be "build comments". I expect it was just included because
there doesn't seem to be anywhere to put a build script. So if I have
a build script should it actually go in that file.

But currently I'm guessing it goes in the ".tcz.tgz" file with a copy
of the exact source that was used to build it.

I think I've mostly discarded the old debris in the "documentation",
but frankly I expect I've still missed something. So here's a couple of
copies of a simple build script, does it do the right thing?


Code: [Select]
#!/bin/sh -

init_app() {
    TCZNAME="easyrsa"
    BUILDDEPS=''

    COMPDIR="$(pwd)/tcz-comp/$TCZNAME"
    BUILDDIR="$COMPDIR/build"
    TREEDIR="$COMPDIR/tcztree"
    REPO="$HOME/repo"
    DIST="$HOME/dist"
    FAKEROOT=sudo
}

info_file() {
cat <<!
Title: easyrsa.tcz
Description: OpenVPN - Easy RSA scripts
Version: $VER
Author: Various
Original-site: http://openvpn.net
Copying-policy: GPL (see usr/local/share/doc/openvpn/COPYING)
Size: $TCZSIZE
Extension_by: rdebath
Tags: OpenSSL easy
Comments: Downloaded from
https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz

Change-log: 2017-05-06 Initial release replacing OpenVPN embed.
Current: 2017-05-06 Initial release replacing OpenVPN embed.
!
}

unpack_app() {
    VER=3.0.1
    DISTFILE="$DIST/EasyRSA-3.0.1.tgz"
    BUILDDIR="$COMPDIR/EasyRSA-$VER"
    [ -d "$BUILDDIR" ] || {
tar xf "$DISTFILE"
cp -p "$DISTFILE" "$COMPDIR/src"
    }
}
 
build_app() {
    PREFIX=/usr/local
    find_deps() { echo openssl.tcz ; }
}

install_app() {
    $FAKEROOT mkdir -p "$TREEDIR$PREFIX"/bin
    $FAKEROOT mkdir -p "$TREEDIR$PREFIX"/lib/easyrsa
    $FAKEROOT mkdir -p "$TREEDIR$PREFIX"/share/doc/easyrsa

    $FAKEROOT cp -rp x509-types easyrsa openssl-1.0.cnf "$TREEDIR$PREFIX"/lib/easyrsa/.

    $FAKEROOT cp -rp ChangeLog doc COPYING README.quickstart.md vars.example gpl-2.0.txt "$TREEDIR$PREFIX"/share/doc/easyrsa/.

    $FAKEROOT chown -R 0:0 "$TREEDIR$PREFIX"/lib/easyrsa "$TREEDIR$PREFIX"/share/doc/easyrsa
    $FAKEROOT chmod -R g-s "$TREEDIR$PREFIX"/lib/easyrsa "$TREEDIR$PREFIX"/share/doc/easyrsa

    $FAKEROOT dd of="$TREEDIR$PREFIX"/bin/easyrsa 2>/dev/null <<-!
#!/bin/sh
export EASYRSA="$PREFIX"/lib/easyrsa
export EASYRSA_PKI=/opt/easyrsa
mkdir -p "\$EASYRSA_PKI"
exec sh "$PREFIX/lib/easyrsa/easyrsa" "$@"
!

    $FAKEROOT chmod +x "$TREEDIR$PREFIX"/bin/easyrsa
}

################################################################################

main() {
    set -e
    init_app
    mkdir -p "$COMPDIR"/src
    cp -p "$0" "$COMPDIR"/src/.

    cd "$COMPDIR"
    load_build_dep $BUILDDEPS squashfs-tools

    cd "$COMPDIR"
    unpack_app

    cd "$BUILDDIR"
    build_app

    cd "$COMPDIR"
    $FAKEROOT rm -rf "$TREEDIR"
    $FAKEROOT mkdir -m 755 "$TREEDIR"
    $FAKEROOT chmod u-s,g-ws,o-w "$TREEDIR"
    $FAKEROOT chown 0:0 "$TREEDIR"

    cd "$BUILDDIR"
    install_app

    cd "$COMPDIR"
    $FAKEROOT mksquashfs "$TREEDIR" "$TCZNAME".tcz -noappend

    TCZSIZE=$(du -h "$TCZNAME".tcz | cut -f 1)
    info_file > "$TCZNAME".tcz.info
    [ ! -s "$TCZNAME".tcz.info ] ||
cp "$TCZNAME".tcz.info "$REPO"/"$TCZNAME".tcz.info

    mkdir -p "$REPO"
    cp "$TCZNAME".tcz "$REPO"/"$TCZNAME".tcz
    md5sum "$TCZNAME".tcz > "$REPO"/"$TCZNAME".tcz.md5.txt
    (cd "$TREEDIR" ; find . ! -type d | sed 's/^\.\//\//' | sort) > "$REPO"/"$TCZNAME".tcz.list

    {
[ "$BUILDDEPS" != "" ] && {
    echo "$BUILDDEPS" | tr ' ' '\012'
}
    } > "$REPO"/"$TCZNAME".tcz.build-dep

    DEP="$(find_deps)"
    [ -f "$REPO"/"$TCZNAME".tcz.dep ] && rm "$REPO"/"$TCZNAME".tcz.dep
    [ "$DEP" != "" ] && echo "$DEP" > "$REPO"/"$TCZNAME".tcz.dep

    (cd "$COMPDIR"/src; tar czf - *) > "$REPO"/"$TCZNAME".tcz.tgz
}

load_build_dep() {
    # Download and load build depends IF NEEDED.
    # DO NOT put in onboot.lst
    TCEI=/usr/local/tce.installed
    TCEDIR=/etc/sysconfig/tcedir

    for i
    do
ext="${i%.tcz}.tcz"

# Installed, okay.
[ ! -e "$TCEI/${ext%.tcz}" ] || continue

[ -f "$TCEDIR/optional/$ext" ] ||
    tce-load -s -w "$ext"

tce-load -s -l -i "$ext"
    done
}

find_deps() {
    ls -nl $(find "$TREEDIR" -type f -perm /100 -exec ldd {} \; 2>/dev/null |
awk '/=>/{print $3;}') |
awk '/ ->.*\/tmp\/tcloop/{print $NF;}' |
awk -F/ '{print $4 ".tcz";}' |
sort -u
}

main "$@"

Code: [Select]
#!/bin/sh -

init_app() {
    TCZNAME="openvpn"
    BUILDDEPS='compiletc bash openssl-dev lzo-dev openssl lzo squashfs-tools xz'

    COMPDIR="$(pwd)/tcz-comp/$TCZNAME"
    BUILDDIR="$COMPDIR/build"
    TREEDIR="$COMPDIR/tcztree"
    REPO="$HOME/repo"
    DIST="$HOME/dist"
    FAKEROOT=sudo
}

info_file() {
cat <<!
Title: openvpn.tcz
Description: OpenVPN - Open Source Virtual Private Network
Version: $VER
Author: Various
Original-site: http://openvpn.net
Copying-policy: GPL (see usr/local/share/doc/openvpn/COPYING)
Size: $TCZSIZE
Extension_by: rdebath
Tags: VPN connection network OpenVPN
Comments: For further information please visit
http://openvpn.net/index.php/open-source/documentation/howto.html

For client access use:
$ sudo openvpn --config /path/to/your/conf

---
Change-log: 2010/10/24 Initial version 2.1.3
2010/11/19 Resolved iproute2 dep, bump to 2.1.4
2012/03/09 Bump to 2.2.2, recompiled for TC4 against openssl-1.0.0, removed bash as needed shell
Current: 2017/05/06 Bump to 2.4.1, recompiled for TC8 against openssl-1.0.2k, easy-rsa no longer included, smartcard support too old.
!
}

unpack_app() {
    VER=2.4.1
    DISTFILE="$DIST/openvpn-$VER.tar.xz"
    BUILDDIR="$COMPDIR/openvpn-$VER"
    [ -d "$BUILDDIR" ] || {
tar xf "$DISTFILE"
cp -p "$DISTFILE" "$COMPDIR/src"
    }
}
 
build_app() {
    [ -f configure -a ! -f Makefile ] &&
./configure \
--enable-x509-alt-username \
--disable-plugin-auth-pam \
--prefix=/usr/local

    make
}

install_app() {
    $FAKEROOT make install-strip DESTDIR="$TREEDIR"

    $FAKEROOT xz "$TREEDIR"/usr/local/share/man/man8/openvpn.8
}

################################################################################

main() {
    set -e
    init_app
    mkdir -p "$COMPDIR"/src
    cp -p "$0" "$COMPDIR"/src/.

    cd "$COMPDIR"
    load_build_dep $BUILDDEPS squashfs-tools

    cd "$COMPDIR"
    unpack_app

    cd "$BUILDDIR"
    build_app

    cd "$COMPDIR"
    $FAKEROOT rm -rf "$TREEDIR"
    $FAKEROOT mkdir -m 755 "$TREEDIR"
    $FAKEROOT chmod u-s,g-ws,o-w "$TREEDIR"
    $FAKEROOT chown 0:0 "$TREEDIR"

    cd "$BUILDDIR"
    install_app

    cd "$COMPDIR"
    $FAKEROOT mksquashfs "$TREEDIR" "$TCZNAME".tcz -noappend

    TCZSIZE=$(du -h "$TCZNAME".tcz | cut -f 1)
    info_file > "$TCZNAME".tcz.info
    [ ! -s "$TCZNAME".tcz.info ] ||
cp "$TCZNAME".tcz.info "$REPO"/"$TCZNAME".tcz.info

    mkdir -p "$REPO"
    cp "$TCZNAME".tcz "$REPO"/"$TCZNAME".tcz
    md5sum "$TCZNAME".tcz > "$REPO"/"$TCZNAME".tcz.md5.txt
    (cd "$TREEDIR" ; find . ! -type d | sed 's/^\.\//\//' | sort) > "$REPO"/"$TCZNAME".tcz.list

    {
[ "$BUILDDEPS" != "" ] && {
    echo "$BUILDDEPS" | tr ' ' '\012'
}
    } > "$REPO"/"$TCZNAME".tcz.build-dep

    DEP="$(find_deps)"
    [ -f "$REPO"/"$TCZNAME".tcz.dep ] && rm "$REPO"/"$TCZNAME".tcz.dep
    [ "$DEP" != "" ] && echo "$DEP" > "$REPO"/"$TCZNAME".tcz.dep

    (cd "$COMPDIR"/src; tar czf - *) > "$REPO"/"$TCZNAME".tcz.tgz
}

load_build_dep() {
    # Download and load build depends IF NEEDED.
    # DO NOT put in onboot.lst
    TCEI=/usr/local/tce.installed
    TCEDIR=/etc/sysconfig/tcedir

    for i
    do
ext="${i%.tcz}.tcz"

# Installed, okay.
[ ! -e "$TCEI/${ext%.tcz}" ] || continue

[ -f "$TCEDIR/optional/$ext" ] ||
    tce-load -s -w "$ext"

tce-load -s -l -i "$ext"
    done
}

find_deps() {
    ls -nl $(find "$TREEDIR" -type f -perm /100 -exec ldd {} \; 2>/dev/null |
awk '/=>/{print $3;}') |
awk '/ ->.*\/tmp\/tcloop/{print $NF;}' |
awk -F/ '{print $4 ".tcz";}' |
sort -u
}

main "$@"
--
Robert

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 14851
Re: Security concerns
« Reply #8 on: May 07, 2017, 12:53:04 AM »
The wiki has been created by users for users, so if you'd like to contribute, please feel free.

I don't think anybody is saying that you have to use build scripts, just a simple configure/make/make install would be fine. There are plenty of examples of both in the src directories, for example:

http://www.tinycorelinux.net/8.x/x86_64/tcz/src/

In terms of your build scripts, I don't see where you apply the standard tinycore flags, for example:
Code: [Select]
$ CC="gcc -flto -fuse-linker-plugin -march=i486 -mtune=i686 -Os -pipe" CXX="g++ -flto -fuse-linker-plugin -march=i486 -mtune=i686 -Os -pipe -fno-exceptions -fno-rtti" ./configure --prefix=/usr/local --blah-blah

Offline coreplayer2

  • Hero Member
  • *****
  • Posts: 3020
Re: Security concerns
« Reply #9 on: May 07, 2017, 01:18:59 AM »
Hello rdebath

The "audit script"  extension is called "submitqc.tcz" and is available in tc-7 and tc-8 repo's.  I created a script to make extensions, but for consistency and before submitting I always use " submitqc.sh --fix "on all new or updated extension.

The best way to learn how to create an extension is to unsquash a few extensions from the current repo
Code: [Select]
unsquashfs -d sample_ext sample_ext.tcz and examine the contents and the directory construction closely, really it's not at all complicated and in any case you'll need to test it then run
Code: [Select]
submitqc.sh --fix on it before submitting which fixes any general errors. 



To use submitqc;
1. place your new extension in it's own empty directory and
    add a dep file if needed and
    an info file  (best to use an info file from another extension in the repo as a template), then
    (An extension and an info file are the minimum requirements, a dep file as required)
2. run this command from within the above directory
Code: [Select]
submitqc.sh --fix
Note:  download several info files and create a template for yourself  eg: http://tinycorelinux.net/8.x/x86/tcz/firefox_getLatest.tcz.info
Note: submitqc will create any missing files and or will notify you of any issues which need to be fixed manually

place your build script and source code in the directory and zip up the contents then attach to your submissions email.
« Last Edit: May 07, 2017, 01:51:44 AM by coreplayer2 »

Offline patrikg

  • Wiki Author
  • Hero Member
  • *****
  • Posts: 723
Re: Security concerns
« Reply #10 on: May 07, 2017, 04:11:37 AM »
Don't forget that:

In the http://tinycorelinux.net/7.x/x86/tcz/src/ directory there are lots of sub folders with .build files.


Offline rdebath

  • Newbie
  • *
  • Posts: 13
Re: Security concerns
« Reply #11 on: May 07, 2017, 09:06:05 AM »
@Juanito
No it doesn't say anything about build scripts (beyond a side note that they would be useful). I want build scripts because I want to be able to instantly rebuild the package against new dependencies and trivially upgrade the source when a new version arrives. OR allow a third party, eg YOU, to do it instead.

Yes, I did forget to add the CFLAGS export, thank you for spotting that.
NB: just for the record putting the options in CC is likely to fail as autoconf will often override them later in the command. Putting eg -Os where you're supposed to in the CFLAGS export tends to work.
NB. 2: Oh excellent, the wiki has the same login as the forum, so many websites don't bother to integrate the authentication.

@coreplayer2
I probably should have cleaned up that message, I did eventually find the submitqc.tcz package.  Your extension doesn't have to be in it's own directory, it's not in the help, but you can name one TCZ on the command line and it'll just do that; it has to be in the current directory for some reason though.

I did end up downloading the repository and looking at lots of the info files; they're not as consistent as I expected so that's okay then.
BTW, no point unsquashing the TCZ files, just mount them.

@patrikg
BIG SIGH, so it looks like there ARE some build scripts, just none what so ever for the current x86 versions.
Oh right, there was a paragraph about -doc and -dev parts somewhere too.
 
Okay I'm gonna download V7 too ... at this rate, I should probably download all of them, shouldn't be more than a couple of hundred gigabytes.
--
Robert

Offline mocore

  • Hero Member
  • *****
  • Posts: 667
  • ~.~
Re: Security concerns
« Reply #12 on: May 12, 2017, 06:43:56 AM »
I want build scripts because I want to be able to instantly rebuild the package against new dependencies and trivially upgrade the source when a new version arrives. OR allow a third party, eg YOU, to do it instead.
You may find the 'nix pkg mgr' intresting / usefull wrt build scripts / reproducibility!

Offline JustinCB

  • Newbie
  • *
  • Posts: 28
Re: Security concerns
« Reply #13 on: June 02, 2017, 10:43:30 AM »
The wiki page was very outdated.  I updated it as best I could.  The latest extension auditor in the repo is submitqc7.tcz and submitqc8.tcz is in the pipeline. 

Offline coreplayer2

  • Hero Member
  • *****
  • Posts: 3020
Re: Security concerns
« Reply #14 on: June 02, 2017, 11:22:25 AM »
The wiki page was very outdated.  I updated it as best I could.  The latest extension auditor in the repo is submitqc7.tcz and submitqc8.tcz is in the pipeline.
The latest audit extension is "submitqc.tcz" updated 2016/03/17  for all x86 and x86_64 repo's, the older versions (submitqc5.tcz, submitqc6.tcz and submitqc7.tcz) should not even be in the repo's...