WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: To make Tiny Core Linux a superfortress of security...  (Read 35978 times)

Offline tinypoodle

  • Hero Member
  • *****
  • Posts: 3857
Re: To make Tiny Core Linux a superfortress of security...
« Reply #30 on: February 08, 2011, 06:45:45 AM »
Possibly graphics driver modules, depending on card.
"Software gets slower faster than hardware gets faster." Niklaus Wirth - A Plea for Lean Software (1995)

Offline lolouis

  • Newbie
  • *
  • Posts: 43
Re: To make Tiny Core Linux a superfortress of security...
« Reply #31 on: February 08, 2011, 12:40:10 PM »
You can use microcore, omit the Xvesa.gz package and use the Xorg-7.5 extension and deps instead.

Thanks for pointing it out! Will do that.

Offline lolouis

  • Newbie
  • *
  • Posts: 43
Re: To make Tiny Core Linux a superfortress of security...
« Reply #32 on: February 08, 2011, 09:43:58 PM »
OK. Following Juanito's advice, I started with a fresh installation of microcore, unpacked on hard drive and booted there (I guess "scattered" is what you call it) to which I (manually) added Xlibs and Xprogs (but not Xvesa), and later Xorg-7.5, Xorg-7.5-lib, Xorg-7.5-bin, Xorg-fonts and Xorg-7.5-xgi.

By the way, unpacked, microcore was a mere 9.5 MB. After adding the above, it has grown to over 50 MB. WOWOW! I guess that's a price the security paranoid must be prepared to pay  :o (and the reason why tinycore compromises with the much less desirable Xvesa - to remain small).

Now, with no special booting codes, the new system boots into a shell with user tc logged in. Entering 'startx' gets the following error message:

cat: can't open '/etc/sysconfig/Xserver': No such file or directory

So, I added a file named Xserver to /etc/sysconfig with "Xorg" written in it and rebooted the system.
At the end of the booting sequence the system now hangs for 10 seconds (it seems about to start the X server) but then gives the following message and boots, again, to a shell console:

hsetroot[3702]: segfault at 88 ip 08049cb4 sp bf927350 error 4 in hsetroot[8048000+4000]
tc@box:~$

Have I forgotten to add some required extension, or does anybody know what's going on here?

Offline tinypoodle

  • Hero Member
  • *****
  • Posts: 3857
Re: To make Tiny Core Linux a superfortress of security...
« Reply #33 on: February 08, 2011, 10:15:19 PM »
the reason why tinycore compromises with the much less desirable Xvesa - to remain small

compromises?
That is a matter of choice and preference, I couldn't see any compromise there at all, and e.g. for me would be one of the basic criteria in choosing a system, despite that I would admit that under many circumstances I would prefer the newer Xvesa extension and have occasionally even used Xorg, but it can make sense that whatever is smaller is chosen as default.

"the much less desirable Xvesa" according to your preferences which you make it sound like they would be shared by everyone...
"Software gets slower faster than hardware gets faster." Niklaus Wirth - A Plea for Lean Software (1995)

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 14849
Re: To make Tiny Core Linux a superfortress of security...
« Reply #34 on: February 08, 2011, 10:41:48 PM »
Have I forgotten to add some required extension, or does anybody know what's going on here?

I've never tried this in scatter mode, but - based on tc-3.4 - if you do the following in "normal" mode, things should work:

1. Xprogs.gz, Xlibs.gz in /tce
2. flwm.tcz, wbar.tcz, Xorg-7.5.tcz (and deps) in /tce/optional and set "onboot"

You can subtitute flwm/wbar with the wm of your choice.

Offline lolouis

  • Newbie
  • *
  • Posts: 43
Re: To make Tiny Core Linux a superfortress of security...
« Reply #35 on: February 08, 2011, 11:17:50 PM »
"the much less desirable Xvesa" according to your preferences which you make it sound like they would be shared by everyone...

Not my intention... I was of course expressing my own personal view, which is one that places much importance on security... Xvesa being insecure when compared to Xorg... Hence, based on my personal preference, viewing the use of the less secure Xvesa as a trade for the sake of keeping the system small. Nothing more was implied... A question of semantics, I guess.  :)

Offline lolouis

  • Newbie
  • *
  • Posts: 43
Re: To make Tiny Core Linux a superfortress of security...
« Reply #36 on: February 08, 2011, 11:23:08 PM »
Have I forgotten to add some required extension, or does anybody know what's going on here?

I've never tried this in scatter mode, but - based on tc-3.4 - if you do the following in "normal" mode, things should work:

1. Xprogs.gz, Xlibs.gz in /tce
2. flwm.tcz, wbar.tcz, Xorg-7.5.tcz (and deps) in /tce/optional and set "onboot"

You can subtitute flwm/wbar with the wm of your choice.

Scatter mode shouldn't make any difference. I didn't do the flwm.tcz and wbar.tcz....I guess that's where the problem is at. Also, it might be deps... Can you tell me what the deps for Xorg-7.5.tcz are, because I'm in a situation where I'm forced to install the files manually. Thanks for your help.  :)

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 14849
Re: To make Tiny Core Linux a superfortress of security...
« Reply #37 on: February 09, 2011, 12:17:05 AM »
As per the dep file, the basic deps are:

pixman.tcz
fontconfig.tcz [-> expat2.tcz]
openssl-0.9.8.tcz
Xorg-7.5-bin.tcz
Xorg-7.5-lib.tcz
Xorg-fonts.tcz

However, depending on your chipset, you might need more than this.
« Last Edit: February 09, 2011, 12:20:14 AM by Juanito »

Offline lolouis

  • Newbie
  • *
  • Posts: 43
Re: To make Tiny Core Linux a superfortress of security...
« Reply #38 on: February 09, 2011, 12:39:59 AM »
I went to the current download repository but the info files for both flwm.tcz and wbar.tcz show that these extensions refer to earlier versions of tiny/microcore. So what I did is I copied the equivalent files directly from tinycore-3.4.1 to microcore-3.4.1 to make sure everything would fit right.
However, upon booting up, I now get the same hsetroot error message. It must be a missing dep.
As a matter of fact, something did come up the very first time I booted microcore after installing Xorg referring to a missing libpixman-1.so.1 - and I see the same in your list of basic deps. So, I'm pretty sure that after adding these missing deps everything will be fine. I'll do that tomorrow.
I really appreciate all your help, Juanito. Thank you so much!
« Last Edit: February 09, 2011, 12:41:51 AM by lolouis »

Offline tinypoodle

  • Hero Member
  • *****
  • Posts: 3857
Re: To make Tiny Core Linux a superfortress of security...
« Reply #39 on: February 09, 2011, 06:36:25 AM »
"the much less desirable Xvesa" according to your preferences which you make it sound like they would be shared by everyone...

Not my intention... I was of course expressing my own personal view, which is one that places much importance on security... Xvesa being insecure when compared to Xorg... Hence, based on my personal preference, viewing the use of the less secure Xvesa as a trade for the sake of keeping the system small. Nothing more was implied... A question of semantics, I guess.  :)

We appear to look at things from the opposite POV:
To me it would be a tradeoff to imminently and constantly sacrifice the need of only a friction of resources and a significant permanent gain in performance (at least so without KMS which I haven't happened to use so far) for the potential theoretical security to be gained.

On a sidenote:
I would estimate the loss of security when attempting to run TC in scatter mode (in comparison to default mode) to amount to a multiple of the increase of security which could be gained by replacing Xvesa with Xorg.
"Software gets slower faster than hardware gets faster." Niklaus Wirth - A Plea for Lean Software (1995)

Offline lolouis

  • Newbie
  • *
  • Posts: 43
Re: To make Tiny Core Linux a superfortress of security...
« Reply #40 on: February 09, 2011, 02:51:44 PM »
I'll do that tomorrow.

@Juanito

I've added all the listed deps (including expat2.tcz) and now the system boots fast into Xwindows, gets the blue screen with TC logo...but NO ICONS and a frozen mouse pointer in the center of the screen. It stays frozen that way.
CTRL-BACKSPACE got me to a console prompt...I ran 'sudo ldconfig' (did not know what else to do) and restarted Xorg with 'startx." Same result as before.
I have, on this particular computer, an ATI Rage 128 Pro video card. I looked into /usr/local/lib/X11/modules/drivers and the ati_drv.so and r128_drv.so drivers for the card are right in there.

Possibly a configuration problem? What could this be?

Offline lolouis

  • Newbie
  • *
  • Posts: 43
Re: To make Tiny Core Linux a superfortress of security...
« Reply #41 on: February 09, 2011, 03:01:55 PM »
We appear to look at things from the opposite POV:
To me it would be a tradeoff to imminently and constantly sacrifice the need of only a friction of resources and a significant permanent gain in performance (at least so without KMS which I haven't happened to use so far) for the potential theoretical security to be gained.

Agreed, definitely....we look at the same thing from two different perspectives.

Quote
On a sidenote:
I would estimate the loss of security when attempting to run TC in scatter mode (in comparison to default mode) to amount to a multiple of the increase of security which could be gained by replacing Xvesa with Xorg.

If you had read my earlier posts in this thread, you'd have known that I currently have TCL in scatter mode only for the easiness it affords for making the needed changes until the time comes for repacking. I'd never use it online on a regular basis in scatter mode. It will be run in ram (TC's standard way) on my modern machines and let's see how things turn out to be with my 96MB-RAM laptop.... If too much to handle for the old chap, I'll run it there as a compressed filesystem (unionfs + LZMA-compressed squashfs, or perhaps aufs + LZMA-squashfs) - the way some LIVE-CD distros are run.

Don't forget that with Xvesa any malicious code that gets its way into your machine while you are online automatically acquires root privileges. With Xorg, on the other hand, you can surf online as an unprivileged user and thus limit that sort of damage.

That said, your POV is not without merit, of course. It all depends on what you do with your computer. For instance, for doing general project research on the web or engaging in light talks with your friends in chat rooms (provided nothing valuable is stored on your machine), sure, I have no problem with it at all, that's the way to go... But for more sensitive tasks, say, as online banking (and I can think of several other highly sensitive tasks), that's were the extra security that comes with Xorg really pays off. Again, it depends on what you intend to do (and do) with your computer.
« Last Edit: February 09, 2011, 03:13:02 PM by lolouis »

Offline tinypoodle

  • Hero Member
  • *****
  • Posts: 3857
Re: To make Tiny Core Linux a superfortress of security...
« Reply #42 on: February 09, 2011, 03:18:19 PM »
Ah, ok, makes much more sense to me now, though I have my doubts about easiness of a scatter mode exercise.

Isn't surfing as unprivileged user dependent on PID owner of app accessing the net, rather than on PID owner of X?

Not sure how X is related to that, as there are many apps (including browsers) which can access the net without presence of any X server.
"Software gets slower faster than hardware gets faster." Niklaus Wirth - A Plea for Lean Software (1995)

Offline lolouis

  • Newbie
  • *
  • Posts: 43
Re: To make Tiny Core Linux a superfortress of security...
« Reply #43 on: February 09, 2011, 03:49:47 PM »
Ah, ok, makes much more sense to me now, though I have my doubts about easiness of a scatter mode exercise.

Very easily done...at least I have much practice with this sort of thing.

Quote
Isn't surfing as unprivileged user dependent on PID owner of app accessing the net, rather than on PID owner of X?

My understanding is that if you, for instance, surf with the opera browser in Xorg as an unprivileged user and someone gets to own your account through it, the access they have to the system and the damage they can do to it is limited to what you can do as that unprivileged user. Not so with Xvesa.
Provided, of course, that you actually have the possibility of logging into the system as a solidly unprivileged user....which is the reason motivating the changes I described in one of my earlier posts.

Quote
Not sure how X is related to that, as there are many apps (including browsers) which can access the net without presence of any X server.

Of course. But here the premise is that you have installed Xwindows on your system (be it Xorg or Xvesa) to actually do stuff with it on the web. Otherwise, why would you have installed Xwindows at all? :) My only reason for having Xwindows on a minimalist OS is the possibility if affords to use a graphic browser....otherwise I could very well do without it.

My friend, it's a pleasure talking with you. My reason for being here, however, is to achieve a working install of TCL that satisfies my needs, and I don't care much for investing any further time into explaining or justifying my choices. Time is money and I got work to do...bye bye. :)
« Last Edit: February 09, 2011, 04:09:23 PM by lolouis »

Offline Juanito

  • Administrator
  • Hero Member
  • *****
  • Posts: 14849
Re: To make Tiny Core Linux a superfortress of security...
« Reply #44 on: February 09, 2011, 10:21:49 PM »
I've added all the listed deps (including expat2.tcz) and now the system boots fast into Xwindows, gets the blue screen with TC logo...but NO ICONS and a frozen mouse pointer in the center of the screen. It stays frozen that way.
CTRL-BACKSPACE got me to a console prompt...I ran 'sudo ldconfig' (did not know what else to do) and restarted Xorg with 'startx." Same result as before.
I have, on this particular computer, an ATI Rage 128 Pro video card. I looked into /usr/local/lib/X11/modules/drivers and the ati_drv.so and r128_drv.so drivers for the card are right in there.

There's a parameter /etc/sysconfig/Xserver that is used by tc to signal if Xvesa or Xorg is being used - perhaps in your scatter install this parameter was not set?

It is also possible that you need an xorg.conf to properly configure your graphics card rather than relying on the automatic configuration.
« Last Edit: February 09, 2011, 10:24:48 PM by Juanito »