Tiny Core Linux
Tiny Core Base => TCB Talk => Topic started by: Roberto A. Foglietta on August 10, 2021, 08:13:16 PM
-
Hi all,
I suggest the following modification to the core:
- replace fdisk from busybox with the real fdisk because it is more script-friendly and more informative
- add base64 to busybox as an applet because it is useful for embedding binary data in scripts
Thank you,
-R
-
Sorry, neither change is useful for the base. No base script embeds binary data, and they work with the busybox fdisk options.
-
Dear Curaga,
your user base might be larger than you think: it also includes those interested in using TC for embedded systems, for example.
I assume that they are a small fraction of users, but for sure they could contribute more than the average desktop user.
I suggest using this patch for the busybox nosuid config; it adds only 4 kB in size.
original version:
600600 bytes (601 kB, 587 KiB)
suggested version:
604696 bytes (605 kB, 591 KiB)
Thank you,
-R
-
I understand your concern, however keeping TC small is one of its main points. One man's feature is another's bloat.
CONFIG_FEATURE_CMDLINE_MODULE_OPTIONS=y looks fine, but not sure about the others. In particular linking bash to ash is just going to break users' scripts.
-
Dear Curaga,
4 kB is very small bloat, but I see your point: 4 kB today, 4 kB tomorrow, etc. However, it remains a small size to add.
base64 is included in a 2 MB tce and it is the only reasonable way to embed binary data into scripts / text.
Other features increase compatibility also for desktop users, and this is a good thing.
About linking bash to ash: at the moment, if bash is not installed, scripts based on bash will simply fail.
Obviously, it might be better that they fail immediately rather than seem to work. I can understand the point.
Do whatever you think sane, please.
Thank you,
-R
-
Hi Roberto A. Foglietta
... base64 is included in a 2 MB tce and it is the only reasonable way to embed binary data into scripts / text. ...
True, but you can separate base64 into its own extension. Base64 is 30k and compresses down to 16k in an extension:
tc@E310:~/sq$ ls -l base64/usr/local/bin/base64
-rwxr-xr-x 1 tc staff 30316 Aug 11 13:26 base64/usr/local/bin/base64
tc@E310:~/sq$ ls -l
total 20
drwxr-sr-x 3 tc staff 4096 Aug 11 13:29 base64/
-rw-r--r-- 1 tc staff 16384 Aug 11 13:30 base64.tcz
tc@E310:~/sq$
-
Hi Rich, is there an easy way to create a tcz inside TC? Thank you, R.
EDIT: using mksquashfs with tce-load -wi squashfs-tools.tcz
EDIT2: however, the latest version of TinyCore Editor (suite) [1] allows me to quickly modify the source code and the config of busybox, including adding patches, and deploy the latest version. Moreover, it lets me include the compiled busybox in the rootfs.gz/core.gz with a single command.
NOTE: if you want to add "Provide compatible behavior for rare corner cases", which is useful for desktop, then base64 and nproc do not add extra size but stay within that 4 KB. A free run, with a useful extension.
[1] https://github.com/robang74/tinycore-editor
-
Hi Roberto A. Foglietta
Hi Rich, is there an easy way to create a tcz inside TC? ...
Yes there is.
First create a work directory containing the subdirectories you need, for example:
mkdir -p package/usr/local/bin
mkdir -p package/usr/local/share/applications
mkdir -p package/usr/local/share/pixmaps
Populate those directories with the files you need. Then pack it up:
mksquashfs package MyExtension.tcz
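As an added example, not code from the thread or from Tiny Core's own tooling: the mkdir/mksquashfs steps above wrapped in a POSIX shell script that refuses to pack a tree containing setuid/setgid or world-writable files (a stray permission bit in a .tcz lands on every machine that loads it), and then writes the NAME.tcz.md5.txt and NAME.tcz.list side files the Tiny Core repository uses. The function names, the audit itself and the side-file layout are this example's assumptions; mksquashfs is the one from squashfs-tools.tcz.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a .tcz from a package tree,
# auditing permissions first. Function names and side files are assumptions.

# List regular files in DIR that are setuid, setgid or world-writable.
# Returns 0 when the tree is clean, 1 (and prints the offenders) otherwise.
audit_tree() {
    dir=$1
    bad=$(find "$dir" -type f \( -perm -4000 -o -perm -2000 -o -perm -0002 \))
    if [ -n "$bad" ]; then
        printf 'refusing to pack %s, suspicious permissions on:\n%s\n' "$dir" "$bad" >&2
        return 1
    fi
    return 0
}

# Pack DIR into NAME.tcz (needs mksquashfs from squashfs-tools.tcz) and
# write NAME.tcz.md5.txt and NAME.tcz.list next to it. Prints the image path.
build_tcz() {
    dir=$1
    name=$2
    out=$name.tcz
    audit_tree "$dir" || return 1
    # -noappend: always build a fresh image instead of appending to an old one.
    mksquashfs "$dir" "$out" -noappend >/dev/null || return 1
    md5sum "$out" > "$out.md5.txt"
    # Paths in .tcz.list are relative to /, without a leading slash (assumed).
    (cd "$dir" && find . -type f | sed 's|^\./||' | sort) > "$out.list"
    printf '%s\n' "$out"
}

# Usage: sh build_tcz.sh package MyExtension
if [ $# -eq 2 ]; then
    build_tcz "$1" "$2"
fi
```

Run it from the directory that holds the package tree; it prints the image name on success and refuses with a list of offending files otherwise.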
-
Why not use the following options in busybox? They can replace the busybox.suid approach.
(yes) Drop SUID state for most applets
(yes) Enable SUID configuration via /etc/busybox.conf (NEW)
(no) Suppress warning message if /etc/busybox.conf is not readable (NEW)
Used in combination with this /etc/busybox.conf [1], and obviously with a setuid busybox, it will reduce size and simplify things: just one compilation and one binary instead of two.
original version:
600600 bytes (601 kB, 587 KiB) nosuid
75720 bytes (76 kB, 74 KiB) suid
suggested version:
604696 bytes (605 kB, 591 KiB) nosuid
75720 bytes (76 kB, 74 KiB) suid
suggested version but single file
637464 bytes (637 kB, 623 KiB) single
In attachment the configuration file for a single file busybox.
As you can see, my original version is 40 kB larger than yours (540 kB) because I use -O2 for compilation.
I would like a suggestion on how to use -Os, because I tried adding it to CFLAGS but it is ignored.
[1] http://lists.busybox.net/pipermail/busybox/2004-May/045643.html
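As an added example, not part of the thread and not busybox's own code: a POSIX shell audit of /etc/busybox.conf for the single-binary setup. The ownership and mode rules it enforces (regular file, owned by root, not group- or world-writable) are, to my knowledge, the ones busybox itself applies before honouring the file, otherwise silently falling back to its compiled-in defaults; that behaviour and the [SUID] section syntax (`applet = [Ssx-][Ssx-][x-] user.group`) are taken from busybox's documentation rather than from this thread. The function names and the sample file are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or busybox). Checks whether a
# busybox.conf would be trusted and lists which applets it makes privileged.
# The trust rules mirror busybox's own checks as far as I know (assumption).

# Octal MODE (as printed by stat %a) must have no group or other write bit.
conf_mode_ok() {
    m=$1
    m=${m#"${m%???}"}          # keep the last three octal digits (user/group/other)
    case $m in
        ?[2367]?|??[2367]) return 1 ;;   # write bit set for group or other
    esac
    return 0
}

# Accept FILE only if it is a regular file owned by uid 0 and not writable
# by group or others. Prints the reason and returns 1 otherwise.
conf_file_trusted() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    set -- $(stat -c '%u %a' "$f")
    uid=$1
    mode=$2
    [ "$uid" = 0 ] || { echo "$f: owned by uid $uid, not root" >&2; return 1; }
    conf_mode_ok "$mode" || { echo "$f: mode $mode is group/world writable" >&2; return 1; }
    return 0
}

# Print "applet mode user.group" for each [SUID] entry that grants setuid or
# setgid (an 's' or 'S' in the first two mode columns). Comments are skipped.
conf_privileged_applets() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^\[/ { insuid = ($0 ~ /^\[SUID\]/); next }
        insuid {
            n = split($0, kv, "=")
            if (n < 2) next
            gsub(/[ \t]/, "", kv[1])
            split(kv[2], f, " ")
            mode = f[1]; owner = f[2]
            if (substr(mode, 1, 1) ~ /[sS]/ || substr(mode, 2, 1) ~ /[sS]/)
                print kv[1], mode, owner
        }' "$1"
}

# Constructed sample in the busybox.conf syntax, for trying the functions out.
write_sample_conf() {
    cat > "$1" <<'EOF'
[SUID]
# applet = [Ssx-][Ssx-][x-] user.group
su = ssx root.root
passwd = ssx root.root
mount = ssx root.root
ls = x-x root.root
EOF
}

# Usage: sh audit_busybox_conf.sh /etc/busybox.conf
if [ $# -eq 1 ]; then
    conf_file_trusted "$1" && conf_privileged_applets "$1"
fi
```

Note that, on the trust rules assumed here, a conf file that has been chmod'ed writable is not a privilege escalation by itself: busybox ignores it and drops privileges for everything. The real exposure is a root-owned, correctly-moded file whose contents have been changed, which is why the applet list is worth printing and comparing against what you expect.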
-
This is /etc/busybox.conf for the change suggested above
-
If you adopt the single busybox file solution like I did in my suite, then
etc/init.d/busybox-aliases
etc/init.d/tc-config
should be purged of busybox.suid.
Probably etc/init.d/busybox-aliases becomes useless and might be removed.
Moreover, with this you will save 14 kB:
roberto@vm-ubuntu18:~/tinycore-editor/tinycore$ advdef -z3 modules.gz
8106613 8092402 99% modules.gz
8106613 8092402 99%
roberto@vm-ubuntu18:~/tinycore-editor/tinycore$ echo $[8106613-8092402]
14211
-
Hi Roberto A. Foglietta
... I wish to receive a suggestion to use -Os because I tried to add to CFLAGS but it is ignored. ...
Look at the compile notes:
http://tinycorelinux.net/12.x/x86/release/src/busybox/compile_busybox
It uses CC and CXX instead of CFLAGS and CXXFLAGS.
-
@curaga, @rich
Letting busybox link /bin/bash to ash breaks bash.tcz; it should not be allowed.
In attachment the new proposed configuration for a single file busybox.
-
@Rich
I did it before and it did not work with CC and CXX either.
I did it again, and it does not work. Both 1.33.0 and 1.33.1.
-
@Rich
I did it before and it did not work with CC and CXX either.
I did it again, and it does not work. Both 1.33.0 and 1.33.1.
I compile under Ubuntu; probably this is the main reason for the size difference: library linking.
Changing the compile options, I reach 1.1 MiB in size.
So I think 624 KiB is the minimum on Ubuntu.
-
Hi Roberto A. Foglietta
I did it before and it did not work either with CC and CXX. ...
I did a little poking around in the tarball.
Try this:
make menuconfig
Hit Enter on the Settings menu entry.
Scroll down to Additional CFLAGS and hit Enter.
Type in the additional flags you want and hit Enter.
Proceed with your normal build and see if it took the extra flags.
-
The SUID separation is a security matter. If an adversary manages to write to that conf file, or the conf file logic is buggy -> havoc.
It also avoids a bug, which I do not remember the details of. You will have to search the forum if you want to know more about that.
-
@curaga
Security? We are speaking about a system that by default allows sudo -s without a password! ;)
About bugs, I did not find anything searching the forum for "SUID separation" or "busybox.conf".
Possibly, it might be the right time to rethink it?
-
You are correct that we have sudo, but having sudo as a known decision does not mean other things need to be left open.
No, the bug was serious, breaking many scripts.
-
No, the bug was serious, breaking many scripts.
The TinyCore Editor produces a single-file busybox; I will test it. You might give it a try, also.
-
Hi Roberto A. Foglietta
... I wish to receive a suggestion to use -Os because I tried to add to CFLAGS but it is ignored. ...
Did you try adding -Os using the method I described here:
http://forum.tinycorelinux.net/index.php/topic,25191.msg160770.html#msg160770
-
Hi Roberto A. Foglietta
... I wish to receive a suggestion to use -Os because I tried to add to CFLAGS but it is ignored. ...
Did you try adding -Os using the method I described here:
http://forum.tinycorelinux.net/index.php/topic,25191.msg160770.html#msg160770
Yes, but I did not manage to get below 624 kB with my configuration (which is busybox + busybox.suid together)
http://forum.tinycorelinux.net/index.php/topic,25191.msg160768.html#msg160768
The possible explanation and results are reported in the post above.
What do you think about my patches: trap ERR + global $LINENO?
-
Hi Roberto A. Foglietta
... What do you think about my patches: trap ERR + global $LINENO?
At 14000+ lines in ash.c, that's a lot to take in. I don't fully understand everything that's going on in ash.c, so I'm not in much of a position to comment on your patches. I did notice you were fighting some recursion issues, which tends to make life more interesting. ::)
-
I did notice you were fighting some recursion issues, which tends to make life more interesting. ::)
trap function_that_can_fail ERR
As you can see, if the function called by the trap fails, the trap fires again. So recursion is not allowed.
What about a trap in a trap? It might happen: if the exit handler fails or the error handler exits, the other trap starts.
Quite an interesting job...
I have developed 5 patches that let me use the same syntax both in bash and in ash to manage errors.
No dirty tricks anymore! :-)
I hope you will apply them. Obviously, I submitted them to the busybox mailing list, also.
-
Hi Roberto A. Foglietta
... I did not manage to get below 624 kb with my configuration ...
There may be a couple of other ways to reduce size:
1. Use sstrip instead of strip.
2. Set Additional LDFLAGS in make menuconfig.
I did a small writeup on specifying which linker script the linker uses (LDFLAGS) and the impact on executable size:
http://forum.tinycorelinux.net/index.php/topic,23623.0.html
-
Hi Roberto A. Foglietta
... I did not manage to get below 624 kb with my configuration ...
There may be a couple of other ways to reduce size:
1. Use sstrip instead of strip.
2. Set Additional LDFLAGS in make menuconfig.
1. sstrip reduces the size by 3 kB: 624 kB -> 621 kB
2. I have just one linker script available on Ubuntu (for each architecture)
-
Hi Roberto A. Foglietta
You could try copying /usr/local/lib/ldscripts/elf_i386.xbn and /usr/local/lib/ldscripts/elf_x86_64.xbn from Tinycore. They are provided by binutils.tcz.
-
Hi Roberto A. Foglietta
You could try copying /usr/local/lib/ldscripts/elf_i386.xbn and /usr/local/lib/ldscripts/elf_x86_64.xbn from Tinycore. They are provided by binutils.tcz.
TinyCore Editor version 0.4.4 runs in TinyCore [1].
So, I can compile busybox directly in TC.
Suggested & patched single-file busybox: 580 KB
Much smaller than the original busybox+busybox.suid.
Thank you,
-R
[1] https://github.com/robang74/tinycore-editor/archive/refs/tags/v0.4.4.tar.gz
Choose "develop" in tinycore/tinycore.conf and follow the quick start in README.txt
-
Hi Roberto A. Foglietta
... Thank you
You are welcome. Using the other linker script shaved off 40K, very nice.
-
These settings in the busybox config
CONFIG_FEATURE_LESS_RAW=y
CONFIG_FEATURE_LESS_ENV=y
are useful to display colours when using git. The size increase is negligible.
-
These settings in the busybox config
CONFIG_FEATURE_LESS_RAW=y
CONFIG_FEATURE_LESS_ENV=y
are useful to display colours when using git. The size increase is negligible.
or add less.tcz to git dependencies. Thank you, R.
-
BB less lacks some other features I commonly use with git. However it's an optional thing, you can configure your git less options.
-
you can configure your git less options.
Or you can add less.tcz to git's dependencies; it is only 74 kB. ;)
-
That is not the TC philosophy.
-
You are correct that we have sudo, but having sudo as a known decision does not mean other things need to be left open.
No, the bug was serious, breaking many scripts.
I did an extensive search on the forum about the use of busybox.suid and I found this, for example:
http://forum.tinycorelinux.net/index.php/topic,24512.msg155587.html#msg155587
It is just an example, but it is fine for a general consideration: existing scripts might call busybox.suid, including those embedded in TCZ extensions. This makes the single busybox file not viable, at first glance. To address this problem, I have created a script named busybox.suid that redirects these calls to busybox. So the system is not aware that everything has been aggregated into one single executable.
About security: you are not going to remove sudo, IMHO. So, the single-file busybox does not add insecurity to the current configuration. Moreover, busybox is open source and its code is deeply checked. So, it can be trusted to drop suid in a safe way.
Then, the only remaining issue is about violation of /etc/busybox.conf. This file is included in rootfs.gz, so its initial permissions are safely/correctly set. This means that ownership/permissions/content will be reset at every boot. However, a user using sudo might inadvertently change the permissions/ownership, but these changes will not last, and we cannot defend the system against the users, especially if they manage it with a passwordless sudo.
So, at the end of the day, the only remaining security concern is about sudo, not busybox.
Soon, Tinycore Editor will be ready also for x86 32-bit; for now it is ready for x86 64-bit. I suggest giving it a try, loading an X server and doing some common stuff to check if any problem arises. I suggest using v0.4.9; in this way, we will have a reference point to check each other's issues of any kind.
https://github.com/robang74/tinycore-editor/archive/refs/tags/v0.4.9.tar.gz
I also suggest to use meta-packages: after the first ISO/USB image has been produced do
cd tinycore
sudo ./tczmetamerge.sh
cd ..
./make.sh iso (or image)
In this way, and since the tcz/*-meta.tcz* will be removed, the ISO/USB image produced will use meta-packages which aggregate the TCZs in four onion rings: sshonly, usbkey, develop, devtools.
Thank you,
-R