[HOWTO] Install Debian packages with hardened toolchain [message #48] Sat, 24 December 2011 01:35
Posted by iadnah (Administrator)

Intro
This is the basic gist of how to install Debian packages (should also work on recent versions of Ubuntu) using the hardened toolchain.

Why use it?
Binaries built with the hardened toolchain have compiler and linker protections switched on that the stock Debian build of the same package may lack: a stack protector (-fstack-protector), FORTIFY_SOURCE checks on common libc calls, format-string warnings (-Wformat-security), a position-independent executable (PIE) so that ASLR also randomises the program's own code, and read-only, immediately bound relocations (RELRO and BIND_NOW). None of these removes a bug. What they do is make memory-corruption bugs (buffer overflows, stale pointers, format-string abuse) harder to turn into reliable code execution, which is why they can sometimes blunt an exploit for a vulnerability that nobody has published yet ("0day").

When to use it
It's not a bad idea to install sensitive software packages this way: IRC clients (irssi, xchat), DNS servers (bind9), OpenSSH, etc. The general rule is to use it for any program that parses input arriving from the network or from untrusted files, because that is where an attacker can reach a memory-corruption bug.

When not to use it
Some programs will fail to compile, crash, or behave abnormally when built with the hardened toolchain; code with hand-written assembly or that assumes a fixed load address is a typical casualty of PIE. Test a piece of software installed this way before relying on it to work like you're used to. Generally speaking, if the program compiles and installs without errors you should be fine, but there are exceptions, and a clean build is not proof that the protections took. Confirm that with hardening-check (shipped in hardening-includes) on the installed binary, e.g. hardening-check /usr/bin/irssi, which prints a yes/no line for PIE, stack protector, fortify, RELRO and immediate binding.

Getting started: You have to install this stuff first
Before you can install packages with hardening enabled you need the Debian hardening-wrapper and hardening-includes packages, the usual packages for compiling software, and deb-src lines in /etc/apt/sources.list for the release you are running (without them apt-get source finds nothing).

Install hardening-wrapper and hardening-includes
sudo apt-get install hardening-wrapper hardening-includes

Install packages necessary for compiling
sudo apt-get install build-essential fakeroot dpkg-dev


Overview: Building a Debian package from source (long way)
mkdir build
cd build
apt-get source package_name_here
sudo apt-get build-dep package_name_here
cd package_source_directory
export DEB_BUILD_HARDENING=1
dpkg-buildpackage -rfakeroot -b

The above outline downloads the source files used to build the normal Debian package (the .dsc, the upstream tarball and the Debian diff). They are saved in the build directory and unpacked into a subdirectory named after the source package and upstream version, e.g. irssi-0.8.15 (see the irssi example below); apt-get source is deliberately run without sudo so the files belong to you. With DEB_BUILD_HARDENING=1 in the environment the wrapper adds the hardening flags to every gcc and ld invocation made by the build. If you do not want dpkg-buildpackage to attempt to sign the result, add -uc -us to its options. Assuming your package compiles correctly you'll have one or more ".deb" files in build/ named after your package. You can install these with dpkg -i whatever.deb.

Installing (and keeping) your hardened packages
Once you have successfully compiled your package you will find one or more ".deb" files in build/. These are ordinary Debian packages: you should be able to copy them to any machine of the same architecture and Debian release and install them with dpkg from the command line, or with one of several graphical programs that handle .deb files.

Installing from the command line works like this:
sudo dpkg -i whatever.deb


Multiple .deb files
You will often end up with more than one .deb after building a package this way. You should see a package named something like packagename_version_amd64.deb (the amd64 part depends on your architecture), and you will sometimes also see one named like packagename-dev_version_amd64.deb. Packages with "-dev" in the name contain headers and link-time files you only need when writing software which links against or interfaces with the main package. You don't usually need to install these, and shouldn't unless you actually need them.

Sometimes (as with bind9) you will end up with a bunch of .deb files whose names have nothing to do with the package you asked for. One source package can build several binary packages, and the ones you did not ask for are usually libraries the main package depends on, so you need to install them too. You'll know this is the case if you install the .deb you wanted and dpkg complains about missing dependencies. The easy way is to hand all the related .deb files to a single dpkg -i invocation (e.g. sudo dpkg -i bind9_*.deb libbind9-*.deb libdns*.deb ...), so dpkg can work out the installation order itself instead of failing on the first unmet dependency.

Preventing apt from "upgrading" your hardened packages
If you install a package using this method the apt system can (and will) try to replace it the next time you do an upgrade. It will replace it with the stock Debian (or Ubuntu, whatever...) package, which will negate all your hard work.

You can prevent this by marking the package as "held" (you must be root):
sudo su
echo "package-name hold" | dpkg --set-selections

Example:
sudo su
echo "irssi hold" | dpkg --set-selections


Once a package has been marked "held" the apt system will not automatically replace or upgrade it. When you install updates you will instead see it listed among the packages that have been "held back", together with the version apt would have installed. Treat that list as a reminder: a held package no longer receives Debian security updates automatically, so you have to watch for them yourself and then upgrade by hand, by removing the hold and repeating the build/install steps, which grab and build the latest sources. Afterwards, check with dpkg --get-selections | grep hold that the package is still held.

You can remove the hold on a package like this:
sudo su
echo "package-name install" | dpkg --set-selections

Example:
sudo su
echo "irssi install" | dpkg --set-selections

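The build, verify, install and hold steps above, wrapped into shell functions so they can be repeated for any package. This is an added example and not code from the original post; the function and variable names are mine. It assumes the packages from "Getting started" are installed (hardening-check comes from hardening-includes), that file(1) is available, that deb-src lines exist in sources.list, and that the user can sudo. Unlike the bare outline, it checks the binaries inside each .deb with hardening-check before anything is installed, installs all the related .debs in one dpkg run, and skips -dev and -dbg packages.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a Debian package with the
# hardening toolchain, verifies the protections with hardening-check, installs
# it and marks it held. Assumes hardening-wrapper, hardening-includes,
# build-essential, fakeroot, dpkg-dev and file are installed and sudo works.
set -eu

# Read a hardening-check report on stdin (a "path:" line followed by one
# indented "Protection: value" line per check) and succeed only if no check
# reports "no". Values such as "unknown, no protectable libc functions used"
# are tolerated; an empty or unrecognised report fails.
hardening_ok() {
    awk '
        /^ / {
            seen++
            sub(/^[^:]*: */, "")
            if ($0 ~ /^no/) bad++
        }
        END { if (seen == 0 || bad > 0) exit 1; exit 0 }
    '
}

# Fetch the source for package $1, build it with DEB_BUILD_HARDENING=1 and
# print the absolute paths of the resulting .deb files. -uc -us skips signing,
# which is pointless for a local rebuild.
build_hardened() {
    mkdir -p build && cd build
    apt-get source "$1"
    sudo apt-get build-dep -y "$1"
    # apt-get source unpacks into <source>-<upstream-version>/; in a fresh
    # build/ directory that is the only subdirectory present.
    srcdir=$(find . -mindepth 1 -maxdepth 1 -type d | head -n 1)
    (cd "$srcdir" && DEB_BUILD_HARDENING=1 dpkg-buildpackage -rfakeroot -b -uc -us)
    ls "$PWD"/*.deb
}

# Extract .deb $1 to a scratch directory, run hardening-check over every ELF
# file in it and list the ones missing a protection. Returns 1 if any do.
check_deb_binaries() {
    tmp=$(mktemp -d)
    dpkg-deb -x "$1" "$tmp"
    bad=$(find "$tmp" -type f | while IFS= read -r f; do
        file -b "$f" | grep -q '^ELF' || continue
        hardening-check "$f" | hardening_ok || echo "${f#$tmp}"
    done)
    rm -rf "$tmp"
    if [ -n "$bad" ]; then
        printf '%s: not fully hardened:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# Hold/unhold with the same dpkg --set-selections calls as the HOWTO;
# list_held shows which packages you are responsible for updating by hand.
hold_package()   { echo "$1 hold" | sudo dpkg --set-selections; }
unhold_package() { echo "$1 install" | sudo dpkg --set-selections; }
list_held()      { dpkg --get-selections | awk '$2 == "hold" { print $1 }'; }

# Whole procedure for one package: build, verify every .deb (excluding -dev
# and -dbg), install them in a single dpkg run so dpkg orders inter-dependent
# packages itself, then hold each installed package.
build_install_hold() {
    debs=$(build_hardened "$1" | grep -v -e '-dev_' -e '-dbg_')
    for deb in $debs; do check_deb_binaries "$deb"; done
    sudo dpkg -i $debs
    for deb in $debs; do hold_package "$(dpkg-deb -f "$deb" Package)"; done
}

# Usage: sh hardened-build.sh irssi [more packages...]
if [ $# -gt 0 ]; then
    for p in "$@"; do build_install_hold "$p"; done
    list_held
fi
```

The hardening_ok check fails closed: a report with no protection lines at all (for instance hardening-check choking on a non-ELF file) counts as a failure rather than a pass, so a package is only installed when every ELF file it ships checked out.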

Example: irssi
This is an example of the commands you would run to build and install the IRC client irssi using the hardened toolchain.
mkdir build
cd build
apt-get source irssi
sudo apt-get build-dep irssi

Now, I run ls -l to see what files it downloaded:
iadnah@bastion:~/build$ ls -l
total 1300
drwxr-xr-x 7 iadnah iadnah    4096 Dec 23 19:17 irssi-0.8.15
-rw-r--r-- 1 iadnah iadnah   16029 Dec 17  2010 irssi_0.8.15-2.diff.gz
-rw-r--r-- 1 iadnah iadnah    1476 Dec 17  2010 irssi_0.8.15-2.dsc
-rw-r--r-- 1 iadnah iadnah 1298691 Apr  5  2010 irssi_0.8.15.orig.tar.gz


Now, I change into the source directory and build:
cd irssi-0.8.15/
export DEB_BUILD_HARDENING=1
dpkg-buildpackage -rfakeroot -b

Once that command completes (if you're not familiar with compiling software it can take a surprisingly long time) I look in my build/ directory:
cd ..
ls -l

and this is what I have now:
iadnah@bastion:~/build/irssi-0.8.15$ ls -l ../
total 2796
drwxr-xr-x 8 iadnah iadnah    4096 Dec 23 19:26 irssi-0.8.15
-rw-r--r-- 1 iadnah iadnah    1146 Dec 23 19:26 irssi_0.8.15-2_amd64.changes
-rw-r--r-- 1 iadnah iadnah 1216896 Dec 23 19:26 irssi_0.8.15-2_amd64.deb
-rw-r--r-- 1 iadnah iadnah   16029 Dec 17  2010 irssi_0.8.15-2.diff.gz
-rw-r--r-- 1 iadnah iadnah    1476 Dec 17  2010 irssi_0.8.15-2.dsc
-rw-r--r-- 1 iadnah iadnah 1298691 Apr  5  2010 irssi_0.8.15.orig.tar.gz
-rw-r--r-- 1 iadnah iadnah  294958 Dec 23 19:26 irssi-dev_0.8.15-2_amd64.deb


I don't need the development files for irssi, so I just do this:
sudo dpkg -i irssi_0.8.15-2_amd64.deb


After I am done installing I make a copy of the deb package and then clean out the build directory:
cp irssi_0.8.15-2_amd64.deb /home/iadnah/debian_packages/
rm -Rf ~/build/


Reference Links