Hi,

This is one of these passionate threads I enjoy reading because I
usually learn something interesting, and I also enjoy people being
passionate about stuff. But this time I'm a bit disappointed about the
defaults for Fedora.

I'm a developer, and I work with production-like systems (and in some
cases production systems) on my day job, so integrity of the system is
something very important to me. I was startled when I first read that
prelink touches binaries. For I'm too lazy to mount /usr as read-only
(actually too lazy to mount it read/write for each yum upgrade), I
naively expected binaries would be safe with default settings (assuming
no attack).

I've run the following commands:

$ rpm -V varnish
S.5....T. c /etc/varnish/varnish.params
$ rpm -V firefox
$ rpm -V libreoffice-core
prelink: /tmp/#prelink#.TZlaPL: Recorded 92 dependencies, now seeing -1
S.?...... /usr/lib64/libreoffice/program/gengal.bin
prelink: /tmp/#prelink#.3AZudQ: Recorded 87 dependencies, now seeing -1
S.?...... /usr/lib64/libreoffice/program/libavmedialo.so
prelink: /tmp/#prelink#.9xDUuT: Recorded 16 dependencies, now seeing -1
S.?...... /usr/lib64/libreoffice/program/libbasegfxlo.so
[...]

Obviously, I'm ok with varnish being touched, I've changed something in
the configuration. I'm also relieved that firefox's clean, because I use
it heavily on a day-to-day basis. But this is rather disturbing to see
prelink on rpm's output. Does it mean that rpm *itself* has been touched
by prelink? This sounds critical to me, how can I know that my rpmdb
hasn't been corrupted? Of course an attacker that would gain root access
to the system could probably alter the rpmdb to "hide" what changed on
the filesystem, but that's not my point.

I've removed the prelink package:

$ rpm -V libreoffice-core
S.5...... /usr/lib64/libreoffice/program/gengal.bin
S.5...... /usr/lib64/libreoffice/program/gnome-open-url.bin
S.5...... /usr/lib64/libreoffice/program/libavmedialo.so
S.5...... /usr/lib64/libreoffice/program/libbasegfxlo.so
S.5...... /usr/lib64/libreoffice/program/libcanvastoolslo.so
[...]

Now libreoffice still appears to be (differently) tainted, but rpm
doesn't output prelink stuff anymore (which isn't less scary).

Don't get me wrong, I really enjoy Fedora on my laptops (and before on
VMs) but I have a serious trust issue now:
- this is part of the distribution *by default*
- it is present and already acts at the very first boot AFAIU
- removing it doesn't restore the binaries (I didn't expect it would)
- apparently it prevents hardened builds in some cases

After three reboots, I can't tell the difference between now and before,
but to be fair I haven't really paid attention to the start time of the
system and applications such as the ones in libreoffice. In my opinion,
if there is no perceived latency, it is irrelevant.

It all started as a fun thread, with interesting opinions and arguments,
but now I have one question:

Are there other packages installed by default that would alter my
system?

Best Regards,
Dridi

PS. I'm a total security noob, I'm just aware of basic stuff

On Tue, Oct 15, 2013 at 10:35 PM, drago01 <drago01@xxxxxxxxx> wrote:
> On Tue, Oct 15, 2013 at 10:27 PM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>>
>>
>> On 15.10.2013 22:04, Florian Weimer wrote:
>>> On 10/15/2013 09:10 PM, Chris Adams wrote:
>>>> Once upon a time, Jan Kratochvil <jan.kratochvil@xxxxxxxxxx> said:
>>>>> It depends, for example in this case prelink saves 33% of time (and battery):
>>>>> i=0;time while [ $i -lt 1000 ];do /usr/bin/gnome-open --help &>/dev/null;i=$[$i+1];done
>>>>
>>>> Do you really run "gnome-open --help" 1000 times per reasonable unit of
>>>> time (or ever)? Please stop using bogus comparisons and highly
>>>> contrived tests. They do nothing to help your argument.
>>>
>>> This isn't totally invalid. I assume that some shell scripts with tight loops are the only thing that actually
>>> benefits from prelinking today. People write those, unfortunately.
>>
>> it is - they are *not* loading a lot of dynamic linked libraries
>>
>> [harry@srv-rhsoft:~]$ ldd /usr/bin/bash
>>         linux-vdso.so.1 => (0x00007fffc9764000)
>>         libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f99b21aa000)
>>         libdl.so.2 => /lib64/libdl.so.2 (0x00007f99b1fa6000)
>>         libc.so.6 => /lib64/libc.so.6 (0x00007f99b1be4000)
>>         /lib64/ld-linux-x86-64.so.2 (0x00007f99b23ee000)
>
> Yes because shell is a real programming language that does not have to
> start tons of other binaries to do useful stuff ... oh wait.
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
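The rpm -V output in the post above mixes three quite different things: a
locally edited %config file, binaries whose digest rpm could not verify at
all (the "?" in the digest column, printed while prelink's undo failed), and
binaries whose size and digest simply differ from the package. The following
script is an added example, not code from the thread or from rpm or prelink;
it parses rpm's verify lines (flag string SM5DLUGTP, an optional attribute
letter such as "c", then the path), sorts them by how much attention they
deserve from an integrity point of view, and sets aside the interleaved
"prelink:" messages. The sample input is constructed to mirror the output
quoted in the post; the /usr/share/doc and /usr/bin/example-tool entries are
made up to exercise the other code paths.

```python
"""Triage `rpm -V` output: expected local edits vs. changes worth a look.

Added example (not from the thread, rpm or prelink). Flag columns follow
rpm's verify string order SM5DLUGTP; '.' means the test passed and '?'
means rpm could not perform the test at all.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

FLAG_NAMES = ("size", "mode", "digest", "device", "link",
              "user", "group", "mtime", "capabilities")
ATTR_NAMES = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}

VERIFY_RE = re.compile(r"^([SM5DLUGTP.?]{9})\s+(?:([cdglr])\s+)?(/\S.*)$")
MISSING_RE = re.compile(r"^missing\s+(?:([cdglr])\s+)?(/\S.*)$")


@dataclass
class Finding:
    path: str
    severity: str                      # "info", "review" or "alert"
    reason: str
    attr: str = ""                     # "config", "doc", ... or "" for a plain file
    changed: Tuple[str, ...] = ()      # verify tests that failed
    unverified: Tuple[str, ...] = ()   # verify tests rpm could not run ("?")


def classify(flags: str, attr: str, path: str) -> Finding:
    """Turn one verify string into a Finding with a severity."""
    changed = tuple(n for ch, n in zip(flags, FLAG_NAMES) if ch not in ".?")
    unverified = tuple(n for ch, n in zip(flags, FLAG_NAMES) if ch == "?")
    if unverified:
        # rpm could not even run the test (in the thread: prelinked binaries
        # whose prelink undo failed). Nothing can be concluded, so treat it
        # as the worst case until the file is checked by other means.
        return Finding(path, "alert", "rpm could not verify: " + ", ".join(unverified),
                       attr, changed, unverified)
    if attr == "config":
        # A locally edited %config file is the normal case, as with varnish.params.
        return Finding(path, "info", "local configuration edit", attr, changed)
    if "digest" in changed:
        return Finding(path, "alert", "file content differs from the package", attr, changed)
    if set(changed) <= {"mtime"}:
        return Finding(path, "info", "timestamp only", attr, changed)
    return Finding(path, "review", "metadata differs: " + ", ".join(changed), attr, changed)


def parse_verify_output(text: str) -> Tuple[List[Finding], List[str]]:
    """Parse rpm -V output; return findings and the prelink messages seen."""
    findings, prelink_msgs = [], []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("prelink:"):
            prelink_msgs.append(line)          # prelink's own stderr, not a verify line
            continue
        m = MISSING_RE.match(line)
        if m:
            attr = ATTR_NAMES.get(m.group(1) or "", "")
            findings.append(Finding(m.group(2), "alert", "file is missing", attr))
            continue
        m = VERIFY_RE.match(line)
        if m:
            flags, attr_ch, path = m.groups()
            findings.append(classify(flags, ATTR_NAMES.get(attr_ch or "", ""), path))
    return findings, prelink_msgs


def summarize(findings: List[Finding]) -> dict:
    """Group paths by severity so the alerts can be read first."""
    report = {"alert": [], "review": [], "info": []}
    for f in findings:
        report[f.severity].append(f.path)
    return report


# Constructed sample modelled on the rpm -V output quoted in the post.
SAMPLE = """\
S.5....T.  c /etc/varnish/varnish.params
prelink: /tmp/#prelink#.TZlaPL: Recorded 92 dependencies, now seeing -1
S.?......    /usr/lib64/libreoffice/program/gengal.bin
S.5......    /usr/lib64/libreoffice/program/libavmedialo.so
.......T.  d /usr/share/doc/example-pkg/README
missing     /usr/bin/example-tool
"""

if __name__ == "__main__":
    found, msgs = parse_verify_output(SAMPLE)
    for f in found:
        print(f"{f.severity:6} {f.path}  ({f.reason})")
    print(f"{len(msgs)} prelink message(s) interleaved in the output")
```

On a real system feed it `rpm -Va 2>&1` (stderr included, so the prelink
lines are captured). The "?" case is the one to read carefully: it is not
evidence of tampering, but it means rpm's digest check gave no answer for
that file, so the package's own digest offers no assurance there.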