gronod/lfs
1
0
Fork 0
mirror of https://git.linuxfromscratch.org/lfs.git synced 2025-01-31 11:21:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'trunk' of git.linuxfromscratch.org:lfs into trunk

Browse Source
This commit is contained in:
Bruce Dubbs 2022-12-01 17:41:14 -06:00
commit 38311c3ea3
4 changed files with 64 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
chapter04/creatingminlayout.xml
View File

@ -8,7 +8,7 @@
<sect1 id="ch-tools-creatingminlayout">
<?dbhtml filename="creatingminlayout.html"?>
<title>Creating a limited directory layout in LFS filesystem</title>
<title>Creating a Limited Directory Layout in the LFS Filesystem</title>
<para>In this section, we begin populating the LFS filesystem with the
pieces that will constitute the final Linux system. The first step is to
@ -39,4 +39,16 @@ esac</userinput></screen>
<screen><userinput>mkdir -pv $LFS/tools</userinput></screen>
<note>
<para>
The LFS editors have deliberately decided not to use a
<filename class="directory">/usr/lib64</filename> directory. Several
steps are taken to be sure the toolchain will not use it. If for any
reason this directory appears (either because you made an error in
following the instructions, or because you installed a binary package that
created it after finishing LFS), it may break your system.
You should always be sure this directory does not exist.
</para>
</note>
</sect1>

11
chapter07/creatingdirs.xml
View File

@ -68,6 +68,17 @@ install -dv -m 1777 /tmp /var/tmp</userinput></screen>
directories that are really necessary. However, feel free to create more
directories, if you wish. </para>
<warning>
<para>
The FHS does not mandate the existence of the directory
<filename class="directory">/usr/lib64</filename>, and the LFS editors
have decided not to use it. For the instructions in LFS and BLFS to work correctly,
it is imperative that this directory be non-existent. From time to time you should
verify that it does not exist, because it is easy to create it
inadvertently, and this will probably break your system.
</para>
</warning>
</sect2>
</sect1>

70
chapter08/gcc.xml
View File

@ -80,8 +80,8 @@ cd build</userinput></screen>
--disable-bootstrap \
--with-system-zlib</userinput></screen>
<para>Note that for other programming languages there are some prerequisites that
are not yet available. See the
<para>GCC supports seven different computer languages, but the
prerequisites for most of them have not yet been installed. See the
<ulink url="&blfs-book;general/gcc.html">BLFS Book GCC page</ulink>
for instructions on how to build all of GCC's supported languages.</para>
@ -91,8 +91,8 @@ cd build</userinput></screen>
<varlistentry>
<term><parameter>LD=ld</parameter></term>
<listitem>
<para>This parameter makes the configure script use the ld installed
by the binutils built earlier in this chapter, rather than
<para>This parameter makes the configure script use the ld program installed
by the Binutils package built earlier in this chapter, rather than
the cross-built version which would otherwise be used.</para>
</listitem>
</varlistentry>
@ -101,7 +101,7 @@ cd build</userinput></screen>
<term><parameter>--with-system-zlib</parameter></term>
<listitem>
<para>This switch tells GCC to link to the system installed copy of
the zlib library, rather than its own internal copy.</para>
the Zlib library, rather than its own internal copy.</para>
</listitem>
</varlistentry>
</variablelist>
@ -109,21 +109,21 @@ cd build</userinput></screen>
<note>
<anchor id="pie-ssp-info" xreflabel="note on PIE and SSP"/>
<para>
PIE (position-independent executable) is a technique to produce
PIE (position-independent executables) are
binary programs that can be loaded anywhere in memory. Without PIE,
the security feature named ASLR (Address Space Layout Randomization)
can be applied for the shared libraries, but not the executable
itself. Enabling PIE allows ASLR for the executables in addition to
can be applied for the shared libraries, but not for the executables
themselves. Enabling PIE allows ASLR for the executables in addition to
the shared libraries, and mitigates some attacks based on fixed
addresses of sensitive code or data in the executables.
</para>
<para>
SSP (Stack Smashing Protection) is a technique to ensure
that the parameter stack is not corrupted. Stack corruption can
for example alter the return address of a subroutine,
which would allow transferring control to some dangerous code
that the parameter stack is not corrupted. Stack corruption can,
for example, alter the return address of a subroutine,
thus transferring control to some dangerous code
(existing in the program or shared libraries, or injected by the
attacker somehow) instead of the original one.
attacker somehow).
</para>
</note>
@ -133,10 +133,10 @@ cd build</userinput></screen>
<important>
<para>In this section, the test suite for GCC is considered
important, but it takes a long time. First time builders are
encouraged to not skip it. The time to run the tests can be
reduced significantly by adding -jx to the make command below
where x is the number of cores on your system.</para>
important, but it takes a long time. First-time builders are
encouraged to run the test suite. The time to run the tests can be
reduced significantly by adding -jx to the <command>make -k check</command> command below,
where x is the number of CPU cores on your system.</para>
</important>
<para>One set of tests in the GCC test suite is known to exhaust the default
@ -149,23 +149,23 @@ cd build</userinput></screen>
<screen><userinput remap="test">chown -Rv tester .
su tester -c "PATH=$PATH make -k check"</userinput></screen>
<para>To receive a summary of the test suite results, run:</para>
<para>To extract a summary of the test suite results, run:</para>
<screen><userinput remap="test">../contrib/test_summary</userinput></screen>
<para>For only the summaries, pipe the output through
<para>To filter out only the summaries, pipe the output through
<userinput>grep -A7 Summ</userinput>.</para>
<para>Results can be compared with those located at <ulink
url="&test-results;"/> and
<ulink url="https://gcc.gnu.org/ml/gcc-testresults/"/>.</para>
<para>In gcc, eleven tests, in the i386 test suite are known to FAIL.
<para>Eleven tests in the i386 test suite for the gcc compiler are known to FAIL.
It's because the test files do not account for the
<parameter>--enable-default-pie</parameter> option.</para>
<para>In g++, four tests related to PR100400 are known to be reported
as both XPASS and FAIL. It's because the test file for this known issue
<para>Four tests related to PR100400 may be reported
as both XPASS and FAIL when testing the g++ compiler; the test file
is not well written.</para>
<para>A few unexpected failures cannot always be avoided. The GCC developers
@ -187,8 +187,8 @@ su tester -c "PATH=$PATH make -k check"</userinput></screen>
<screen><userinput remap="install">make install</userinput></screen>
<para>The GCC build directory is owned by <systemitem class="username">
tester</systemitem> now and the ownership of the installed header
directory (and its content) will be incorrect. Change the ownership to
tester</systemitem> now, and the ownership of the installed header
directory (and its content) is incorrect. Change the ownership to the
<systemitem class="username">root</systemitem> user and group:</para>
<screen><userinput remap="install">chown -v -R root:root \
@ -225,7 +225,7 @@ readelf -l a.out | grep ': /lib'</userinput></screen>
<screen><computeroutput>[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]</computeroutput></screen>
<para>Now make sure that we're setup to use the correct start files:</para>
<para>Now make sure that we're set up to use the correct start files:</para>
<screen><userinput>grep -E -o '/usr/lib.*/S?crt[1in].*succeeded' dummy.log</userinput></screen>
@ -274,7 +274,7 @@ SEARCH_DIR("/usr/local/lib")
SEARCH_DIR("/lib")
SEARCH_DIR("/usr/lib");</computeroutput></screen>
<para>A 32-bit system may see a few different directories. For example, here
<para>A 32-bit system may use a few other directories. For example, here
is the output from an i686 machine:</para>
<screen><computeroutput>SEARCH_DIR("/usr/i686-pc-linux-gnu/lib32")
@ -307,7 +307,7 @@ SEARCH_DIR("/usr/lib");</computeroutput></screen>
at all, then something is seriously wrong. Investigate and retrace the
steps to find out where the problem is and correct it. <!--The most likely
reason is that something went wrong with the specs file adjustment.--> Any
issues will need to be resolved before continuing with the process.</para>
issues should be resolved before continuing with the process.</para>
<para>Once everything is working correctly, clean up the test files:</para>
@ -374,7 +374,7 @@ mv -v /usr/lib/*gdb.py /usr/share/gdb/auto-load/usr/lib</userinput></screen>
<term><command>cpp</command></term>
<listitem>
<para>The C preprocessor; it is used by the compiler to expand the
#include, #define, and similar statements in the source files</para>
#include, #define, and similar directives in the source files</para>
<indexterm zone="ch-system-gcc cpp">
<primary sortas="b-cpp">cpp</primary>
</indexterm>
@ -407,7 +407,7 @@ mv -v /usr/lib/*gdb.py /usr/share/gdb/auto-load/usr/lib</userinput></screen>
<para>A wrapper around <command>ar</command> that adds a
plugin to the command line. This program is only used
to add "link time optimization" and is not useful with the
default build options</para>
default build options.</para>
<indexterm zone="ch-system-gcc gcc-ar">
<primary sortas="b-gcc-ar">gc-ar</primary>
</indexterm>
@ -420,7 +420,7 @@ mv -v /usr/lib/*gdb.py /usr/share/gdb/auto-load/usr/lib</userinput></screen>
<para>A wrapper around <command>nm</command> that adds a
plugin to the command line. This program is only used
to add "link time optimization" and is not useful with the
default build options</para>
default build options.</para>
<indexterm zone="ch-system-gcc gcc-nm">
<primary sortas="b-gcc-nm">gc-nm</primary>
</indexterm>
@ -433,7 +433,7 @@ mv -v /usr/lib/*gdb.py /usr/share/gdb/auto-load/usr/lib</userinput></screen>
<para>A wrapper around <command>ranlib</command> that adds a
plugin to the command line. This program is only used
to add "link time optimization" and is not useful with the
default build options</para>
default build options.</para>
<indexterm zone="ch-system-gcc gcc-ranlib">
<primary sortas="b-gcc-ranlib">gc-ranlib</primary>
</indexterm>
@ -444,7 +444,7 @@ mv -v /usr/lib/*gdb.py /usr/share/gdb/auto-load/usr/lib</userinput></screen>
<term><command>gcov</command></term>
<listitem>
<para>A coverage testing tool; it is used to analyze programs to
determine where optimizations will have the most effect</para>
determine where optimizations will have the greatest effect</para>
<indexterm zone="ch-system-gcc gcov">
<primary sortas="b-gcov">gcov</primary>
</indexterm>
@ -525,7 +525,7 @@ mv -v /usr/lib/*gdb.py /usr/share/gdb/auto-load/usr/lib</userinput></screen>
<varlistentry id="libgcov">
<term><filename class="libraryfile">libgcov</filename></term>
<listitem>
<para>This library is linked in to a program when GCC is instructed
<para>This library is linked into a program when GCC is instructed
to enable profiling</para>
<indexterm zone="ch-system-gcc libgcov">
<primary sortas="c-libgcov">libgcov</primary>
@ -567,7 +567,7 @@ mv -v /usr/lib/*gdb.py /usr/share/gdb/auto-load/usr/lib</userinput></screen>
<varlistentry id="liblto_plugin">
<term><filename class="libraryfile">liblto_plugin</filename></term>
<listitem>
<para>GCC's LTO plugin allows binutils to process object files
<para>GCC's LTO plugin allows Binutils to process object files
produced by GCC with LTO enabled</para>
<indexterm zone="ch-system-gcc liblto_plugin">
<primary sortas="c-liblto_plugin">liblto_plugin</primary>
@ -589,8 +589,8 @@ mv -v /usr/lib/*gdb.py /usr/share/gdb/auto-load/usr/lib</userinput></screen>
<term><filename class="libraryfile">libssp</filename></term>
<listitem>
<para>Contains routines supporting GCC's stack-smashing protection
functionality. Normally it's unused because glibc also provides
those routines</para>
functionality. Normally it is not used, because Glibc also provides
those routines.</para>
<indexterm zone="ch-system-gcc libssp">
<primary sortas="c-libssp">libssp</primary>
</indexterm>

7
chapter08/shadow.xml
View File

@ -62,7 +62,9 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;</userinput></s
<para id="shadow-login_defs">Instead of using the default
<emphasis>crypt</emphasis> method, use the more secure
<emphasis>SHA-512</emphasis> method of password encryption, which also
allows passwords longer than 8 characters. It is also necessary to change
allows passwords longer than 8 characters. In addition, set the number of
rounds to 500,000 instead of the default 5000, which is much too low to
prevent brute force password attacks. It is also necessary to change
the obsolete <filename class="directory">/var/spool/mail</filename> location
for user mailboxes that Shadow uses by default to the <filename
class="directory">/var/mail</filename> location used currently. And,
@ -80,6 +82,7 @@ find man -name Makefile.in -exec sed -i 's/passwd\.5 / /' {} \;</userinput></s
</note>
<screen><userinput remap="pre">sed -e 's:#ENCRYPT_METHOD DES:ENCRYPT_METHOD SHA512:' \
-e 's@#\(SHA_CRYPT_..._ROUNDS 5000\)@\100@' \
-e 's:/var/spool/mail:/var/mail:' \
-e '/PATH=/{s@/sbin:@@;s@/bin:@@}' \
-i etc/login.defs</userinput></screen>
@ -203,7 +206,7 @@ useradd -D --gid 999</userinput></screen>
next available number. Note also that if you don't have a group with
an ID equal to this number on your system, then the first time you use
<command>useradd</command> without the <parameter>-g</parameter>
parameter, an error message will be generated &mdash; <computeroutput>useradd:
parameter, an error message will be generated&mdash;<computeroutput>useradd:
unknown GID 999</computeroutput>,
even though the account has been created correctly. That is why we
created the group <systemitem class="groupname">users</systemitem>