ukky Tux's lil' helper
Joined: 26 Feb 2023 Posts: 109 Location: Montreal, Canada
Posted: Tue Feb 28, 2023 7:12 pm
sys-apps/shadow also provides 'su', and this does not pull in sys-libs/pam as a dependency.
But you need to add the '-su' USE flag to sys-apps/util-linux beforehand and reinstall it before you add the 'su' USE flag for sys-apps/shadow.
Regarding D-Bus removal, the best solution I have found so far is to patch the app-accessibility/at-spi2-core sources to completely remove any reference to sys-apps/dbus files.
I have been running my main system without sys-apps/dbus for about two weeks now; it seems okay.
I also tried to completely remove the Accessibility Toolkit (ATK) from both x11-libs/gtk+:2 and x11-libs/gtk+:3, patching all header and C files that reference ATK.
Unfortunately, this approach failed. Maybe one day I will try again; maybe a less aggressive ATK removal would help.
I also installed sys-fs/static-dev instead of udev, but enabled devtmpfs in the kernel and mount devtmpfs on /dev at boot.
This way I do not have to maintain/create device nodes. For a desktop system, this is an acceptable compromise. Not having udev is important to me, but a static /dev is not.
stefan11111 l33t
Joined: 29 Jan 2023 Posts: 922 Location: Romania
Posted: Tue Feb 28, 2023 7:53 pm
ukky wrote:
sys-apps/shadow also provides 'su', and this does not pull in sys-libs/pam as a dependency.
But you need to add the '-su' USE flag to sys-apps/util-linux beforehand and reinstall it before you add the 'su' USE flag for sys-apps/shadow.
Regarding D-Bus removal, the best solution I have found so far is to patch the app-accessibility/at-spi2-core sources to completely remove any reference to sys-apps/dbus files.
I have been running my main system without sys-apps/dbus for about two weeks now; it seems okay.
I also tried to completely remove the Accessibility Toolkit (ATK) from both x11-libs/gtk+:2 and x11-libs/gtk+:3, patching all header and C files that reference ATK.
Unfortunately, this approach failed. Maybe one day I will try again; maybe a less aggressive ATK removal would help.
I also installed sys-fs/static-dev instead of udev, but enabled devtmpfs in the kernel and mount devtmpfs on /dev at boot.
This way I do not have to maintain/create device nodes. For a desktop system, this is an acceptable compromise. Not having udev is important to me, but a static /dev is not.

You don't need to manage /dev nodes too much. You just have to create them once and you are done with them. Are you using genkernel for your initramfs? If so, problems may arise from there. I just got some help about booting without an initramfs in https://forums.gentoo.org/viewtopic-t-1161826-highlight-.html.
_________________
My overlay: https://github.com/stefan11111/stefan_overlay
INSTALL_MASK="/etc/systemd /lib/systemd /usr/lib/systemd /usr/lib/modules-load.d *udev* /usr/lib/tmpfiles.d *tmpfiles* /var/lib/dbus /usr/bin/gdbus /lib/udev"
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54421 Location: 56N 3W
Posted: Tue Feb 28, 2023 8:14 pm
ukky,
With devtmpfs and no udev, the /dev nodes are created, but udev does not fix permissions, groups and ownership.
You need to do that on every boot. udev-created symlinks will be missing too.
static-dev is just that. It lives in /dev on the root filesystem and is, err ... static.
You only add nodes once in a while, so the maintenance burden is minimal.
Oh, and /dev/snd/ gets mangled from time to time. It correlates with updates, but I don't know which package does it yet.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
ukky Tux's lil' helper
Joined: 26 Feb 2023 Posts: 109 Location: Montreal, Canada
Posted: Tue Feb 28, 2023 8:19 pm
stefan11111 wrote:
You don't need to manage /dev nodes too much. You just have to create them once and you are done with them.

I totally agree with you. Actually, after removing udev, my system was running for a day or two with a static, non-mounted /dev, with devtmpfs disabled in the kernel.
Removing dbus from the system has higher value to me, so I have spent time on that rather than fine-tuning /dev nodes.
It will be easy to switch from devtmpfs to a static /dev at some point in the future.
stefan11111 wrote:
Are you using genkernel for your initramfs?

No, I use 'make menuconfig' and 'make' to build the kernel. I understand the impact of having a static /dev in an initramfs.
stefan11111 l33t
Joined: 29 Jan 2023 Posts: 922 Location: Romania
Posted: Tue Feb 28, 2023 8:31 pm
ukky wrote:
Removing dbus from the system has higher value to me, so I have spent time on that rather than fine-tuning /dev nodes.
It will be easy to switch from devtmpfs to a static /dev at some point in the future.

And have you managed to remove it? If not, what do you have problems with?
Seagoon,
Do you use something on top of alsa?
ukky Tux's lil' helper
Joined: 26 Feb 2023 Posts: 109 Location: Montreal, Canada
Posted: Tue Feb 28, 2023 8:38 pm
Hi NeddySeagoon,
I bow in your presence.
NeddySeagoon wrote:
With devtmpfs and no udev, the /dev nodes are created, but udev does not fix permissions, groups and ownership.
You need to do that on every boot. udev-created symlinks will be missing too.

Yes, I realized that the hard way upon the first reboot after udev was unmerged, devtmpfs removed, and skip_mount_dev="YES" added in /etc/conf.d/devfs.
But those issues are now fixed (mostly) in a small script created with the extension '.start' in /etc/local.d/. The script runs on every reboot, at system start.
Sound is working, the mic is working, non-root Xorg is working.
Also, kernel modules do not auto-load when udev is removed, but that is fixed via /etc/conf.d/modules.
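The per-boot fix-ups NeddySeagoon describes above (permissions, groups, ownership and the udev-created symlinks that a devtmpfs /dev lacks without udev), written as the kind of /etc/local.d '.start' script ukky mentions. This is an added example, not ukky's script and not part of the original posts. It assumes the group names Gentoo's udev rules normally use (audio, video, input), a small hypothetical rule table, sr0 -> cdrom as a stand-in for the symlinks udev would otherwise create, the file name 10-devperms.start, and a DEVPERMS_ROOT override. The script touches the real /dev only when installed under a .start name; run under any other name it just defines the functions, so it can be dry-run on a scratch directory first.

```shell
#!/bin/sh
# Hypothetical /etc/local.d/10-devperms.start: reapply the group ownership,
# modes and convenience symlinks that udev would normally set on a devtmpfs
# /dev. Added example, not from the thread. Group names (audio, video, input)
# match the usual Gentoo udev defaults; the rule table is a minimal assumption.

# "glob group mode" rules, relative to the /dev root. Assumed minimal table.
devperms_rules() {
    cat <<'EOF'
snd/*   audio 660
dri/*   video 660
input/* input 660
video*  video 660
fb*     video 660
EOF
}

# devperms_link ROOT TARGET NAME: create ROOT/NAME -> TARGET only when the
# target exists and the name is still free (udev would do the same).
devperms_link() {
    if [ -e "$1/$2" ] && [ ! -e "$1/$3" ] && [ ! -L "$1/$3" ]; then
        ln -s "$2" "$1/$3"
    fi
}

# Apply the rule table under $1 (defaults to /dev). Globs that match nothing
# and groups that do not exist are skipped, so a rule for absent hardware is
# harmless; individual failures are reported but do not abort the boot.
devperms_apply() {
    root="${1:-/dev}"
    devperms_rules | while read -r pat grp mode; do
        for node in "$root"/$pat; do
            [ -e "$node" ] || continue              # glob matched nothing
            if getent group "$grp" >/dev/null 2>&1; then
                chgrp "$grp" "$node" || printf 'devperms: chgrp %s %s failed\n' "$grp" "$node" >&2
            fi
            chmod "$mode" "$node" || printf 'devperms: chmod %s %s failed\n' "$mode" "$node" >&2
        done
    done
    # sr0 -> cdrom is an assumed example of a udev-style symlink.
    devperms_link "$root" sr0 cdrom
}

# Build a scratch /dev for a dry run (regular files stand in for device nodes)
# and print its path. Constructed sample tree, not real hardware.
devperms_scratch() {
    d=$(mktemp -d)
    mkdir -p "$d/snd" "$d/input"
    : > "$d/snd/pcmC0D0p";  chmod 600 "$d/snd/pcmC0D0p"
    : > "$d/input/event0";  chmod 600 "$d/input/event0"
    : > "$d/sr0"
    printf '%s\n' "$d"
}

# Octal mode of a path (GNU/busybox stat), used to verify a dry run.
devperms_mode() { stat -c '%a' "$1"; }

# Only act on the real /dev when installed as a local.d .start script.
case "$0" in
    *.start) devperms_apply "${DEVPERMS_ROOT:-/dev}" ;;
esac
```

To dry-run, source the file and call `devperms_apply "$(devperms_scratch)"`, then inspect the scratch tree; once the rule table matches your hardware, install it under /etc/local.d/ with the .start suffix so it runs at every boot. Note that the group check uses getent, so a rule is silently skipped on a system where that group does not exist.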
ukky Tux's lil' helper
Joined: 26 Feb 2023 Posts: 109 Location: Montreal, Canada
Posted: Tue Feb 28, 2023 8:56 pm
stefan11111 wrote:
And have you managed to remove it?

Yes, my main system is running without D-Bus now (sys-apps/dbus).
Though I have app-accessibility/at-spi2-core installed, it is heavily modified and does not need D-Bus header files to compile, nor the D-Bus library.
libatk-bridge-2.0.so.0.0.0 is installed, but it is a dummy library and has no dependency on libdbus-1.so.
Also, at-spi-bus-launcher is not installed.
stefan11111 wrote:
If not, what do you have problems with?

So far, no issues detected running the system without D-Bus.
But I had trouble de-coupling ATK and GTK. It didn't work at the first attempt. I was able to build GTK without ATK, but Firefox (which uses gtk3) doesn't start.
stracing Firefox didn't help me resolve the runtime issues. Well, maybe one day I will make a second attempt.
stefan11111 l33t
Joined: 29 Jan 2023 Posts: 922 Location: Romania
Posted: Tue Feb 28, 2023 8:58 pm
ukky wrote:
stefan11111 wrote:
And have you managed to remove it?

Yes, my main system is running without D-Bus now (sys-apps/dbus).
Though I have app-accessibility/at-spi2-core installed, it is heavily modified and does not need D-Bus header files to compile, nor the D-Bus library.
libatk-bridge-2.0.so.0.0.0 is installed, but it is a dummy library and has no dependency on libdbus-1.so.
Also, at-spi-bus-launcher is not installed.
stefan11111 wrote:
If not, what do you have problems with?

So far, no issues detected running the system without D-Bus.
But I had trouble de-coupling ATK and GTK. It didn't work at the first attempt. I was able to build GTK without ATK, but Firefox (which uses gtk3) doesn't start.
stracing Firefox didn't help me resolve the runtime issues. Well, maybe one day I will make a second attempt.

Did you publish the patch/ebuild somewhere?
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54421 Location: 56N 3W
Posted: Tue Feb 28, 2023 9:10 pm
stefan11111,
I just use alsa. It's not problem-free yet. For good sound output, with no stuttering, I need to keep the load average over 40. :)
That's nothing to do with static dev though.
Until alsa works on its own, nothing else can, as everything uses alsa at the bottom, well, except OSS.
I have dbus installed but not started. VirtualBox wants it.
I should really give up VirtualBox, but it's easier than QEMU for a quick and dirty throw-away virtual machine. For long-term KVMs it's all QEMU.
ukky Tux's lil' helper
Joined: 26 Feb 2023 Posts: 109 Location: Montreal, Canada
Posted: Tue Feb 28, 2023 9:25 pm
stefan11111 wrote:
Did you publish the patch/ebuild somewhere?

No, it is not shared yet. The patch is too big to call it a 'patch'. There are 70 files modified, plus the ebuild. The diff file is 169 KiB.
But I will share it with whoever wants to test it.
stefan11111 l33t
Joined: 29 Jan 2023 Posts: 922 Location: Romania
Posted: Tue Feb 28, 2023 9:44 pm
ukky wrote:
stefan11111 wrote:
Did you publish the patch/ebuild somewhere?

No, it is not shared yet. The patch is too big to call it a 'patch'. There are 70 files modified, plus the ebuild. The diff file is 169 KiB.
But I will share it with whoever wants to test it.

I am.
ukky Tux's lil' helper
Joined: 26 Feb 2023 Posts: 109 Location: Montreal, Canada
Posted: Tue Feb 28, 2023 9:50 pm
I have to read the forum rules on how to post attachments/links.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54421 Location: 56N 3W
Posted: Tue Feb 28, 2023 9:52 pm
ukky,
It's time to meet github or some other public repo host.
The post size limit is 64k; the post is silently truncated there.
It could go to a pastebin, but that has a limited life.
ukky Tux's lil' helper
Joined: 26 Feb 2023 Posts: 109 Location: Montreal, Canada
Posted: Tue Feb 28, 2023 10:34 pm
Here is the patch: https://fileport.io/RncUTzrnnDa6
There are two files: at-spi2-core-2.46.0.ebuild and a patch.
The patch should be placed into /etc/portage/patches/app-accessibility/at-spi2-core-2.46.0/
The ebuild is slightly modified to enable a 'dbus' USE flag. The ebuild should be placed in a local portage overlay.
With the '-dbus' USE flag for =app-accessibility/at-spi2-core-2.46.0, the package will be built with no D-Bus dependency.
colo-des Tux's lil' helper
Joined: 20 May 2011 Posts: 97
Posted: Tue Feb 28, 2023 11:12 pm
For my part, I stayed with the old sys-apps/shadow-4.11.1, which is backed up in the local tree:
Code:
my-user@pc-gentoo ~ $ eix -Ic sys-apps/shadow
[I] sys-apps/shadow (4.11.1(0/4)[1]@01/07/22): Utilities to deal with user accounts
[1] "repo_local" /usr/local/portage

The incredible thing is how quickly they changed their minds about what they have written about pam... (DANGEROUS to arbitrarily flip)
Code:
my-user@pc-gentoo ~ $ equery uses sys-apps/shadow
 - - pam : Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip

If it is DANGEROUS, "which, if true", why is it forced to use it?
In LFS, "su" is still used from shadow:
https://www.linuxfromscratch.org/lfs/view/development/chapter08/shadow.html
For those who were left without a menu in LibreOffice because they did not have dbus active, the solution is to put the following in ~/.bashrc
Code:
export SAL_USE_VCLPLUGIN="gen"

Regards.
Hu Administrator
Joined: 06 Mar 2007 Posts: 21856
Posted: Tue Feb 28, 2023 11:15 pm
That message is warning you that flipping the value arbitrarily is dangerous, because if your system is using it, and you disable PAM, you may create a significant mess. PAM itself is not inherently dangerous.
stefan11111 l33t
Joined: 29 Jan 2023 Posts: 922 Location: Romania
Posted: Wed Mar 01, 2023 12:09 am
ukky wrote:
Here is the patch: https://fileport.io/RncUTzrnnDa6
There are two files: at-spi2-core-2.46.0.ebuild and a patch.
The patch should be placed into /etc/portage/patches/app-accessibility/at-spi2-core-2.46.0/
The ebuild is slightly modified to enable a 'dbus' USE flag. The ebuild should be placed in a local portage overlay.
With the '-dbus' USE flag for =app-accessibility/at-spi2-core-2.46.0, the package will be built with no D-Bus dependency.

Thanks. It appears that you can only get firefox/librewolf to work without dbus (why does it even need it at all?) through hacks.
The patch appears to be from a git diff. Do you know from which repo?
colo-des Tux's lil' helper
Joined: 20 May 2011 Posts: 97
Posted: Wed Mar 01, 2023 12:52 am
@Hu
Precisely, it will not be the user who is going to change it... how do you protect yourself from others touching it momentarily, "until the attacker achieves what he wants", and then reverting it back to how it was? With AppArmor? SELinux? ... no thanks; this is where you don't want to solve a problem that doesn't exist by creating several more problems that you didn't have... less is more, at least from my point of view.
Regards.
Hu Administrator
Joined: 06 Mar 2007 Posts: 21856
Posted: Wed Mar 01, 2023 1:32 am
It will be the root user on the system in question who changes it. An attacker who can do that already has complete control. The warning is not about securing a system from an attacker. The warning is trying to discourage users from breaking their system so badly that they need to come here and get our help to repair it.
ukky Tux's lil' helper
Joined: 26 Feb 2023 Posts: 109 Location: Montreal, Canada
Posted: Wed Mar 01, 2023 1:34 am
stefan11111 wrote:
It appears that you can only get firefox/librewolf to work without dbus (why does it even need it at all?) through hacks.

This is partially true. Even though Firefox has its own 'dbus' USE flag, you cannot compile Firefox without dbus installed, even with the '-dbus' USE flag applied.
The reason is the /usr/lib64/pkgconfig/atk.pc file. At the configuration stage Firefox will bail out due to atk.pc requirements not being met (missing dbus package, probably /usr/lib64/pkgconfig/dbus-1.pc).
stefan11111 wrote:
The patch appears to be from a git diff. Do you know from which repo?

I created a fresh git repository locally from a clean unpacked app-accessibility/at-spi2-core-2.46.0.
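A check for the atk.pc problem ukky describes above, and for the earlier claim in this thread that the patched libatk-bridge no longer depends on D-Bus: walk the Requires / Requires.private chain of .pc files the way pkg-config does and report whether dbus-1 is reachable from atk, so the failure shows up before a Firefox build rather than at its configure step. This is an added example, not part of the original posts and not ukky's patch. The sample .pc files are constructed, simplified stand-ins (the real atk.pc, atk-bridge-2.0.pc and atspi-2.pc carry more fields and may list their requirements differently); the function names and the before/after directory layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): resolve the transitive Requires /
# Requires.private closure of a pkg-config module from the .pc files in a
# directory and ask whether a given module (e.g. dbus-1) is reachable.
# Function names are assumptions; the sample .pc files below are constructed.

# pc_deps DIR MODULE: print the direct dependencies listed in DIR/MODULE.pc,
# one per line, with version constraints (">= 1.5" etc.) stripped. A missing
# .pc file (package not installed) prints nothing; pkg-config itself would
# error out at that point, which is the configure-time failure seen above.
pc_deps() {
    f="$1/$2.pc"
    [ -f "$f" ] || return 0
    sed -n -e 's/^Requires:[[:space:]]*//p' \
           -e 's/^Requires\.private:[[:space:]]*//p' "$f" \
        | tr ',' ' ' \
        | sed 's/[<>=!]\{1,\}[[:space:]]*[0-9][^[:space:]]*//g' \
        | tr -s '[:space:]' '\n' \
        | sed '/^$/d'
}

# pc_closure DIR MODULE...: breadth-first walk printing each reachable module
# once, including modules whose .pc file is absent (exactly the ones that
# break "pkg-config --cflags" at configure time).
pc_closure() {
    dir="$1"; shift
    queue="$*"; seen=" "
    while :; do
        set -- $queue                       # split pending names on whitespace
        [ $# -gt 0 ] || break
        cur="$1"; shift; queue="$*"
        case "$seen" in *" $cur "*) continue ;; esac
        seen="$seen$cur "
        printf '%s\n' "$cur"
        queue="$queue $(pc_deps "$dir" "$cur")"
    done
}

# pc_pulls_in DIR MODULE DEP: exit 0 if DEP is in MODULE's closure.
pc_pulls_in() {
    pc_closure "$1" "$2" | grep -Fx "$3" >/dev/null
}

# Constructed sample trees: "before" where atk reaches dbus-1 through the
# bridge and atspi-2, "after" where the bridge is a dummy with no atspi-2
# requirement. Simplified stand-ins for the real files. Prints the directory.
pc_demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/before" "$d/after"
    cat > "$d/before/atk.pc" <<'EOF'
Name: Atk
Requires: gobject-2.0 >= 2.67.4
Requires.private: atk-bridge-2.0
EOF
    cat > "$d/before/atk-bridge-2.0.pc" <<'EOF'
Name: atk-bridge-2.0
Requires: atspi-2, glib-2.0
EOF
    cat > "$d/before/atspi-2.pc" <<'EOF'
Name: atspi-2
Requires: dbus-1 >= 1.5, glib-2.0 >= 2.62.0, gobject-2.0
EOF
    cp "$d/before/atk.pc" "$d/after/atk.pc"
    cat > "$d/after/atk-bridge-2.0.pc" <<'EOF'
Name: atk-bridge-2.0
Requires: glib-2.0
EOF
    printf '%s\n' "$d"
}

# Stand-alone run over the constructed trees.
demo=$(pc_demo_setup)
for tree in before after; do
    if pc_pulls_in "$demo/$tree" atk dbus-1; then
        printf '%s: atk reaches dbus-1; closure: %s\n' "$tree" \
            "$(pc_closure "$demo/$tree" atk | tr '\n' ' ')"
    else
        printf '%s: atk does not reach dbus-1\n' "$tree"
    fi
done
rm -rf "$demo"
```

On a real system, `pc_closure /usr/lib64/pkgconfig atk` lists everything Firefox's configure step will ask pkg-config for when it probes atk; any name in that list without a matching .pc file in the directory is the dependency that is "not met". The walk deliberately follows Requires.private as well, since pkg-config needs those files to exist even when it only resolves --cflags.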
colo-des Tux's lil' helper
Joined: 20 May 2011 Posts: 97
Posted: Wed Mar 01, 2023 1:51 am
@Hu
Quote:
The warning is trying to discourage users from breaking their system so badly that they need to come here and get our help to repair it.

That would never happen if you don't have pam installed; if the door isn't there, there are no locks or keys. pam increases the attack surface, that's undeniable.
Regards.
Hu Administrator
Joined: 06 Mar 2007 Posts: 21856
Posted: Wed Mar 01, 2023 4:00 am
Almost all packages theoretically increase attack surface by their presence, and therefore should not be installed unnecessarily. The extent to which they increase attack surface, and the value they provide in return, vary widely. The maintainer's DANGEROUS warning is about the administrator recklessly breaking the system, not about attack surface.
colo-des Tux's lil' helper
Joined: 20 May 2011 Posts: 97
Posted: Wed Mar 01, 2023 5:31 am
Hu wrote:
Almost all packages theoretically increase attack surface by their presence, and therefore should not be installed unnecessarily. The extent to which they increase attack surface, and the value they provide in return, vary widely. The maintainer's DANGEROUS warning is about the administrator recklessly breaking the system, not about attack surface.

I agree with your statement about the attack surface, but making system packages depend exclusively on pam, with no option to make them work without pam... that should never happen.
Regards.
stefan11111 l33t
Joined: 29 Jan 2023 Posts: 922 Location: Romania
Posted: Wed Mar 01, 2023 7:55 am
ukky wrote:
This is partially true. Even though Firefox has its own 'dbus' USE flag, you cannot compile Firefox without dbus installed, even with the '-dbus' USE flag applied.
The reason is the /usr/lib64/pkgconfig/atk.pc file. At the configuration stage Firefox will bail out due to atk.pc requirements not being met (missing dbus package, probably /usr/lib64/pkgconfig/dbus-1.pc).

Have firefox/librewolf's maintainers been notified of this?
stefan11111 l33t
Joined: 29 Jan 2023 Posts: 922 Location: Romania
Posted: Wed Mar 01, 2023 10:01 am
Code:
$ eix-installed -a | grep bus
dev-util/gdbus-codegen-2.74.6

Has anyone gotten rid of this too?