HPUX kernel compile???
on 23.07.2006 22:37:27 by Neil Jones
Hello,
I have been assigned to perform a security review for a HPUX system
which is in production. One thing I have noticed is that the system has
a C compiler on the system. Since this is not a development system I
suggested that it be removed. The sysadmin mentioned that it is
required to perform kernel compilation, which caught me by surprise. I
come from the Linux camp. (I do love all flavors of Unix). My
understanding is that HPUX is a closed source operating system. Has HP
opened its source code to open source (like Solaris)? If not, then
what type of kernel code is being compiled by the C compiler? The
sysadmin mentioned that it is a stripped down compiler.
Thank you in advance for any information.
Regards,
--
Neil Jones
cat @yahoo.com >> castellan-gen
God made men and Colt made them equal.
Linus made Linux and Tux made IT companies equal.
Re: HPUX kernel compile???
on 23.07.2006 23:56:01 by John Burns
> I have been assigned to perform a security review for a HPUX system
> which is in production. One thing I have noticed is that the system has
> a C compiler on the system. Since this is not a development system I
> suggested that it be removed. The sysadmin mentioned that it is
> required to perform kernel compilation, which caught me by surprise. I
> come from the Linux camp. (I do love all flavors of Unix). My
> understanding is that HPUX is a closed source operating system. Has HP
> opened its source code to open source (like Solaris)? If not, then
> what type of kernel code is being compiled by the C compiler? The
> sysadmin mentioned that it is a stripped down compiler.
It's a basic K&R C compiler and it is indeed needed to build a kernel.
I don't know if it compiles anything or not. But I'll bet the linker is
used to add new library modules.
--
Who needs a life when you've got Unix? :-)
Email: john@unixnerd.demon.co.uk, John G.Burns B.Eng, Bonny Scotland
Web : http://www.unixnerd.demon.co.uk - The Ultimate BMW Homepage!
Need Sun or HP Unix kit? http://www.unixnerd.demon.co.uk/unix.html
www.Strathspey.co.uk - Quality Binoculars at a Sensible price
Re: HPUX kernel compile???
on 24.07.2006 00:21:17 by unknown
Post removed (X-No-Archive: yes)
Re: HPUX kernel compile???
on 24.07.2006 00:37:36 by Andrew
Neil Jones wrote:
> Hello,
>
> I have been assigned to perform a security review for a HPUX system
> which is in production. One thing I have noticed is that the system has
> a C compiler on the system. Since this is not a development system I
> suggested that it be removed. The sysadmin mentioned that it is
> required to perform kernel compilation, which caught me by surprise. I
> come from the Linux camp. (I do love all flavors of Unix). My
> understanding is that HPUX is a closed source operating system. Has HP
> opened its source code to open source (like Solaris)?
No.
> If not, then
> what type of kernel code is being compiled by the C compiler?
Very little. HPUX does not "re-compile" a kernel in the same sense
you're used to in Linux. It compiles conf.c (containing driver and
tunable parameter information) and links existing libraries to create a
new kernel. Similar to SCO and other proprietary System V variants.
Patches may contain new libraries which are then linked into a new
kernel during the patch-installation/build process.
See: http://docs.hp.com/en/1219/tuningwp.html
> The
> sysadmin mentioned that it is a stripped down compiler.
He is correct.
See: http://www.faqs.org/faqs/hp/hpux-faq/
Subject: 6.2.1 Why is the default C compiler brain-dead?
Updated: 04/13/01
The C compiler shipped with HP-UX is intended only to rebuild the kernel
with, not for program development. To get a "real" C compiler, you have
two options:
o buy HP's ANSI C product
o use the GNU C Compiler (gcc), downloadable in binary form from the
Liverpool archive
>
> Thank you in advance for any information.
Out of curiosity, why do you believe that removing a C-compiler from a
UNIX system will make it more secure?
andrew@lod.com
Re: HPUX kernel compile???
on 24.07.2006 00:52:33 by roberson
In article ,
Neil Jones wrote:
>I have been assigned to perform a security review for a HPUX system
>which is in production. One thing I have noticed is that the system has
>a C compiler on the system. Since this is not a development system I
>suggested that it be removed. The sysadmin mentioned that it is
>required to perform kernel compilation, which caught me by surprise.
I haven't used HPUX, but the situation is similar on SGI IRIX:
a stripped-down compiler is squirreled away for kernel building.
Answering the poster who asked how often they expect to rebuild
the kernel: the answer to that on SGI IRIX is "Every time a kernel
patch is released, or a kernel driver package is installed or uninstalled,
or a change is made to one of the kernel device driver tables (e.g.,
forcing a particular speed on a scsi bus), or a change is made to
one of the fundamental system tunables that affect kernel table
memory allocation."
In SGI IRIX, the compiler -could- be removed, but you'd have to put it
back before installing most any of the security upgrades. SGI IRIX
is not open source, but the fundamental parts of it are provided as
object files that are linked together to form the kernel. There are
also important configuration tables in SGI IRIX; see below:
Extracting from SGI IRIX /var/sysgen/master/* :
* Any object which is to be included in a kernel by the self
* configuration boot program must have a corresponding master file which
* contains configuration specifications. The master file name is the
* basename of the object it describes.
*
* There are three sections in a master file: a tabulated ordering of
* flags, phrases and values interpreted by the configuration program and
* used to build device tables and the like, a list of stub routines, and
* a section of (mostly) C code. The first non-blank, non-comment line
* is interpreted for flags, phrases and values. Any other (non-comment)
* lines, up to a line that begins with a dollar sign ('$'), specify stubs.
* All phrases uttered after the line beginning with a dollar sign is
* processed to interpret special characters, then compiled (by the C
* compiler) into the kernel.
Re: HPUX kernel compile???
on 24.07.2006 03:12:54 by Chuck Whealton
Andrew wrote:
> Neil Jones wrote:
> > Hello,
> >
> > I have been assigned to perform a security review for a HPUX system
> > which is in production. One thing I have noticed is that the system has
> > a C compiler on the system. Since this is not a development system I
> > suggested that it be removed. The sysadmin mentioned that it is
> > required to perform kernel compilation, which caught me by surprise. I
> > come from the Linux camp. (I do love all flavors of Unix). My
> > understanding is that HPUX is a closed source operating system. Has HP
> > opened its source code to open source (like Solaris)?
>
> No.
>
> > If not, then
> > what type of kernel code is being compiled by the C compiler?
>
> Very little. HPUX does not "re-compile" a kernel in the same sense
> you're used to in Linux. It compiles conf.c (containing driver and
> tunable parameter information) and links existing libraries to create a
> new kernel. Similar to SCO and other proprietary System V variants.
> Patches may contain new libraries which are then linked into a new
> kernel during the patch-installation/build process.
>
> See: http://docs.hp.com/en/1219/tuningwp.html
>
> > The
> > sysadmin mentioned that it is a stripped down compiler.
>
> He is correct.
>
> See: http://www.faqs.org/faqs/hp/hpux-faq/
>
> Subject: 6.2.1 Why is the default C compiler brain-dead?
> Updated: 04/13/01
>
> The C compiler shipped with HP-UX is intended only to rebuild the kernel
> with, not for program development. To get a "real" C compiler, you have
> two options:
>
> o buy HP's ANSI C product
> o use the GNU C Compiler (gcc), downloadable in binary form from the
> Liverpool archive
>
> >
> > Thank you in advance for any information.
>
> Out of curiosity, why do you believe that removing a C-compiler from a
> UNIX system will make it more secure?
>
> andrew@lod.com
I also have to wonder why removing the C compiler would be a help
security-wise.
HP does have a program that was called "Security Patch Check" (don't
remember the product number) that can be used to hit HP, download a
catalog, and compare patches on your system against those HP says are
required for the "most secure" system. Later versions also make other
recommendations, for example, upgrade Java 2 RTE to version
your version> and things of that nature. The product is free, and you
may get a bit more out of this method than ripping out things like the
C compiler.
If you're that interested, doesn't HP-UX still include an easy setup for
C2 security?
Charles R. Whealton
Charles Whealton @ pleasedontspam.com
Re: HPUX kernel compile???
on 24.07.2006 04:26:16 by roberson
In article <1153703574.099535.266800@h48g2000cwc.googlegroups.com>,
Chuck Whealton wrote:
>Andrew wrote:
>> Out of curiosity, why do you believe that removing a C-compiler from a
>> UNIX system will make it more secure?
>I also have to wonder why removing the C compiler would be a help
>security-wise.
Well, it does make it more secure against rootkits that build their
exploits from C source, as has happened in the past on some Unix systems.
But of course it doesn't make the system any more secure against
rootkits that bother to check the OS version and copy in a prebuilt
binary.
There is a narrow range in which the difference makes a difference.
Imagine a server that had a stack vulnerability in its web server
that could be usefully exploited to load in a relatively small file
but not a big file. Further imagine that the network firewall doesn't
permit outbound traffic to be initiated to useful places from which
to copy in additional files. In that combination of circumstances,
a C source exploit might be feasible where bringing in a binary
might not be.
(Caution: wet straw may spontaneously combust.)
Re: HPUX kernel compile???
on 24.07.2006 10:43:52 by Casper.Dik
Neil Jones writes:
>I have been assigned to perform a security review for a HPUX system
>which is in production. One thing I have noticed is that the system has
>a C compiler on the system. Since this is not a development system I
>suggested that it be removed. The sysadmin mentioned that it is
>required to perform kernel compilation, which caught me by surprise. I
>come from the Linux camp. (I do love all flavors of Unix). My
>understanding is that HPUX is a closed source operating system. Has HP
>opened its source code to open source (like Solaris)? If not, then
>what type of kernel code is being compiled by the C compiler? The
>sysadmin mentioned that it is a stripped down compiler.
Traditional Unix systems were configured by defining the size of
certain tables in C code and then compiling and linking them.
Only a small part of the actual code was shipped with the OS; the
rest was shipped in binary form.
Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
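What Andrew's "compiles conf.c and links existing libraries" and Casper's "defining the size of certain tables in C code" amount to, as an added illustration that is not HP-UX source: the prebuilt objects only declare the configuration tables, so the stripped-down cc has nothing to compile except the table file. The tunable names and values below are constructed for this example, not HP defaults.

```c
/* Added example, not HP-UX code: mimics the classic System V build where
 * the only source compiled on the host is a table file (HP-UX's conf.c),
 * which is then linked against prebuilt kernel objects. */
#include <stddef.h>
#include <string.h>

/* ---- Part 1: stands in for the prebuilt kernel objects (shipped as .o
 * archives, never recompiled on site). They only *declare* the tables. */
struct tunable {
    const char *name;
    long value;
};
extern const struct tunable tunables[];   /* defined by the site's conf.c */
extern const size_t ntunables;

/* Look up a tunable by name; -1 if the site's table does not define it. */
long tunable_get(const char *name)
{
    for (size_t i = 0; i < ntunables; i++)
        if (strcmp(tunables[i].name, name) == 0)
            return tunables[i].value;
    return -1;
}

/* Bytes needed for a fixed kernel table whose size is a tunable
 * (here the process table, sized by "nproc"). */
size_t proc_table_bytes(size_t slot_size)
{
    long nproc = tunable_get("nproc");
    return nproc > 0 ? (size_t)nproc * slot_size : 0;
}

/* ---- Part 2: stands in for conf.c, the one file the stripped-down cc
 * compiles. Values are constructed for this example, not HP defaults. */
const struct tunable tunables[] = {
    { "nproc",    1024 },  /* max processes */
    { "maxfiles",  256 },  /* per-process open file limit */
    { "nbuf",      512 },  /* buffer cache headers */
};
const size_t ntunables = sizeof tunables / sizeof tunables[0];
```

Changing a tunable means editing Part 2, recompiling that one file and relinking; Part 1 never needs source on the machine, which is why a compiler that only handles such table files suffices.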
Re: HPUX kernel compile???
on 24.07.2006 17:45:11 by Volker Birk
In comp.security.misc Neil Jones wrote:
> I have been assigned to perform a security review for a HPUX system
> which is in production. One thing I have noticed is that the system has
> a C compiler on the system. Since this is not a development system I
> suggested that it be removed.
Why?
> The sysadmin mentioned that it is
> required to perform kernel compilation, which caught me by surprise. I
> come from the Linux camp. (I do love all flavors of Unix). My
> understanding is that HPUX is a closed source operating system. Has HP
> opened its source code to open source (like Solaris)?
No. But kernel compiling is still used.
> If not, then
> what type of kernel code is being compiled by the C compiler?
Modules.
> The
> sysadmin mentioned that it is a stripped down compiler.
Usually, it's just an ANSI compiler.
Yours,
VB.
--
I would estimate that about 87% of all spontaneous estimates are complete
rubbish.
Ralph Angenendt in debate@ccc.de
Re: HPUX kernel compile???
on 24.07.2006 17:47:48 by Volker Birk
In comp.security.misc John Burns wrote:
> It's a basic K&R C compiler and it is indeed needed to build a kernel.
Oops? I think the newer HP-UX versions have the aCC with them:
http://devrsrc1.external.hp.com/STK/impacts/i480.html
Yours,
VB.
--
I would estimate that about 87% of all spontaneous estimates are complete
rubbish.
Ralph Angenendt in debate@ccc.de
Re: HPUX kernel compile???
on 25.07.2006 08:38:15 by dhandly
John Burns wrote:
: It's a basic K&R C compiler and it is indeed needed to build a kernel.
: I don't know if it compiles anything or not. But I'll bet the linker is
: used to add new library modules.
It depends on what version of HP-UX. On 11.23, only the linker is used.
From: Volker Birk
>I think, the newer HP-UX versions have the aCC with them:
Only on IPF.
From: Casper H.S. Dik
>Traditional Unix systems were configured by defining the size of
>certain tables in C code and then compiling and linking them.
>Only a small part of the actual code was shipped with the OS; the
>rest was shipped in binary form.
Yes, that was 11.11 through 11.22 (and previous versions).
From: Volker Birk
>Usually, it's just an ANSI compiler.
Not on HP-UX. For PA it is K&R for IPF it is now a stripped down
ANSI C compiler.
Re: HPUX kernel compile???
on 22.08.2006 22:58:22 by remove22
In article ,
Neil Jones wrote:
>If not, then
>what type of kernel code is being compiled by the C compiler? The
>sysadmin mentioned that it is a stripped down compiler.
If it is like the older HP-UX computers that I once dealt with, the
cc compiler was used to compile a configuration file which was then
linked to the rest of the kernel objects / libraries to make a new
kernel. The configuration file had tunable parameters and such in it.
The cc compiler itself only handled old style K&R 1 C, not stuff like
function prototypes. It was capable of compiling gcc from source.
--
------------------------------------------------------------------------
Timothy J. Lee
Unsolicited bulk or commercial email is not welcome.
No warranty of any kind is provided with this message.
Re: HPUX kernel compile???
on 23.08.2006 16:35:03 by OldSchool
FWIW: HP offers a rootkit protection package, as well as other security
items, free of charge for 11iv1 and v2 as part of the "Internet
Express" package.
see hp.software.com
Re: HPUX kernel compile???
on 25.08.2006 20:06:50 by Volker Birk
In comp.security.misc OldSchool wrote:
> FWIW: HP offers a rootkit protection package
How should this work?
Yours,
VB.
--
Much worse than the implementation of PHP, however, is its design.
Rudolf Polzer in de.comp.security.misc