Dear Maintainer, The hardening flags are partially missing because the build system ignores them in a few places.
The attached patch fixes the issue; if possible it should be sent upstream. To check if all flags were correctly enabled you can use `hardening-check` from the hardening-includes package and check the build log (hardening-check doesn't catch everything): $ hardening-check /usr/bin/sudoreplay /usr/bin/sudo /usr/bin/sudoedit ... /usr/bin/sudoreplay: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! /usr/bin/sudo: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! /usr/bin/sudoedit: Position Independent Executable: no, normal executable! Stack protected: yes Fortify Source functions: yes (some protected functions found) Read-only relocations: yes Immediate binding: no not found! ... (Position Independent Executable and Immediate binding are not enabled by default.) Use find -type f \( -executable -o -name \*.so\* \) -exec hardening-check {} + on the build result to check all files. Regards, Simon [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags [2]: https://wiki.debian.org/HardeningWalkthrough [3]: https://wiki.debian.org/Hardening -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9
Description: Use build flags from environment (dpkg-buildflags). Necessary for hardening flags.
Author: Simon Ruderich <si...@ruderich.org>
Last-Update: 2012-03-13
Index: sudo-1.8.3p2/src/Makefile.in
===================================================================
--- sudo-1.8.3p2.orig/src/Makefile.in 2012-03-13 17:46:43.069036559 +0100
+++ sudo-1.8.3p2/src/Makefile.in 2012-03-13 17:47:12.949037698 +0100
@@ -101,7 +101,7 @@
 $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LTLDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
 sesh: sesh.o
- $(CC) -o $@ sesh.o
+ $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ sesh.o
 pre-install:
Index: sudo-1.8.3p2/compat/Makefile.in
===================================================================
--- sudo-1.8.3p2.orig/compat/Makefile.in 2012-03-13 17:46:43.069036559 +0100
+++ sudo-1.8.3p2/compat/Makefile.in 2012-03-13 17:47:12.949037698 +0100
@@ -35,6 +35,9 @@
 # Usually -O and/or -g
 CFLAGS = @CFLAGS@
+# Linker flags
+LDFLAGS = @LDFLAGS@
+
 # OS dependent defines
 DEFS = @OSDEFS@
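Review bot: The new `sesh` link line passes `$(CPPFLAGS)`, which only affects preprocessing and does nothing at a link-only step (the recipe links the already-compiled sesh.o); `$(CC) $(CFLAGS) $(LDFLAGS) -o $@ sesh.o` is sufficient and mirrors the libtool link line above it, which already uses `$(LDFLAGS)` in this Makefile. Keeping `$(CFLAGS)` on the link line is right, since some compiler flags must also be seen by the driver when it links. A short comment such as `# sesh is linked directly, not via libtool, so the hardening LDFLAGS must be passed here explicitly` would explain why this rule differs from its neighbours. The rule that compiles sesh.o is outside the hunk, so I cannot tell from here whether it already receives `$(CPPFLAGS) $(CFLAGS)`.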
@@ -62,19 +65,19 @@
 $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $<
 libreplace.la: $(LTLIBOBJS)
- $(LIBTOOL) --mode=link $(CC) -o $@ $(LTLIBOBJS) -no-install
+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ $(LTLIBOBJS) -no-install
 siglist.c: mksiglist
 ./mksiglist > $@
 mksiglist: $(srcdir)/mksiglist.c $(srcdir)/mksiglist.h $(incdir)/missing.h $(top_builddir)/config.h
- $(CC) $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/mksiglist.c -o $@
+ $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $(DEFS) $(srcdir)/mksiglist.c -o $@
 fnm_test: fnm_test.o libreplace.la
- $(LIBTOOL) --mode=link $(CC) -o $@ fnm_test.o libreplace.la
+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ fnm_test.o libreplace.la
 globtest: globtest.o libreplace.la
- $(LIBTOOL) --mode=link $(CC) -o $@ globtest.o libreplace.la
+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ globtest.o libreplace.la
 @DEV@$(srcdir)/mksiglist.h: $(srcdir)/siglist.in
 @DEV@ awk 'BEGIN {print "/* public domain */\n"} /^ [A-Z]/ {printf("#ifdef SIG%s\n if (my_sys_siglist[SIG%s] == NULL)\n\tmy_sys_siglist[SIG%s] = \"%s\";\n#endif\n", $$1, $$1, $$1, substr($$0, 13))}' < $(srcdir)/siglist.in > $@
Index: sudo-1.8.3p2/common/Makefile.in
===================================================================
--- sudo-1.8.3p2.orig/common/Makefile.in 2012-03-13 17:46:43.013036558 +0100
+++ sudo-1.8.3p2/common/Makefile.in 2012-03-13 17:47:12.949037698 +0100
@@ -35,6 +35,9 @@
 # Usually -O and/or -g
 CFLAGS = @CFLAGS@
+# Linker flags
+LDFLAGS = @LDFLAGS@
+
 # OS dependent defines
 DEFS = @OSDEFS@
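Review bot: `$(LDFLAGS)` is added to the `libreplace.la` link, but that rule has no `-rpath` and uses `-no-install`, so as far as I can tell libtool only archives the objects into a convenience library and no linker runs there; the flags are harmless but only take effect where the final executable or module is linked. The same applies to `libcommon.la` in the common/Makefile.in hunk and `libparsesudoers.la` in the plugins/sudoers hunk. The `mksiglist`, `fnm_test` and `globtest` rules in this hunk do produce executables and those additions look right; note that `$(LDFLAGS)` now precedes the source in the `mksiglist` line, so any library (`-l`) words in LDFLAGS would come before the object that needs them, which is why such words conventionally live in a separate variable after the objects. A comment on the convenience-library rules, e.g. `# convenience library (-no-install): LDFLAGS kept for consistency, the real link happens in the consumer`, would stop the next reader from expecting hardening flags to be applied at this point.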
@@ -56,7 +59,7 @@
 $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $<
 libcommon.la: $(LTOBJS)
- $(LIBTOOL) --mode=link $(CC) -o $@ $(LTOBJS) -no-install
+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ $(LTOBJS) -no-install
 pre-install:
Index: sudo-1.8.3p2/plugins/sudoers/Makefile.in
===================================================================
--- sudo-1.8.3p2.orig/plugins/sudoers/Makefile.in 2012-03-13 17:46:42.985036557 +0100
+++ sudo-1.8.3p2/plugins/sudoers/Makefile.in 2012-03-13 17:47:12.949037698 +0100
@@ -159,7 +159,7 @@
 (cd $(top_builddir) && ./config.status --file plugins/sudoers/Makefile)
 libparsesudoers.la: $(LIBPARSESUDOERS_OBJS)
- $(LIBTOOL) --mode=link $(CC) -o $@ $(LIBPARSESUDOERS_OBJS) -no-install
+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ $(LIBPARSESUDOERS_OBJS) -no-install
 sudoers.la: $(SUDOERS_OBJS) $(LT_LIBS) libparsesudoers.la
 $(LIBTOOL) @LT_STATIC@ --mode=link $(CC) $(SUDOERS_LDFLAGS) $(LTLDFLAGS) -o $@ $(SUDOERS_OBJS) libparsesudoers.la $(SUDOERS_LIBS) -module -export-symbols $(srcdir)/sudoers.sym -avoid-version -rpath $(plugindir)
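Review bot: The plugins/sudoers hunk references `$(LDFLAGS)` in the `libparsesudoers.la` rule, but unlike the compat and common hunks the patch adds no `LDFLAGS = @LDFLAGS@` assignment to plugins/sudoers/Makefile.in; unless the file already defines it outside the hunk, the value comes only from make's environment at build time rather than from configure, which is the same kind of silent drop the cover mail describes. The installed artefact, `sudoers.la`, is linked with `$(SUDOERS_LDFLAGS) $(LTLDFLAGS)` and is left untouched; if `SUDOERS_LDFLAGS` (defined outside the hunk) does not already incorporate `@LDFLAGS@`, the shipped sudoers.so still lacks relro/bindnow, which the `find ... -name \*.so\*` check from the cover mail would reveal. The simplest fix is to add `LDFLAGS = @LDFLAGS@` next to `CFLAGS` in this Makefile.in as done for compat and common, and to put `$(LDFLAGS)` on the `sudoers.la` link line unless it is already folded into `SUDOERS_LDFLAGS`.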