Modern versions of GCC/binutils/... support flags which allow building
"Position Independent Executables".  This is a Security Feature (TM) which
means that executables can be loaded at non-fixed locations, making it
harder to write some types of exploit.

It's slightly awkward to build httpd like this, since the compiler flag
-fPIE must only be used when compiling an object which will not be
linked into a shared object i.e. libapr or any DSO.  Below is a patch
which threads the flags into the right places and adds a configure flag
"--enable-pie" to turn it all on.

(it's an optional feature since PIE binaries confuse some debuggers so
you don't necessarily want it on-by-default even if the toolchain
supports the flags)

Any objections for committing to the trunk?

Index: configure.in
===================================================================
--- configure.in        (revision 125927)
+++ configure.in        (working copy)
@@ -394,6 +394,29 @@
   APR_ADDTO(CPPFLAGS, -DAP_DEBUG)
 ])dnl
 
+dnl Conditionally enable PIE support for GNU toolchains.
+AC_ARG_ENABLE(pie,APACHE_HELP_STRING(--enable-pie,Build httpd as a Position 
Independent Executable))
+if test "$enable_pie" = "yes"; then
+   AC_CACHE_CHECK([whether $CC accepts PIE flags], [ap_cv_cc_pie], [
+     save_CFLAGS=$CFLAGS
+     save_LDFLAGS=$LDFLAGS
+     CFLAGS="$CFLAGS -fPIE"
+     LDFLAGS="$LDFLAGS -pie"
+     AC_TRY_RUN([static int foo[30000]; int main () { return 0; }],
+      [ap_cv_cc_pie=yes], [ap_cv_cc_pie=no], [ap_cv_cc_pie=yes])
+     CFLAGS=$save_CFLAGS
+     LDFLAGS=$save_LDFLAGS
+   ])
+   if test "$ap_cv_cc_pie" = "yes"; then
+     PICFLAGS="-fPIE"
+     PILDFLAGS="-pie"
+   else
+     AC_ERROR([--enable-pie requested but $CC failed using PIE flags])
+   fi
+fi
+AC_SUBST(PICFLAGS)
+AC_SUBST(PILDFLAGS)
+
 prefix="$orig_prefix"
 APACHE_ENABLE_MODULES
 
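Review bot: The cross-compiling fallback of AC_TRY_RUN (its fourth argument, `[ap_cv_cc_pie=yes]`) reports PIE support without running anything, so a cross toolchain that cannot produce a working PIE would pass configure and may only fail later in the build or when the binary is loaded. Defaulting that branch to `[ap_cv_cc_pie=no]` keeps `--enable-pie` fail-closed, and a cross builder who knows the target can still preset the cache variable `ap_cv_cc_pie=yes`. PICFLAGS and PILDFLAGS are also never cleared before the `if`, so values inherited from the environment would reach AC_SUBST even when the option is off; `PICFLAGS= PILDFLAGS=` ahead of the test avoids that. The name PICFLAGS for a variable that holds `-fPIE` invites confusion with `-fPIC`, so a one-line comment at the assignment, or a name such as `PIEFLAGS`, would help.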
Index: build/rules.mk.in
===================================================================
--- build/rules.mk.in   (revision 125927)
+++ build/rules.mk.in   (working copy)
@@ -31,18 +31,21 @@
 
 # Compile commands
 
-COMPILE      = $(CC)  $(ALL_CFLAGS) $(ALL_CPPFLAGS) $(ALL_INCLUDES)
-CXX_COMPILE  = $(CXX) $(ALL_CXXFLAGS) $(ALL_CPPFLAGS) $(ALL_INCLUDES)
+BASE_CC  = $(CC) $(ALL_CFLAGS) $(ALL_CPPFLAGS) $(ALL_INCLUDES)
+BASE_CXX = $(CXX) $(ALL_CXXFLAGS) $(ALL_CPPFLAGS) $(ALL_INCLUDES)
 
-SH_COMPILE     = $(LIBTOOL) --mode=compile $(COMPILE) @SHLTCFLAGS@ -c $< && 
touch $@
-SH_CXX_COMPILE = $(LIBTOOL) --mode=compile $(CXX_COMPILE) @SHLTCFLAGS@ -c $< 
&& touch $@
+COMPILE      = $(BASE_CC) @PICFLAGS@
+CXX_COMPILE  = $(BASE_CXX) @PICFLAGS@
 
+SH_COMPILE     = $(LIBTOOL) --mode=compile $(BASE_CC) @SHLTCFLAGS@ -c $< && 
touch $@
+SH_CXX_COMPILE = $(LIBTOOL) --mode=compile $(BASE_CXX) @SHLTCFLAGS@ -c $< && 
touch $@
+
 LT_COMPILE     = $(LIBTOOL) --mode=compile $(COMPILE) @LTCFLAGS@ -c $< && 
touch $@
 LT_CXX_COMPILE = $(LIBTOOL) --mode=compile $(CXX_COMPILE) @LTCFLAGS@ -c $< && 
touch $@
 
 # Link-related commands
 
-LINK     = $(LIBTOOL) --mode=link $(CC) $(ALL_CFLAGS) $(LT_LDFLAGS) 
$(ALL_LDFLAGS) -o $@
+LINK     = $(LIBTOOL) --mode=link $(CC) $(ALL_CFLAGS) @PILDFLAGS@ 
$(LT_LDFLAGS) $(ALL_LDFLAGS) -o $@
 SH_LINK  = $(SH_LIBTOOL) --mode=link $(CC) $(ALL_CFLAGS) $(LT_LDFLAGS) 
$(ALL_LDFLAGS) $(SH_LDFLAGS) $(CORE_IMPLIB) $(SH_LIBS) -o $@
 MOD_LINK = $(LIBTOOL) --mode=link $(CC) $(ALL_CFLAGS) -static $(LT_LDFLAGS) 
$(ALL_LDFLAGS) -o $@
 
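Review bot: `CXX_COMPILE = $(BASE_CXX) @PICFLAGS@` hands -fPIE to $(CXX), but the configure check in this patch only exercises the flags with $CC, so a C++ compiler that differs from the C compiler goes untested. The reason SH_COMPILE and SH_CXX_COMPILE move to BASE_CC/BASE_CXX is not recorded in the file, and a later cleanup could fold them back onto COMPILE and put -fPIE objects into shared objects. A comment above them such as `# SH_* rules use BASE_CC/BASE_CXX: -fPIE objects must not be linked into a DSO` would preserve that constraint. LINK now always carries @PILDFLAGS@; if LINK is also used for libtool library targets elsewhere in the tree (not visible in this hunk), it is worth confirming that -pie is harmless there.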
