Hi, Moritz!

On 01/06/12 18:50, marius adrian popa wrote:
> ---------- Forwarded message ----------
> From: Moritz Muehlenhoff <[email protected]>
> Date: Thu, Jan 5, 2012 at 10:46 PM
> Subject: [pkg-firebird-general] Bug#654793: Hardening flags not fully enabled
> To: Debian Bug Tracking System <[email protected]>
>
>
> Source: firebird2.5
> Severity: important
>
> Hi,
> I'm currently checking all packages, which had a DSA in the last
> year to enable hardened build flags. firebird2.5 has already been
> updated to use dpkg-buildflags, but I noticed that not all flags
> are fully in effect. You can use the hardening-check scripts from
> the package hardening-includes:
>
> Out of the three hardening features from the Wheezy default set
> (protected stack, fortified source and relro) not all are fully
> applied, e.g.
>
> root@pisco:~# hardening-check /usr/sbin/fb_inet_server
> /usr/sbin/fb_inet_server:
>  Stack protected: no, not found!
>  Fortify Source functions: unknown, no protectable libc functions used
>  Read-only relocations: yes
>
> root@pisco:~# hardening-check /usr/bin/fbsvcmgr
> /usr/bin/fbsvcmgr:
>  Stack protected: yes
>  Fortify Source functions: no, no protected functions found!
>  Read-only relocations: yes
>
This is how the services manager is built originally.

Compile:

  g++ -I../src/include/gen -I../src/include -I../src/vulcan \
    -DNAMESPACE=Vulcan -I../extern/icu/source/common \
    -I../extern/icu/source/i18n -DNDEBUG -ggdb \
    -DFB_SEND_FLAGS=MSG_NOSIGNAL -DLINUX -DAMD64 -pipe -MMD -fPIC \
    -fmessage-length=0 -O3 -fno-omit-frame-pointer -pthread -pthread \
    -fno-rtti -c ../src/utilities/fbsvcmgr.cpp \
    -o ../temp/std/utilities/fbsvcmgr.o

Link:

  g++ -pthread -pthread -Wl,-rpath,/opt/firebird/lib \
    -Wl,-rpath,/opt/firebird/intl \
    ../temp/std/utilities/fbsvcmgr.o \
    ../temp/std/common/classes/fb_string.o \
    ../temp/std/common/classes/alloc.o \
    ../temp/std/common/fb_exception.o \
    ../temp/std/common/utils.o \
    ../temp/std/common/classes/locks.o \
    ../temp/std/jrd/path_utils.o \
    ../temp/std/common/classes/semaphore.o \
    ../temp/std/common/classes/SafeArg.o \
    ../temp/std/common/classes/MsgPrint.o \
    ../temp/std/common/classes/BaseStream.o \
    ../temp/std/common/classes/ClumpletReader.o \
    ../temp/std/common/classes/ClumpletWriter.o \
    ../temp/std/common/thd.o \
    ../temp/std/common/classes/MetaName.o \
    ../temp/std/common/StatusHolder.o \
    ../temp/std/common/classes/init.o \
    ../temp/std/common/StatusArg.o \
    ../gen/firebird/lib/libfbembed.so.2.5.1 \
    -o ../gen/firebird/bin/fbsvcmgr \
    -L../gen/firebird/lib -lfbembed -lm -ldl -lcurses

I have no idea what flag could conflict with the flags you want. Take into
account that almost all the rest of the utilities are built in the same way.
For example, this is how the interactive SQL interpreter is built:

  g++ -I../src/include/gen -I../src/include -I../src/vulcan \
    -DNAMESPACE=Vulcan -I../extern/icu/source/common \
    -I../extern/icu/source/i18n -DNDEBUG -ggdb \
    -DFB_SEND_FLAGS=MSG_NOSIGNAL -DLINUX -DAMD64 -pipe -MMD -fPIC \
    -fmessage-length=0 -O3 -fno-omit-frame-pointer -pthread -pthread \
    -fno-rtti -c ../temp/std/isql/isql.cpp -o ../temp/std/isql/isql.o

  g++ -pthread -pthread -Wl,-rpath,/opt/firebird/lib \
    -Wl,-rpath,/opt/firebird/intl \
    ../temp/std/isql/extract.o \
    ../temp/std/isql/isql.o \
    ../temp/std/isql/show.o \
    ../temp/std/isql/Extender.o \
    ../temp/std/isql/InputDevices.o \
    ../temp/std/isql/ColList.o \
    ../temp/std/isql/OptionsBase.o \
    ../temp/std/jrd/path_utils.o \
    ../temp/std/common/classes/ClumpletReader.o \
    ../temp/std/common/classes/ClumpletWriter.o \
    ../temp/std/common/fb_exception.o \
    ../temp/std/common/thd.o \
    ../temp/std/common/classes/MetaName.o \
    ../temp/std/common/StatusHolder.o \
    ../temp/std/common/classes/init.o \
    ../temp/std/common/StatusArg.o \
    ../temp/std/common/utils.o \
    ../temp/std/common/classes/alloc.o \
    ../temp/std/common/classes/locks.o \
    ../temp/std/common/classes/semaphore.o \
    ../temp/std/common/classes/fb_string.o \
    ../temp/std/common/classes/timestamp.o \
    ../temp/std/common/classes/PublicHandle.o \
    ../temp/std/common/classes/TempFile.o \
    ../temp/std/common/classes/UserBlob.o \
    ../temp/std/common/classes/SafeArg.o \
    ../temp/std/common/classes/MsgPrint.o \
    ../temp/std/common/classes/BaseStream.o \
    -o ../gen/firebird/bin/isql \
    -L../gen/firebird/lib -lfbembed ../gen/firebird/lib/libedit.a \
    -lm -ldl -lcurses

So I do not see why those 2 particular utilities do not have the behavior
you want.

> root@pisco:~# hardening-check /usr/lib/x86_64-linux-gnu/libfbclient.so.2.5.2
> /usr/lib/x86_64-linux-gnu/libfbclient.so.2.5.2:
>  Stack protected: yes
>  Fortify Source functions: no, no protected functions found!
>  Read-only relocations: yes
>
> The reason is likely that some parts of Firebird build system hardcode
> specific flags, which nullify the hardened build flags?

What flags do you add to build firebird, and how? If they are really useful,
maybe the best would be to use them in the original build?

Alex.
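
Added example (not part of the original message or of Firebird's build system): a small audit of a gcc/g++ command line for the three features named in the bug report, applying gcc's "last flag wins" rule so that a hardcoded flag cancelling an injected one shows up. The function name `audit_gcc_command` is hypothetical, the two command lines are abridged from the ones quoted above, and `HARDENING` assumes the usual GCC spellings `-fstack-protector` and `-D_FORTIFY_SOURCE=2` (relro is `-Wl,-z,relro` at link time).

```python
import shlex

def audit_gcc_command(cmd):
    """Report which hardening features a gcc/g++ command line enables.
    Later flags override earlier ones, as in gcc itself."""
    stack = fortify = relro = False
    opt = "0"                       # gcc default; _FORTIFY_SOURCE is inert at -O0
    linker_args = []
    args = shlex.split(cmd)
    for arg in args:
        if arg.startswith("-fstack-protector"):     # also -all / -strong
            stack = True
        elif arg == "-fno-stack-protector":
            stack = False
        elif arg.startswith("-D_FORTIFY_SOURCE"):
            value = arg.partition("=")[2] or "1"    # bare -DNAME defines it as 1
            fortify = value.isdigit() and int(value) > 0
        elif arg == "-U_FORTIFY_SOURCE":
            fortify = False
        elif arg.startswith("-O"):
            opt = arg[2:] or "1"                    # plain -O means -O1
        elif arg.startswith("-Wl,"):
            linker_args += arg.split(",")[1:]       # options handed to ld
    for flag, keyword in zip(linker_args, linker_args[1:]):
        if flag == "-z" and keyword in ("relro", "norelro"):
            relro = keyword == "relro"
    return {
        "step": "compile" if "-c" in args else "link",
        "stack_protector": stack,
        "fortify_source": fortify and opt != "0",
        "relro": relro,
    }

# Abridged from the fbsvcmgr commands in the message (include paths and
# most object files dropped; the option set is unchanged).
COMPILE = ("g++ -I../src/include -DNDEBUG -ggdb -pipe -MMD -fPIC "
           "-fmessage-length=0 -O3 -fno-omit-frame-pointer -pthread -fno-rtti "
           "-c ../src/utilities/fbsvcmgr.cpp -o ../temp/std/utilities/fbsvcmgr.o")
LINK = ("g++ -pthread -Wl,-rpath,/opt/firebird/lib -Wl,-rpath,/opt/firebird/intl "
        "../temp/std/utilities/fbsvcmgr.o -o ../gen/firebird/bin/fbsvcmgr "
        "-L../gen/firebird/lib -lfbembed -lm -ldl -lcurses")
# Assumed compile-time hardening flags (standard GCC options).
HARDENING = "-fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2"

if __name__ == "__main__":
    for cmd in (COMPILE, LINK, COMPILE + " " + HARDENING,
                COMPILE + " " + HARDENING + " -fno-stack-protector -O0"):
        print(audit_gcc_command(cmd))
```

The audit only reads the command line; `hardening-check` inspects the resulting binary, so it can still report "no" when the flags are present but no function in that binary qualifies for protection.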
