I brought this topic up the other day and only got a single response
(thanks to Aaron Walker :-) ) on the subject. At the end of this email
is my original question and the response that I received.
> Hello people,
>
> This pops up after emerging xorg-6.8.1.901, xorg-6.8.1.902, and
> probably others, but I am sure only about these two.
>
> QA Notice: /usr/X11R6/bin/Xorg is setXid, dynamically linked and using
> lazy bindings.
> This combination is generally discouraged. Try: LDFLAGS='-Wl,-z,now'
> emerge xorg-x11
>
> What does this mean? Should I put LDFLAGS='-Wl,-z,now'
> in /etc/make.conf (don't want to type it every time)? And if these
> LDFLAGS are good, why not make the ebuild set them, or at least tell
> me BEFORE everything is compiled and installed.
>
>
>
> --
> Thanks,
> Ivan Yosifov.
>
>
---------------------------------------------------------------------------
> From: Tres Melton <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Per package environment variables
> Date: Mon, 03 Jan 2005 05:18:14 -0700
>
> While emerging something I received the following message:
>
> QA Notice: /usr/bin/sudo is setXid, dynamically linked and using lazy
> bindings. This combination is generally discouraged. Try:
> LDFLAGS='-Wl,-z,now' emerge sudo
>
> My questions are:
> 1) Is there a USE variable that enables safe linking of SUID packages
> automatically?
> 2) Is there a file like /etc/portage/package.env-var where environment
> variables can be set (or appended to) on a per-package basis? The
> suggestion given above is not remembered any more than setting a USE flag
> on the command line is. It is also somewhat flawed when emerging the
> world and I don't want those link flags applied to every package that
> needs updating in my world, just the ones that will be installed SUID.
> 3) Is there a list of packages somewhere that should be linked in this
> manner? If I'm working on the computer then I can change over to the
> terminal doing the emerge and restart it with the safe link flags but
> most of the time I never notice.
> 4) Is there some way to search the emerge logs for either the notice
> above or for the lazy link flags and then cross reference them with
> every SUID program that has been installed?
>
> Thanks in advance. :-)
>
> --
> Tres Melton
> [EMAIL PROTECTED]
>
>
-----------------------------------------------------------------------------
> From: Aaron Walker <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: [gentoo-user] Per package environment variables
> Date: Tue, 04 Jan 2005 04:24:58 -0500 (02:24 MST)
>
>
> Tres Melton wrote:
> | While emerging something I received the following message:
> |
> | QA Notice: /usr/bin/sudo is setXid, dynamically linked and using lazy
> | bindings. This combination is generally discouraged. Try:
> | LDFLAGS='-Wl,-z,now' emerge sudo
> |
> | My questions are:
> | 1) Is there a USE variable that enables safe linking of SUID packages
> | automatically?
>
> No (see bottom for explanation).
>
> | 2) Is there a file like /etc/portage/package.env-var where environment
> | variables can be set (or appended to) on a per-package basis? The
> | suggestion given above is not remembered any more than setting a USE flag
> | on the command line is. It is also somewhat flawed when emerging the
> | world and I don't want those link flags applied to every package that
> | needs updating in my world, just the ones that will be installed SUID.
>
> I vaguely remember someone hacking something together to do this. You might
> try browsing through the gentoo-dev ML archives. I know that this has been
> discussed before.
>
> | 3) Is there a list of packages somewhere that should be linked in this
> | manner? If I'm working on the computer then I can change over to the
> | terminal doing the emerge and restart it with the safe link flags but
> | most of the time I never notice.
>
> No.
>
> | 4) Is there some way to search the emerge logs for either the notice
> | above or for the lazy link flags and then cross reference them with
> | every SUID program that has been installed?
>
> The only way this would be possible would be to set PORT_LOGDIR and then maybe
> set up a cron job to grep the logs. Maybe something like
>
> grep -r setXid ${PORT_LOGDIR}
>
> and of course replace PORT_LOGDIR with the appropriate directory.
>
> All that said, it's not the user's responsibility to set LDFLAGS to solve the
> lazy binding issue. This is something that should be done in the ebuild (via
> the append-ldflags function from flag-o-matic.eclass). When finding an ebuild
> that doesn't, the proper course of action would be to submit a bug at
> http://bugs.gentoo.org/.
>
> Cheers
> --
> When we talk of tomorrow, the gods laugh.
>
> Aaron Walker <[EMAIL PROTECTED]> http://dev.gentoo.org/~ka0ttic/
> Gentoo/BSD | cron | shell-tools http://butsugenjitemple.org/~ka0ttic/
>
Those messages are scattered throughout the system in many places but I
haven't taken the time to file bug reports as suggested because the only
other person that uses my computer locally is my girlfriend and I have
to keep telling her not to install Micro$oft plug-ins into Mozilla
because that is what keeps blowing up her desktop. (And she wonders why
I will not give her my passwords for the machine!) She is not someone
capable of creating an exploit for that vulnerability, or any other one.
--
cheers,
boater
--
[email protected] mailing list
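
Question 4 in the quoted thread asks how to cross-reference the QA notice with the SUID programs actually installed. The script below is an added example, not code from any of the posters or from Portage: it pulls the affected paths out of saved build logs and, separately, checks setuid/setgid files on disk with `readelf -d`. The function names are made up for this example, and binutils `readelf` is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are made up here.

# Read build-log text on stdin; print each path named in a setXid QA notice once.
qa_notice_paths() {
    sed -n 's/^.*QA Notice: \(.*\) is setXid, dynamically linked.*$/\1/p' |
        LC_ALL=C sort -u
}

# Read `readelf -d` output on stdin; print static, now or lazy.
# "static" also covers non-ELF files, for which readelf prints no dynamic section.
classify_binding() {
    awk '
        /Dynamic section/          { dyn = 1 }
        /\(BIND_NOW\)/             { now = 1 }  # DT_BIND_NOW entry
        /\(FLAGS\)/ && /BIND_NOW/  { now = 1 }  # DF_BIND_NOW in DT_FLAGS
        /\(FLAGS_1\)/ && / NOW/    { now = 1 }  # DF_1_NOW in DT_FLAGS_1
        END {
            if (!dyn)     print "static"
            else if (now) print "now"
            else          print "lazy"
        }
    '
}

# audit_setxid DIR...: print setuid/setgid files under DIR that bind lazily.
audit_setxid() {
    command -v readelf >/dev/null 2>&1 || { echo "readelf not found" >&2; return 2; }
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        mode=$(readelf -d "$f" 2>/dev/null | classify_binding)
        if [ "$mode" = lazy ]; then printf '%s\n' "$f"; fi
    done
}

# With directory arguments, run the audit; e.g. sh audit.sh /usr/bin /usr/sbin
if [ "$#" -gt 0 ]; then audit_setxid "$@"; fi
```

The on-disk check reflects the current state of the system, while the log search only shows what was reported at build time, so a package rebuilt with `-Wl,-z,now` drops out of the first list but not the second.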