Send inn-workers mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.isc.org/mailman/listinfo/inn-workers
Today's Topics:
1. Re: Hardening flags (Julien ÉLIE)
----------------------------------------------------------------------
Message: 1
Date: Tue, 10 Nov 2020 23:54:46 +0100
From: Julien ÉLIE <[email protected]>
To: [email protected]
Subject: Re: Hardening flags
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8; format=flowed
Hi Russ,
>> It seems that adding "-fPIE -pie" in CFLAGS could be worthwhile (because
>> INN is setuid), not only for rnews.
>
> I think Debian just changes GCC to do this by default so that each
> application doesn't need to worry about it, although I'm not 100% sure. I
> know it used to be part of the hardening flags and isn't any more, but
> innd on Debian is still built PIE, so I think something makes it happen
> automatically.
>
> It's possible Fedora is now doing the same thing. I believe Ubuntu has
> been doing this for a while.
>
> (That said, I have no objections to adding the flags on platforms that
> support them. The very minor speed hit seems unlikely to affect INN in
> any significant way.)

Suggested addition in configure.ac:

dnl Add hardening flags, if supported by the compiler.
INN_PROG_CC_FLAG([-fPIE], [CFLAGS="${CFLAGS} -fPIE"
    LDFLAGS="${LDFLAGS} -fPIE -pie"], [])
INN_PROG_CC_FLAG([-fstack-protector-strong],
    [CFLAGS="${CFLAGS} -fstack-protector-strong"], [])

However, when building the test suite with -fPIE, I encounter an error:
../libtool --mode=link gcc -fPIE -pie
-L/home/iulius/work/cyrus-install/lib -o authprogs/ident.t
authprogs/ident-t.o tap/basic.o /home/iulius/work/inn/trunk/lib/libinn.la
libtool: link: gcc -fPIE -pie -o authprogs/.libs/ident.t
authprogs/ident-t.o tap/basic.o -L/home/iulius/work/cyrus-install/lib
/home/iulius/work/inn/trunk/lib/.libs/libinn.so -Wl,-rpath
-Wl,/home/iulius/work/test-inn-bdb/lib
/usr/bin/ld: authprogs/ident-t.o: relocation R_X86_64_32 against
`.rodata.str1.1' can not be used when making a shared object; recompile
with -fPIC

It seems that libtool automatically adds "--with-pic=both" to configure
flags:

--with-pic[=PKGS] try to use only PIC/non-PIC objects
[default=use both]

Adding "--with-pic=yes" to configure flags solves the build issue...
Is it the right thing to do? Forcing -fPIC with -fPIE?

> I've in general not tried to add hardening compiler flags to the INN build
> process since Debian injects them, but maybe it would be a good idea to
> import some of them (-fstack-protector-strong, -Wl,-z,relro, and
> -Wl,-z,now, for example).
To handle commas, there's the following change to add to rra-c-util:
--- m4/cc-flags.m4 (r?vision 10390)
+++ m4/cc-flags.m4 (copie de travail)
@@ -28,7 +28,7 @@
dnl Used to build the result cache name.
AC_DEFUN([_RRA_PROG_CC_FLAG_CACHE],
-[translit([rra_cv_compiler_c_$1], [-=+], [___])])
+[translit([rra_cv_compiler_c_$1], [-=+,], [____])])
dnl Check whether a given flag is supported by the compiler.
AC_DEFUN([RRA_PROG_CC_FLAG],
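Review bot: The from-set "[-=+,]" in the changed translit line still omits other characters that can appear in pass-through flags, such as "/", "." or ":" in a path or version argument, so a flag containing one would again produce a cache variable name the shell rejects; consider mapping every non-identifier character in one step (AS_TR_SH does that) instead of extending the list one character at a time. The comment "Used to build the result cache name." could also state which characters are mapped. Since the flags that need the comma are -Wl, linker options, it is also worth confirming that RRA_PROG_CC_FLAG, whose body is not visible in this hunk, performs a link rather than a compile-only test.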
Which permits adding to configure.ac:
INN_PROG_CC_FLAG([-Wl,-z,relro],
[LDFLAGS="${LDFLAGS} -Wl,-z,relro"], [])
INN_PROG_CC_FLAG([-Wl,-z,now],
[LDFLAGS="${LDFLAGS} -Wl,-z,now"], [])
libtool transforms "-Wl,-z,relro -Wl,-z,now" to "-Wl,-z -Wl,relro -Wl,-z
-Wl,now" when linking, which seems to be the same.
--
Julien ÉLIE
« Sum, ergo bibo ; bibo, ergo sum. »
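
One way to confirm on a built binary that the flags discussed in this message took effect, as an added example that is not part of the original message or of INN: it classifies PIE, RELRO and stack-protector status from readelf text. The function names, the output format and the sample excerpts are assumptions made for the illustration.

```shell
#!/bin/sh
# Summarise hardening from the text printed by:
#   readelf -W -h -l -d --dyn-syms BINARY
# Reads that text on stdin and prints one line, for example:
#   pie=yes relro=full stack_protector=yes
hardening_report() {
    awk '
        $1 == "Type:"     { dyn = ($2 == "DYN") }  # ELF header e_type
        $1 == "INTERP"    { interp = 1 }           # PT_INTERP program header
        $1 == "GNU_RELRO" { relro = 1 }            # segment emitted for -z relro
        /\((BIND_NOW|FLAGS|FLAGS_1)\)/ && /NOW/ { now = 1 }  # -z now
        /__stack_chk_fail/ { canary = 1 }          # -fstack-protector* in use
        END {
            # A shared library is also ET_DYN, so PT_INTERP is required
            # before calling it PIE (static-pie is not handled here).
            printf "pie=%s ", ((dyn && interp) ? "yes" : "no")
            printf "relro=%s ", (relro ? (now ? "full" : "partial") : "no")
            # No reference only means no function needed a canary.
            printf "stack_protector=%s\n", (canary ? "yes" : "none-seen")
        }'
}

# Constructed readelf excerpts (not captured from a real INN build).
sample_hardened() {
    cat <<'EOF'
  Type:                              DYN (Position-Independent Executable file)
  INTERP         0x000318 0x0000000000000318 0x0000000000000318 0x00001c 0x00001c R   0x1
  GNU_RELRO      0x002da0 0x0000000000003da0 0x0000000000003da0 0x000260 0x000260 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
EOF
}
sample_plain() {
    cat <<'EOF'
  Type:                              EXEC (Executable file)
  INTERP         0x0002a8 0x00000000004002a8 0x00000000004002a8 0x00001c 0x00001c R   0x1
  GNU_RELRO      0x000e10 0x0000000000403e10 0x0000000000403e10 0x0001f0 0x0001f0 R   0x1
 0x0000000000000015 (DEBUG)              0x0
EOF
}

sample_hardened | hardening_report
sample_plain | hardening_report
```

A "partial" RELRO result means the GNU_RELRO segment is present but immediate binding is not, which is the case -Wl,-z,now addresses.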
------------------------------
End of inn-workers Digest, Vol 125, Issue 4
*******************************************