On Fri, Apr 9, 2021 at 5:06 AM Laurent Bercot <ska-skaw...@skarnet.org> wrote: > > To make things perfectly clear: the modification I pushed to git also > applies to the ld invocations creating shared libraries, including > libskarnet.so. So with that change, skalibs or libutmps will not > pollute anything else. ;)
Sounds good. However I'm afraid that doesn't fix the problem for the few of us who statically link with skarnet libraries. ld -noexecstack is a blunt tool that works after the fact, like the execstack(8) tool (<https://man7.org/linux/man-pages/man8/execstack.8.html>). It's mainly intended to be used when the source code to the library, or executable, respectively, is not available. For anyone out there who may be interested in addressing the root cause of the issue, I did some more investigation and the problem lies in the Makefile's strip instructions which remove the GNU-stack section from the object files. Without the GNU-stack section the linker reverts to its backwards-compatible default which is to make the stack executable. Here is a patch to fix skalibs' Makefile for example: --- skalibs-2.10.0.2/Makefile 2020-01-27 17:20:44.000000000 +0100 +++ skalibs-2.10.0.2/Makefile.new 2021-04-09 15:03:17.811582318 +0200 @@ -70,10 +70,10 @@ strip: $(ALL_LIBS) ifneq ($(strip $(STATIC_LIBS)),) - exec $(STRIP) -x -R .note -R .comment -R .note.GNU-stack $(STATIC_LIBS) + exec $(STRIP) -x -R .note -R .comment $(STATIC_LIBS) endif ifneq ($(strip $(SHARED_LIBS)),) - exec $(STRIP) -R .note -R .comment -R .note.GNU-stack $(SHARED_LIBS) + exec $(STRIP) -R .note -R .comment $(SHARED_LIBS) endif install: install-data install-sysdeps install-dynlib install-lib install-include -- The same change needs to be applied to all skarnet Makefiles. Personally I just use strip --unneeded when I manually strip libraries and executables, statically or dynamically linked. This lets binutils figure out the details of what the (dynamic) linker actually needs, without requiring me to have any understanding of what the heck all those details are. This is also what libtool does, and although libtool is not the best tool in the world, it's pretty widely used without issues. This option may not be portable however, I don't know. Hope this helps, FWIW.