[pkg-bacula-devel] Hardening

Sven Hartge sven at svenhartge.de
Tue Nov 14 17:54:24 UTC 2017


At 18:23 on 14.11.17, Carsten Leonhardt wrote:
> Sven Hartge <sven at svenhartge.de> writes:
 
>> So for now the energy is better invested somewhere else, for example in
>> enabling hardening for all of bacula and not only bat.
 
> You probably refer to the patch "enable hardening for bat".
> 
> That's actually due to lintian that complained only about bat. The rest
> of the binaries at that time already got standard hardening "for free"
> by using debhelper compat v9 (1).

Hmm. Is my build chroot broken? Because when I compile bacula and lintian
the result, I get many lines like this (Yes, I know it is only of severity
I:nfo):

,----
| N: Processing binary package bacula-director (version 9.0.5+dfsg-4, arch amd64) ...
| I: bacula-director: hardening-no-fortify-functions usr/sbin/bacula-dir
| I: bacula-director: hardening-no-fortify-functions usr/sbin/bregex
| I: bacula-director: hardening-no-fortify-functions usr/sbin/bwild
| I: bacula-director: hardening-no-fortify-functions usr/sbin/dbcheck
| I: bacula-director: hardening-no-bindnow usr/sbin/bacula-dir
| I: bacula-director: hardening-no-bindnow usr/sbin/bregex
| I: bacula-director: hardening-no-bindnow usr/sbin/bwild
| I: bacula-director: hardening-no-bindnow usr/sbin/dbcheck
`----

Also, using hardening-check on binaries from the real Debian buildds I
get:

# hardening-check /usr/sbin/bacula-dir 
/usr/sbin/bacula-dir:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no, not found!

So relro and PIE are active, but not fortify or "-z,now".

When adding "export DEB_BUILD_MAINT_OPTIONS = hardening=+all" 
to debian/rules at least immediate binding is active.

But -- and this is very likely the *real* reason here -- I am massively
misunderstanding something here.

... (re-reading the Wiki) ...

Yes, I did, quoting https://wiki.debian.org/Hardening: "If your binary
does not make use of FORTIFY_SOURCE-protected glibc routines, it's
possible that "Fortify Source functions" will report "no", since there
were no functions used that included the glibc fortification routines."

This seems to be the case with Bacula. OK, case settled.

Concerning "immediate binding": I vaguely remember some problems with
Bacula, but I can't find the source for this "hunch" any more at the
moment. The same was IIRC true for linking with "--as-needed"; something
with the private libraries broke when doing so. (But, again, my memory may
be failing me here.)

Regards,
Sven.
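As an added example (not the hardening-check tool's own code, and nothing from the Bacula packaging), the following POSIX shell script re-implements the five checks hardening-check prints in simplified form on top of readelf output, so the logic can be exercised offline on constructed text as well as on a real binary. Function names, the list of fortifiable libc calls and the sample readelf excerpts are my assumptions; the excerpts are constructed to mirror the pattern reported above (PIE, SSP and RELRO on, no fortified imports, no BIND_NOW) rather than taken from a real bacula-dir. What the message alone does not show is the three-way fortify verdict: "no, only unprotected functions found" means fortifiable calls are present but unfortified, whereas a binary that calls none of them yields "unknown", which is the case the wiki passage describes.

```shell
#!/bin/sh
# Added example, not the hardening-check tool's code: simplified versions of
# its five checks, each taking readelf text as $1 so they run on constructed
# samples as well as on real output. Names and the libc list are assumptions.

# PIE: ELF type DYN plus a DEBUG dynamic tag (real shared libs lack DEBUG).
check_pie() {            # $1 = output of `readelf -h -d FILE`
    if printf '%s\n' "$1" | grep -q 'Type:[[:space:]]*DYN' &&
       printf '%s\n' "$1" | grep -q '(DEBUG)'; then echo yes; else echo no; fi
}

# Stack protector: the canary failure handler is imported from libc.
check_ssp() {            # $1 = output of `readelf --dyn-syms FILE`
    if printf '%s\n' "$1" | grep -q '__stack_chk_fail'; then echo yes; else echo no; fi
}

# FORTIFY_SOURCE, answered three ways as hardening-check does:
#  - some __*_chk import present            -> fortified code is in use
#  - none, but fortifiable libc calls exist -> built without fortify
#  - neither                                -> nothing to fortify; a "no"
#    here is not evidence of a missing compiler flag
FORTIFIABLE='memcpy|memmove|memset|strcpy|strncpy|strcat|strncat|sprintf|snprintf|vsprintf|vsnprintf|printf|fprintf|read|pread|recv|recvfrom|gets|fgets|getcwd|realpath|wcscpy|mbstowcs|wmemcpy'
check_fortify() {        # $1 = output of `readelf --dyn-syms FILE`
    if printf '%s\n' "$1" | grep -Eq '__[a-z0-9_]+_chk(@|[[:space:]]|$)'; then
        echo yes
    elif printf '%s\n' "$1" | grep -Eq "(^|[^a-zA-Z0-9_])($FORTIFIABLE)(@|[[:space:]]|$)"; then
        echo 'no, only unprotected functions found!'
    else
        echo 'unknown, no protectable libc functions used'
    fi
}

# RELRO: a GNU_RELRO program header lets the loader make the GOT and
# .dynamic read-only after relocation; full RELRO also needs -z now.
check_relro() {          # $1 = output of `readelf -l FILE`
    if printf '%s\n' "$1" | grep -q 'GNU_RELRO'; then echo yes; else echo no; fi
}

# Immediate binding (-z now): a BIND_NOW tag, or the NOW bit in FLAGS/FLAGS_1.
check_bindnow() {        # $1 = output of `readelf -d FILE`
    if printf '%s\n' "$1" | grep -Eq '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then
        echo yes
    else
        echo 'no, not found!'
    fi
}

# Wrapper for a real binary (needs binutils' readelf on the PATH).
hardening_report() {     # $1 = path to an ELF file
    hd=$(readelf -h -d "$1"); syms=$(readelf --dyn-syms "$1"); ph=$(readelf -l "$1")
    printf '%s:\n Position Independent Executable: %s\n Stack protected: %s\n' \
        "$1" "$(check_pie "$hd")" "$(check_ssp "$syms")"
    printf ' Fortify Source functions: %s\n Read-only relocations: %s\n Immediate binding: %s\n' \
        "$(check_fortify "$syms")" "$(check_relro "$ph")" "$(check_bindnow "$hd")"
}

# Constructed readelf excerpts (not from a real bacula-dir): PIE, SSP and
# RELRO on, memcpy/strcpy called without any __*_chk import, no BIND_NOW.
SAMPLE_HD='ELF Header:
  Type:                              DYN (Shared object file)
Dynamic section at offset 0x1d8 contains 30 entries:
 0x0000000000000015 (DEBUG)              0x0
 0x000000000000001e (FLAGS)              0x0
 0x000000006ffffffb (FLAGS_1)            Flags: PIE'
SAMPLE_SYMS='     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.2.5 (3)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (4)'
SAMPLE_PH='Program Headers:
  GNU_RELRO      0x0000000000003d98 0x0000000000004d98 0x0000000000004d98'
# The same dynamic section after a rebuild with hardening=+all (-z now).
SAMPLE_HD_NOW="$SAMPLE_HD
 0x0000000000000018 (BIND_NOW)"

echo "PIE: $(check_pie "$SAMPLE_HD"); SSP: $(check_ssp "$SAMPLE_SYMS")"
echo "Fortify: $(check_fortify "$SAMPLE_SYMS"); RELRO: $(check_relro "$SAMPLE_PH")"
echo "BIND_NOW before: $(check_bindnow "$SAMPLE_HD"); after +all: $(check_bindnow "$SAMPLE_HD_NOW")"
```

To run it against a package's binaries, source the script and call hardening_report on each file, e.g. on the bacula-dir, bregex, bwild and dbcheck paths lintian listed; a "no, only unprotected functions found" verdict points at missing -D_FORTIFY_SOURCE=2 (or code built at -O0), while "unknown" means the binary gives the check nothing to judge.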
