[Pkg-giraffe-discuss] preparations for kopanocore 8.3.x (or 8.4.x)
Guido Günther
agx at sigxcpu.org
Mon Jul 24 06:49:30 UTC 2017
Hi,
On Sun, Jul 23, 2017 at 12:16:24PM +0200, Carsten Schoenert wrote:
[..snip..]
> > I: kopano-archiver: hardening-no-fortify-functions usr/sbin/kopano-archiver
> > I: kopano-dagent: hardening-no-fortify-functions usr/sbin/kopano-dagent
> > I: kopano-monitor: hardening-no-fortify-functions usr/sbin/kopano-monitor
> > I: kopano-spooler: hardening-no-fortify-functions usr/sbin/kopano-spooler
> > I: php-mapi: hardening-no-fortify-functions usr/lib/php/20151012/mapi.so
> > I: kopano-ical: hardening-no-fortify-functions usr/sbin/kopano-ical
> > I: kopano-libs: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/kopano/libkcclient.so
> > I: kopano-libs: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/libkcarchiver.so.0.0.0
> > I: kopano-libs: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/libkcarchivercore.so.0.0.0
> > I: kopano-libs: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/libkcfreebusy.so.0.0.0
> > I: kopano-libs: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/libkchl.so.0.0.0
> > I: kopano-libs: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/libkcicalmapi.so.0.0.0
> > I: kopano-libs: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/libkcmapi.so.0.0.0
> > I: kopano-libs: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/libkcserver.so.0.0.0
> > I: kopano-libs: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/libkcsoap.so.0.0.0
> > I: kopano-libs: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/libkcssl.so.0.0.0
> > I: kopano-libs: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/libmapi.so.1.0.0
> > W: kopano-libs: package-name-doesnt-match-sonames libkcarchiver0 libkcarchivercore0 libkcfreebusy0 libkchl0 libkcicalmapi0 libkcinetmapi0 libkcmapi0 libkcpyconv0 libkcpydirector0 libkcserver0 libkcsoap0 libkcssl0 libkcsync0 libkcutil0 libmapi1
> > X: kopano-libs: shlib-calls-exit usr/lib/x86_64-linux-gnu/libkcserver.so.0.0.0
> > X: kopano-libs: shlib-calls-exit usr/lib/x86_64-linux-gnu/libkcssl.so.0.0.0
> > I: kopano-contacts: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/kopano/libkccontacts.so
> > I: kopano-utils: hardening-no-fortify-functions usr/bin/kopano-fsck
> > I: kopano-utils: hardening-no-fortify-functions usr/bin/kopano-passwd
> > I: kopano-utils: hardening-no-fortify-functions usr/bin/kopano-stats
> > I: kopano-utils: hardening-no-fortify-functions usr/sbin/kopano-admin
> > W: kopano-utils: binary-without-manpage usr/sbin/kopano-cachestat
> > W: kopano-utils: binary-without-manpage usr/bin/kopano-migration-imap
> > I: kopano-server: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/kopano/ldapplugin.so
> > I: kopano-gateway: hardening-no-fortify-functions usr/sbin/kopano-gateway
I thought lets fix these but they're caused by:
common/include/kopano/platform.h
#ifdef _FORTIFY_SOURCE
#undef _FORTIFY_SOURCE
#endif
the included reasoning makes me wonder if redefining __FD_SETSIZE is
such a good idea:
https://sourceware.org/ml/libc-alpha/2013-03/msg00556.html
The select manpage (and a look at e.g. ./x86_64-linux-gnu/sys/select.h)
confirms this:
POSIX allows an implementation to define an upper limit, advertised
via the constant FD_SETSIZE, on the range of file descriptors that
can be specified in a file descriptor set. The Linux kernel imposes
no fixed limit, but the glibc implementation makes fd_set a
fixed-size type, with FD_SETSIZE defined as 1024, and the FD_*()
macros operating according to that limit. To monitor file
descriptors greater than 1023, use poll(2) instead.
I'm inclinde to drop the madness and not redefine __FD_SETSIZE and
therefore have hardening for a network facing service.
Patch attached. Marc, can you discuss this to upstream kopano as well?
At least the automated tests I run passed.
Cheers,
-- Guido
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Don-t-redefine-__FD_SETSIZE.patch
Type: text/x-diff
Size: 1763 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-giraffe-discuss/attachments/20170724/cb421171/attachment.patch>
More information about the Pkg-giraffe-discuss
mailing list