[debian-mysql] MySQL "hardening?"
Otto Kekäläinen
otto at seravo.fi
Fri Apr 3 19:47:10 UTC 2015
2015-04-03 21:03 GMT+03:00 Otto Kekäläinen <otto at seravo.fi>:
> Hello Ralf!
>
> 2015-04-02 17:53 GMT+03:00 Ralf G. R. Bergs <Ralf+Debian at bergs.biz>:
>> Hi guys.
>>
>> Is there any (documented?) security hardening you're applying to the
>> standard (upstream) distribution of MySQL when it's "Debianized?"
..
> I am though not sure that we are using the most optimal hardening
> flags. I am also not aware of any tools that can be used on binaries
> to test if they really are hardened (e.g. random memory positions) or
> not, because I suspect that some of the compiler hardening flags might
> not even have an effect at the moment.
Turns out there is a tool for this:
MySQL 5.5 in Debian unstable (5.5.42-1):
$ hardening-check /usr/bin/mysql
/usr/bin/mysql:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
$ hardening-check ./mysql-server-core-5.6_5.6.23-1~exp1~ubuntu5_amd64/usr/sbin/mysqld
./mysql-server-core-5.6_5.6.23-1~exp1~ubuntu5_amd64/usr/sbin/mysqld:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
$ hardening-check ./mariadb-server-core-10.0_10.0.16-2~exp1~ubuntu1_amd64/usr/sbin/mysqld
./mariadb-server-core-10.0_10.0.16-2~exp1~ubuntu1_amd64/usr/sbin/mysqld:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
I suspect that the hardening-wrapper -> dpkg-buildflags has not been
completed correctly. I'll do some testing.
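For anyone wondering what hardening-check actually reads out of the binary for three of those five lines, here is a small added example (my own code, not from this thread, from hardening-check itself or from the MySQL/MariaDB packaging): it parses the ELF64 headers directly and reports PIE (e_type == ET_DYN), read-only relocations (a PT_GNU_RELRO segment) and immediate binding (DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW in .dynamic). The stack-protector and fortify checks are symbol-table based and are not covered; build_sample_elf is a helper of mine that constructs a header-only sample image so the script runs without a real mysqld.

```python
import struct
import sys

# ELF constants used by the checks (values from the ELF / glibc headers)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_hardening(elf):
    """Report PIE / RELRO / immediate-binding status of a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", elf, 16)
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    relro, dyn_off, dyn_size = False, 0, 0
    for i in range(e_phnum):  # walk the program headers
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True  # GOT pages are remapped read-only after relocation
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
    bind_now = False
    for off in range(dyn_off, dyn_off + dyn_size, 16):  # walk the .dynamic entries
        d_tag, d_val = struct.unpack_from("<qQ", elf, off)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) \
                or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
            bind_now = True  # linked with -z now: every symbol resolved at load time
    return {"pie": e_type == ET_DYN, "relro": relro, "bind_now": bind_now,
            "full_relro": relro and bind_now}


def build_sample_elf(pie, relro, bind_now):
    """Constructed sample: a header-only ELF64 image (not loadable) with the chosen properties."""
    dyn = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + struct.pack("<qQ", DT_NULL, 0)
    n_ph = 2 if relro else 1
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 64 + 56 * n_ph, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, version 1
    hdr = struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, n_ph, 64, 0, 0)
    return ident + hdr + phdrs + dyn


if __name__ == "__main__":
    # Pass a binary path to inspect it; without one, the mariadb case above (no PIE, RELRO, no BIND_NOW) is shown.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(False, True, False)
    for name, ok in check_hardening(data).items():
        print(f"{name}: {'yes' if ok else 'no'}")
```

Run it as `python3 check_elf.py /usr/sbin/mysqld` to compare its three answers with the hardening-check lines for the same binary.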