Bug#656656: Please enabled hardened build flags
Russ Allbery
rra at debian.org
Fri Jan 27 18:00:53 UTC 2012
Russ Allbery <rra at debian.org> writes:
> "Cantor, Scott" <cantor.2 at osu.edu> writes:
>> Not that it's necessarily likely here, but with the --silent flag on to
>> limit noise, you actually can't tell what the actual compiler command
>> is. There are libtool bugs, usually on Solaris one finds, that break
>> the use of some flags. I guess it's possible something like that could
>> be happening.
> True. Okay, let me go do a manual build where I can remove --silent and
> be sure that things are actually being passed down to the compiler.
Without --silent, libtool definitely claims to be sending that flag:
/bin/bash ../libtool --tag=CXX --mode=compile g++ -DHAVE_CONFIG_H -I. -I.. -pthread -g -Wall -O2 -O2 -DNDEBUG -D_FORTIFY_SOURCE=2 -pthread -Wall -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -O2 -DNDEBUG -c -o AbstractComplexElement.lo AbstractComplexElement.cpp
libtool: compile: g++ -DHAVE_CONFIG_H -I. -I.. -pthread -g -Wall -O2 -O2 -DNDEBUG -D_FORTIFY_SOURCE=2 -pthread -Wall -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -O2 -DNDEBUG -c AbstractComplexElement.cpp -fPIC -DPIC -o .libs/AbstractComplexElement.o
and I suspended the build in the middle of compiling a source file, and
that flag is there in the process arguments:
eagle 9987 0.0 0.0 2088 512 pts/10 T 09:54 0:00 g++ -DHAVE_CONFIG_H -I. -I.. -pthread -g -Wall -O2 -O2 -DNDEBUG -D_FORTIFY_SOURCE=2 -pthread -Wall -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -O2 -DNDEBUG -c AbstractComplexElement.cpp -fPIC -DPIC -o .libs/AbstractComplexElement.o
but hardening-check returns the same result:
windlord:~/dvl/debian/xmltooling> hardening-check xmltooling/.libs/libxmltooling.so
xmltooling/.libs/libxmltooling.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: yes
Fortify Source functions: no, no protected functions found!
Read-only relocations: yes
Immediate binding: no not found!
so if there's a failure here, it seems to be somewhere inside g++, or a
need to include more than just -D_FORTIFY_SOURCE=2 to enable this.
(Moritz, do you know if bindnow is safe for shared libraries? I know pie
isn't, since it conflicts with PIC, but I've only been omitting bindnow
because I wasn't sure. I'm not concerned with the possible performance
issues; startup cost isn't significant for the known users of these
libraries.)
--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>