Odd issue with pod2man when building on Fedora build server
Julien ÉLIE
julien at trigofacile.com
Sun Oct 5 17:53:44 UTC 2014
Hi Russ,
>>> I suspect this is because INN is setuid. However, I don't think
>>> there's any reason not to build all of INN with -fPIE -pie if that's
>>> what you want (and likewise with other hardening flags), so I would
>>> just put that into CFLAGS during configure time.
>
>> Isn't there a risk that building with '-fPIE -pie' introduces
>> instability at runtime? I read at
>> <https://fedoraproject.org/wiki/User:Kevin/DRAFT_When_to_use_PIE_compiler_flags>
>> that some code does not function properly when PIE is used. Probably
>> code that is position-dependent, but how can we be sure that no part of
>> INN uses that?
>
> My experience is that you'll know if this happens, since the binary will
> exit immediately with a bus error when run. I build all my packages for
> Debian with PIE by default now, and have only run into one package (GNU
> Backgammon) that didn't work, and I suspect that's because it has some
> assembly for speeding up some parts of the game engine. If you're writing
> straight C and not doing anything exciting, PIE really should work.

Looking at adding PIE to INN, I see:
http://mainisusuallyafunction.blogspot.fr/2012/05/automatic-binary-hardening-with.html
mentioning that PIE can lead to drastic slowdown. It could therefore be
problematic for news admins that care a lot about peering fast...

A few projects have added an --enable-gcc-hardening flag to use specific
hardening flags when building and linking.
Should we do the same for INN, for instance with a --with-hardening
configure flag?

Then we would enable it by default if gcc (or any compiler that makes
autoconf set $GCC to "yes") is used, and set relevant hardening flags.
If one does not want to use hardening, he would add the
--without-hardening flag to configure. Useful for instance to
deactivate that when building with clang; it sets $GCC to "yes" but does
not recognize all the flags (like -pie).

Does it sound like the right thing to do to harden INN?

--
Julien ÉLIE
« The Internet will always remain a toy for academics. »
(1991)
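
Added example (not part of the original message, and not INN's configure code): a sketch of the --with-hardening default described above, in the shell a configure script runs. Instead of trusting $GCC alone, it probes each flag against the compiler. The probing step, the function names and the candidate list beyond -fPIE -pie are assumptions of this example.

```shell
#!/bin/sh
# Added example, not INN's configure code.
# The candidate list is this example's assumption; the message names only
# -fPIE -pie.
HARDENING_CANDIDATES='-fPIE -pie -fstack-protector-strong -Wl,-z,relro -Wl,-z,now'

# probe_hardening_flags CC FLAG...
# Prints the subset of FLAGs that CC accepts when compiling and linking a
# trivial program. Flags are tested cumulatively, so -pie is tried with -fPIE.
probe_hardening_flags() {
    probe_cc=$1; shift
    probe_dir=$(mktemp -d) || return 1
    printf 'int main(void) { return 0; }\n' > "$probe_dir/conftest.c"
    accepted=
    for flag in "$@"; do
        # -Werror: a compiler that only warns about a flag still fails the probe.
        if "$probe_cc" -Werror $accepted $flag \
               -o "$probe_dir/conftest" "$probe_dir/conftest.c" >/dev/null 2>&1
        then
            accepted="${accepted:+$accepted }$flag"
        fi
    done
    rm -rf "$probe_dir"
    printf '%s\n' "$accepted"
}

# hardening_flags WITH_HARDENING GCC CC
# WITH_HARDENING is "yes", "no" or empty (option not given). Empty falls back
# to GCC, i.e. hardening is on by default when autoconf set $GCC to "yes".
hardening_flags() {
    case ${1:-$2} in
        yes) probe_hardening_flags "$3" $HARDENING_CANDIDATES ;;
        *)   printf '\n' ;;
    esac
}

# Default configure run with the system compiler (assumed to be "cc").
hardening_flags "" yes "${CC:-cc}"
```

The printed list is what would be appended to CFLAGS and LDFLAGS; an empty line means hardening was disabled or no candidate flag was accepted.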