Hardening flags
Julien ÉLIE
julien at trigofacile.com
Tue Dec 1 21:38:17 UTC 2020

Hi Russ,

>> I'm also wondering whether a --with-pie configure option wouldn't be
>> useful to have. It would be on by default, and would permit to easily
>> disable a PIE build when needed (for instance in architectures that do
>> not support it correctly).
>
> I have no objections, but we could also wait to see if anyone cares and
> save the maintenance effort if no one asks for it.

:-)

With libperl.a built without -fPIC, linking with -pie fails for innd:

../libtool --mode=link /home/iulius/autobuild/bin/gcc-10.2.0/bin/gcc
-pie -Wl,-z,relro -Wl,-z,now -o innd art.o cc.o chan.o icd.o innd.o
keywords.o lc.o nc.o newsfeeds.o ng.o perl.o proc.o python.o rc.o site.o
status.o util.o wip.o
/home/iulius/autobuild/inn-CURRENT-20201201/storage/libstorage.la
/home/iulius/autobuild/inn-CURRENT-20201201/history/libinnhist.la
/home/iulius/autobuild/inn-CURRENT-20201201/lib/libinn.la -lz
/home/iulius/autobuild/inn-CURRENT-20201201/lib/perl.o -Wl,-E
-fstack-protector-strong -L/usr/local/lib
-L/home/iulius/autobuild/bin/perl-5.32.0/lib/5.32.0/x86_64-linux/CORE
-lperl -lpthread -lnsl -ldl -lm -lcrypt -lutil
libtool: link: /home/iulius/autobuild/bin/gcc-10.2.0/bin/gcc -pie -Wl,-z
-Wl,relro -Wl,-z -Wl,now -o .libs/innd art.o cc.o chan.o icd.o innd.o
keywords.o lc.o nc.o newsfeeds.o ng.o perl.o proc.o python.o rc.o site.o
status.o util.o wip.o
/home/iulius/autobuild/inn-CURRENT-20201201/lib/perl.o -Wl,-E
-fstack-protector-strong
/home/iulius/autobuild/inn-CURRENT-20201201/storage/.libs/libstorage.so
/home/iulius/autobuild/inn-CURRENT-20201201/history/.libs/libinnhist.so
/home/iulius/autobuild/inn-CURRENT-20201201/lib/.libs/libinn.so -lz
-L/usr/local/lib
-L/home/iulius/autobuild/bin/perl-5.32.0/lib/5.32.0/x86_64-linux/CORE
-lperl -lpthread -lnsl -ldl -lm -lcrypt -lutil -Wl,-rpath
-Wl,/usr/local/news/lib
/usr/bin/ld:
/home/iulius/autobuild/bin/perl-5.32.0/lib/5.32.0/x86_64-linux/CORE/libperl.a(op.o):
relocation R_X86_64_32S against `.rodata' can not be used when making a
shared object; recompile with -fPIC

It means that Perl should at least be built with the following flags:

    ./Configure -des -Accflags=-fPIC

otherwise, building INN with Perl support fails if PIE is enabled...

Same thing for the default build of libpython, but not for others like
libkrb5 or libdb that seem to include -fPIC in their default build options.

Should we care for that?
Notably when the error message asks to recompile Perl with -fPIC whereas
passing --disable-hardening-flags at configure time to INN would do the job.

--
Julien ÉLIE
"Drinking coffee keeps you from sleeping. On the other hand, sleeping
keeps you from drinking coffee." (Philippe Geluck)
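
Added example, not part of the original message and not INN's own code: a shell check that reports which members of a static archive carry the kind of relocation ld rejected above, so a non-PIC libperl.a can be spotted before linking with -pie. The function names and the sample readelf output are constructed for illustration, and the check covers x86-64 only.

```shell
#!/bin/sh
# Added example: list archive members that cannot be linked into a PIE.
# Input: output of `readelf -r -W libfoo.a` on stdin (x86-64 ELF).

non_pic_members() {
    awk '
        BEGIN { member = "(single object)" }
        # readelf prints "File: archive(member)" before each archive member.
        /^File: / { member = $2; next }
        # The section name sits between single quotes (octal 047).
        /^Relocation section / { split($0, q, "\047"); section = q[2]; next }
        # DWARF sections are never loaded; absolute relocations there are
        # normal even in -fPIC objects, so they must not be counted.
        section ~ /^\.rela\.debug/ { next }
        # Absolute 32-bit relocations in loaded sections: ld refuses these
        # for -pie and -shared ("recompile with -fPIC").
        $3 == "R_X86_64_32" || $3 == "R_X86_64_32S" {
            if (!(member in seen)) { seen[member] = 1; print member }
        }
    '
}

# Constructed sample of readelf output (not taken from a real libperl.a).
sample_readelf_output() {
    cat <<'EOF'

File: libperl.a(op.o)

Relocation section '.rela.text' at offset 0x5a8 contains 2 entries:
    Offset             Info             Type               Symbol's Value  Symbol's Name + Addend
0000000000000012  000000050000000b R_X86_64_32S           0000000000000000 .rodata + 0
000000000000001c  0000000a00000004 R_X86_64_PLT32         0000000000000000 Perl_croak - 4

File: libperl.a(util.o)

Relocation section '.rela.text' at offset 0x410 contains 1 entry:
0000000000000007  0000000300000002 R_X86_64_PC32          0000000000000000 .rodata - 4

Relocation section '.rela.debug_info' at offset 0x9c0 contains 1 entry:
0000000000000006  000000040000000a R_X86_64_32            0000000000000000 .debug_abbrev + 0
EOF
}

# Stand-alone use: pass the archive path as the first argument.
if [ $# -gt 0 ]; then
    readelf -r -W "$1" | non_pic_members
fi
```

An empty result means no member blocks a -pie link on this criterion; any listed member needs the library rebuilt with -fPIC, or INN configured with --disable-hardening-flags as mentioned above.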