Hardening flags

Julien ÉLIE julien at trigofacile.com
Tue Dec 1 21:38:17 UTC 2020 

Hi Russ,

>> I'm also wondering whether a --with-pie configure option wouldn't be
>> useful to have.  It would be on by default, and would permit to easily
>> disable a PIE build when needed (for instance in architectures that do
>> not support it correctly).
> 
> I have no objections, but we could also wait to see if anyone cares and
> save the maintenance effort if no one asks for it.

:-)

With libperl.a built without -fPIC, linking with -pie fails for innd:

../libtool --mode=link /home/iulius/autobuild/bin/gcc-10.2.0/bin/gcc 
-pie -Wl,-z,relro -Wl,-z,now -o innd art.o cc.o chan.o icd.o innd.o 
keywords.o lc.o nc.o newsfeeds.o ng.o perl.o proc.o python.o rc.o site.o 
status.o util.o wip.o 
/home/iulius/autobuild/inn-CURRENT-20201201/storage/libstorage.la 
/home/iulius/autobuild/inn-CURRENT-20201201/history/libinnhist.la 
/home/iulius/autobuild/inn-CURRENT-20201201/lib/libinn.la  -lz 
/home/iulius/autobuild/inn-CURRENT-20201201/lib/perl.o -Wl,-E 
-fstack-protector-strong -L/usr/local/lib 
-L/home/iulius/autobuild/bin/perl-5.32.0/lib/5.32.0/x86_64-linux/CORE 
-lperl -lpthread -lnsl -ldl -lm -lcrypt -lutil

libtool: link: /home/iulius/autobuild/bin/gcc-10.2.0/bin/gcc -pie -Wl,-z 
-Wl,relro -Wl,-z -Wl,now -o .libs/innd art.o cc.o chan.o icd.o innd.o 
keywords.o lc.o nc.o newsfeeds.o ng.o perl.o proc.o python.o rc.o site.o 
status.o util.o wip.o 
/home/iulius/autobuild/inn-CURRENT-20201201/lib/perl.o -Wl,-E 
-fstack-protector-strong 
/home/iulius/autobuild/inn-CURRENT-20201201/storage/.libs/libstorage.so 
/home/iulius/autobuild/inn-CURRENT-20201201/history/.libs/libinnhist.so 
/home/iulius/autobuild/inn-CURRENT-20201201/lib/.libs/libinn.so -lz 
-L/usr/local/lib 
-L/home/iulius/autobuild/bin/perl-5.32.0/lib/5.32.0/x86_64-linux/CORE 
-lperl -lpthread -lnsl -ldl -lm -lcrypt -lutil -Wl,-rpath 
-Wl,/usr/local/news/lib

/usr/bin/ld: 
/home/iulius/autobuild/bin/perl-5.32.0/lib/5.32.0/x86_64-linux/CORE/libperl.a(op.o): 
relocation R_X86_64_32S against `.rodata' can not be used when making a 
shared object; recompile with -fPIC



It means that Perl should at least be built with the following flags:
   ./Configure -des -Accflags=-fPIC
otherwise, building INN with Perl support fails if PIE is enabled...
Same thing for the default build of libpython, but not for others like 
libkrb5 or libdb that seem to include -fPIC in their default build options.

Should we care for that?
Notably when the error message asks to recompile Perl with -fPIC whereas 
passing --disable-hardening-flags at configure time to INN would do the job.

-- 
Julien ÉLIE

« Boire du café empêche de dormir. Par contre, dormir empêche de boire
   du café. » (Philippe Geluck)

More information about the inn-workers mailing list