On 12-03-20 08:30 AM, Alberto Gonzalez Iniesta wrote: > On Mon, Mar 19, 2012 at 05:00:46PM -0400, Simon Deziel wrote: >> I just installed a fresh VM to test this and hardening-check still shows >> the same (bad) output : >> >> # dpkg -l| grep openvpn >> ii openvpn 2.2.1-7 virtual >> private network daemon > >> Am I doing something wrong ? > > Dunno. But the output is NOT the same: > # dpkg -i openvpn_2.2.1-5_i386.deb > # hardening-check /usr/sbin/openvpn /usr/lib/openvpn/openvpn-down-root.so > /usr/lib/openvpn/openvpn-auth-pam.so | grep yes > /usr/sbin/openvpn: > > > Position Independent Executable: no, normal executable! > > > Stack protected: yes > > > Fortify Source functions: yes (some protected functions found) > > > Read-only relocations: yes > > > Immediate binding: no not found! > > > /usr/lib/openvpn/openvpn-down-root.so: > > > Position Independent Executable: no, regular shared library (ignored) > > > Stack protected: no, not found! > > > Fortify Source functions: no, only unprotected functions found! > > > Read-only relocations: no, not found! > > > Immediate binding: no not found! > > > /usr/lib/openvpn/openvpn-auth-pam.so: > > > Position Independent Executable: no, regular shared library (ignored) > > > Stack protected: no, not found! > > > Fortify Source functions: no, only unprotected functions found! > > > Read-only relocations: no, not found! > > > Immediate binding: no not found! > # > > # dpkg -i openvpn_2.2.1-7_i386.deb > # hardening-check /usr/sbin/openvpn /usr/lib/openvpn/openvpn-down-root.so > /usr/lib/openvpn/openvpn-auth-pam.so | grep yes > /usr/sbin/openvpn: > > > Position Independent Executable: no, normal executable! > > > Stack protected: yes > > > Fortify Source functions: yes (some protected functions found) > > > Read-only relocations: yes > > > Immediate binding: no not found! > > > /usr/lib/openvpn/openvpn-down-root.so: > > > Position Independent Executable: no, regular shared library (ignored) > > > Stack protected: no, not found! > > > Fortify Source functions: yes (some protected functions found) > > > Read-only relocations: yes > > > Immediate binding: no not found! > > > /usr/lib/openvpn/openvpn-auth-pam.so: > > > Position Independent Executable: no, regular shared library (ignored) > > > Stack protected: yes > > > Fortify Source functions: yes (some protected functions found) > > > Read-only relocations: yes > > > Immediate binding: no not found! > # > > The difference is clear. Plugins get "Fortify Source functions:" and > "Read-only relocations:". Only openvpn-auth-pam.so gets "Stack > protected", but I'm not an expert on this issue so I don't know the > reason for that.
Right, I indeed missed the improvement for openvpn-auth-pam.so. As you pointed out, openvpn-down-root.so still has an executable stack. What concerns me more is that the network facing daemon is not compiled with "PIE" and "BINDNOW" as suggested in https://wiki.debian.org/Hardening#dpkg-buildflags : "When building programs that handle untrusted data (parsers, network listeners, etc.), or run with elevated privileges (PAM, X, etc.), please enable "PIE" and "BINDNOW" in the build. The "all" option enables "PIE" and "BINDNOW" and future hardening flags: " export DEB_BUILD_MAINT_OPTIONS = hardening=+all I am also far from an expert on this but I would appreciate if someone could elaborate/explain why PIE and BINDNOW were not enabled ? Moritz Muehlenhoff, if you could shed some light on this that would be greatly appreciated. Regards, Simon -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
