On Tue, Mar 20, 2012 at 10:19:51AM -0400, Simon Deziel wrote:
> On 12-03-20 08:30 AM, Alberto Gonzalez Iniesta wrote:
> > On Mon, Mar 19, 2012 at 05:00:46PM -0400, Simon Deziel wrote:
> >> I just installed a fresh VM to test this and hardening-check still shows
> >> the same (bad) output :
> >>
> >> # dpkg -l| grep openvpn
> >> ii openvpn 2.2.1-7 virtual private network daemon
> >>
> >> Am I doing something wrong ?
> >
> > Dunno. But the output is NOT the same:
> > # dpkg -i openvpn_2.2.1-5_i386.deb
> > # hardening-check /usr/sbin/openvpn /usr/lib/openvpn/openvpn-down-root.so /usr/lib/openvpn/openvpn-auth-pam.so | grep yes
> > /usr/sbin/openvpn:
> >  Position Independent Executable: no, normal executable!
> >  Stack protected: yes
> >  Fortify Source functions: yes (some protected functions found)
> >  Read-only relocations: yes
> >  Immediate binding: no not found!
> > /usr/lib/openvpn/openvpn-down-root.so:
> >  Position Independent Executable: no, regular shared library (ignored)
> >  Stack protected: no, not found!
> >  Fortify Source functions: no, only unprotected functions found!
> >  Immediate binding: no not found!
> > #
> >
> > The difference is clear. Plugins get "Fortify Source functions:" and
> > "Read-only relocations:". Only openvpn-auth-pam.so gets "Stack
> > protected", but I'm not an expert on this issue so I don't know the
> > reason for that.
>
> Right, I indeed missed the improvement for openvpn-auth-pam.so. As you
> pointed out, openvpn-down-root.so still has an executable stack.
>
> What concerns me more is that the network facing daemon is not compiled
> with "PIE" and "BINDNOW" as suggested in
> https://wiki.debian.org/Hardening#dpkg-buildflags :
>
> "When building programs that handle untrusted data (parsers, network
> listeners, etc.), or run with elevated privileges (PAM, X, etc.), please
> enable "PIE" and "BINDNOW" in the build. The "all" option enables "PIE"
> and "BINDNOW" and future hardening flags:"
>
> export DEB_BUILD_MAINT_OPTIONS = hardening=+all
>
> I am also far from an expert on this but I would appreciate if someone
> could elaborate/explain why PIE and BINDNOW were not enabled ?
>
> Moritz Muehlenhoff, if you could shed some light on this that would be
> greatly appreciated.
PIE doesn't work for all packages and causes build failures. If
"hardening=+all" works for openvpn it's recommended to enable it.

Cheers,
Moritz

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
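The properties the thread argues about (PIE, "Immediate binding"/BIND_NOW, "Read-only relocations"/RELRO and the executable stack of the plugin) are all visible in the ELF program and dynamic headers. The following is an added example, not code from the thread or from Debian's hardening-check: it reads those headers directly from a little-endian ELF64 image (an assumption; 32-bit and big-endian files are rejected) and, so that it runs offline, builds a constructed, non-loadable sample image instead of reading a real binary. Stack canaries ("Stack protected") need a symbol-table lookup and are not covered here.

```python
import struct

# ELF constants from the System V and GNU ABI specifications
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP, PT_GNU_STACK, PT_GNU_RELRO, PF_X = 2, 3, 0x6474E551, 0x6474E552, 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 8, 1
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"  # 64-, 56- and 16-byte records

def hardening_report(data):
    """Report PIE, RELRO, BIND_NOW and executable-stack status of an ELF64 LE image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_type, phoff, phentsize, phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [struct.unpack_from(PHDR, data, phoff + i * phentsize) for i in range(phnum)]
    seg = {p[0]: p for p in phdrs}  # index program headers by segment type
    # PIE: an ET_DYN object that still has an interpreter; a plain shared library is
    # ET_DYN without PT_INTERP, which hardening-check reports as "ignored"
    pie = e_type == ET_DYN and PT_INTERP in seg
    # A missing PT_GNU_STACK makes the kernel fall back to an executable stack
    stack = seg.get(PT_GNU_STACK)
    exec_stack = stack is None or bool(stack[1] & PF_X)
    bind_now = False
    if PT_DYNAMIC in seg:  # walk the dynamic section for the immediate-binding flags
        off, size = seg[PT_DYNAMIC][2], seg[PT_DYNAMIC][5]
        for i in range(size // 16):
            tag, val = struct.unpack_from(DYN, data, off + i * 16)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    return {"pie": pie, "relro": PT_GNU_RELRO in seg, "bind_now": bind_now, "exec_stack": exec_stack}

def build_sample_elf(pie=True, bind_now=True, exec_stack=False, relro=True):
    """Constructed, non-loadable ELF64 image holding only the headers the checker reads."""
    dyn = struct.pack(DYN, DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack(DYN, DT_NULL, 0)
    phdrs = [(PT_INTERP, 4, 0, 0, 0, 0, 0, 1),
             (PT_GNU_STACK, 6 | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    dyn_off = 64 + 56 * (len(phdrs) + 1)  # dynamic entries follow the header table
    phdrs.append((PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8))
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)  # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = struct.pack(EHDR, ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR, *p) for p in phdrs) + dyn
```

To inspect an installed file, pass its bytes instead of the sample, e.g. `hardening_report(open("/usr/sbin/openvpn", "rb").read())`; for the daemon in the thread the expected findings are `pie` and `bind_now` both False.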