On 12-03-21 03:03 PM, Moritz Mühlenhoff wrote:
> On Tue, Mar 20, 2012 at 10:19:51AM -0400, Simon Deziel wrote:
>> On 12-03-20 08:30 AM, Alberto Gonzalez Iniesta wrote:
>>> On Mon, Mar 19, 2012 at 05:00:46PM -0400, Simon Deziel wrote:
>>>> I just installed a fresh VM to test this and hardening-check still shows
>>>> the same (bad) output:
>>>>
>>>> # dpkg -l | grep openvpn
>>>> ii  openvpn  2.2.1-7  virtual private network daemon
>>>>
>>>> Am I doing something wrong?
>>>
>>> Dunno. But the output is NOT the same:
>>> # dpkg -i openvpn_2.2.1-5_i386.deb
>>> # hardening-check /usr/sbin/openvpn /usr/lib/openvpn/openvpn-down-root.so
>>> /usr/lib/openvpn/openvpn-auth-pam.so | grep yes
>>> /usr/sbin/openvpn:
>>>  Position Independent Executable: no, normal executable!
>>>  Stack protected: yes
>>>  Fortify Source functions: yes (some protected functions found)
>>>  Read-only relocations: yes
>>>  Immediate binding: no not found!
>>> /usr/lib/openvpn/openvpn-down-root.so:
>>>  Position Independent Executable: no, regular shared library (ignored)
>>>  Stack protected: no, not found!
>>>  Fortify Source functions: no, only unprotected functions found!
>>>  Immediate binding: no not found!
>>> #
>>>
>>> The difference is clear. Plugins get "Fortify Source functions:" and
>>> "Read-only relocations:". Only openvpn-auth-pam.so gets "Stack
>>> protected", but I'm not an expert on this issue so I don't know the
>>> reason for that.
>>
>> Right, I indeed missed the improvement for openvpn-auth-pam.so. As you
>> pointed out, openvpn-down-root.so still has an executable stack.
>>
>> What concerns me more is that the network-facing daemon is not compiled
>> with "PIE" and "BINDNOW" as suggested in
>> https://wiki.debian.org/Hardening#dpkg-buildflags :
>>
>> "When building programs that handle untrusted data (parsers, network
>> listeners, etc.), or run with elevated privileges (PAM, X, etc.), please
>> enable "PIE" and "BINDNOW" in the build. The "all" option enables "PIE"
>> and "BINDNOW" and future hardening flags:"
>>
>> export DEB_BUILD_MAINT_OPTIONS = hardening=+all
>>
>> I am also far from an expert on this but I would appreciate it if someone
>> could elaborate on/explain why PIE and BINDNOW were not enabled.
>>
>> Moritz Muehlenhoff, if you could shed some light on this that would be
>> greatly appreciated.
>
> PIE doesn't work for all packages and causes build failures. If
> "hardening=+all" works for openvpn it's recommended to enable it.
The test build with PIE and BINDNOW worked well. The daemon binary was
tested as part of the built-in tests (loopback VPN) and on my own VPN
server. Thanks a lot Moritz for the clarifications. I have attached the
patch to enable PIE and BINDNOW. Here are the hardening-check results:

$ hardening-check /usr/sbin/openvpn
/usr/sbin/openvpn:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
$ hardening-check /usr/lib/openvpn/openvpn-auth-pam.so
/usr/lib/openvpn/openvpn-auth-pam.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
$ hardening-check /usr/lib/openvpn/openvpn-down-root.so
/usr/lib/openvpn/openvpn-down-root.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

All the above looks good except that openvpn-down-root.so does not have
"Stack protected". I am inclined to think that's a false positive as the
correct flags (-fstack-protector, etc.) are passed during compilation:

/usr/bin/make -C plugin/down-root/ CFLAGS="-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security" CPPFLAGS="-D_FORTIFY_SOURCE=2" CXXFLAGS="-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security" FFLAGS="-g -O2" LDFLAGS="-fPIE -pie -Wl,-z,relro -Wl,-z,now"
make[2]: Entering directory `/home/simon/packages/openvpn-2.2.1/plugin/down-root'
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -O2 -Wall -D_FORTIFY_SOURCE=2 -fPIC -c -I../.. down-root.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -O2 -Wall -fPIE -pie -Wl,-z,relro -Wl,-z,now -fPIC -shared -Wl,-soname,openvpn-down-root.so -o openvpn-down-root.so down-root.o -lc
make[2]: Leaving directory `/home/simon/packages/openvpn-2.2.1/plugin/down-root'

I was not able to test the two plugins but the only difference from the
previous patch is that they are now built with "Immediate binding".
According to the hardening wiki the only problem to expect would be a
build failure, if any. They built without problem so I would think it is
safe to have them use "Immediate binding".

Regards,
Simon
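As an added illustration of what the hardening-check lines above are derived from (this is example code written for this page, not Debian's hardening-check and not part of the thread): a small ELF64 little-endian inspector that reads the program headers and dynamic section directly and reports PIE, RELRO, BINDNOW, stack protector, FORTIFY_SOURCE and executable-stack status. It assumes the usual symbol conventions (a `__stack_chk_fail` reference for the canary, `__*_chk` names for fortified calls) and uses a DT_DEBUG entry to tell a PIE executable from a plain shared library, which is taken here to be the heuristic behind "regular shared library (ignored)"; treat that mapping as an assumption of the example.

```python
"""Inspect an ELF64 little-endian image for what hardening-check reports (PIE, RELRO,
BINDNOW, stack protector, FORTIFY_SOURCE) plus an executable stack. Added example."""
import struct

PT_LOAD, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 1, 2, 0x6474E551, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_DEBUG, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 21, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, PF_X, ET_DYN = 0x8, 0x1, 0x1, 3


def _dynstr(data, phdrs, dyn):
    """Map DT_STRTAB (a virtual address) to file bytes via the PT_LOAD segment covering it."""
    va, size = dyn.get(DT_STRTAB), dyn.get(DT_STRSZ, 0)
    for p_type, _, off, vaddr, _, filesz, _, _ in phdrs:
        if va is not None and p_type == PT_LOAD and vaddr <= va < vaddr + filesz:
            return data[off + (va - vaddr):off + (va - vaddr) + size]
    return b""


def check_hardening(data):
    """Return {pie, relro, bindnow, stack_protector, fortify, exec_stack} for an ELF image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    hdr = struct.unpack_from("<16sHHIQQQIHHHHHH", data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    dyn, relro, exec_stack = {}, False, True  # no PT_GNU_STACK header at all means an executable stack
    for p_type, p_flags, off, _, _, filesz, _, _ in phdrs:
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)
        elif p_type == PT_DYNAMIC:  # walk the dynamic section until DT_NULL
            for j in range(0, filesz, 16):
                tag, val = struct.unpack_from("<QQ", data, off + j)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
    names = _dynstr(data, phdrs, dyn).split(b"\0")
    # Assumption: ET_DYN with DT_DEBUG is a PIE executable; ET_DYN without it is a shared library (None).
    pie = (DT_DEBUG in dyn or None) if e_type == ET_DYN else False
    return {
        "pie": pie,
        "relro": relro,
        "bindnow": DT_BIND_NOW in dyn or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
        or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW),
        "stack_protector": b"__stack_chk_fail" in names,  # a canary was emitted for at least one function
        "fortify": any(n.startswith(b"__") and n.endswith(b"_chk")
                       and not n.startswith(b"__stack_chk") for n in names),
        "exec_stack": exec_stack,
    }
```

Feed it the bytes of a file such as /usr/sbin/openvpn to compare against the hardening-check output; a plugin built with -fstack-protector still shows `stack_protector: False` when no function in it received a canary, which is the situation described for openvpn-down-root.so above.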
--- openvpn-2.2.1.orig/debian/rules 2012-03-16 05:42:01.000000000 -0400 +++ openvpn-2.2.1/debian/rules 2012-03-22 10:07:44.424021426 -0400 @@ -8,6 +8,7 @@ endif #export DH_VERBOSE=1 +export DEB_BUILD_MAINT_OPTIONS = hardening=+all %: dh $@
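Review bot: the new `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` line sits directly under the commented-out `#export DH_VERBOSE=1` with no comment of its own; a one-line comment pointing at the Debian Hardening wiki section quoted in this thread (PIE and BINDNOW for a network-facing daemon) would spare the next maintainer a trip through this bug. The hunk itself looks right: the build log in the mail shows dh passing `-fPIE -fstack-protector ... -Wl,-z,relro -Wl,-z,now` through to the plugin build, and the hardening-check output confirms PIE and immediate binding on /usr/sbin/openvpn. Worth recording alongside the change that "Stack protected: no, not found!" remains on openvpn-down-root.so even though -fstack-protector is passed; the check only finds a canary when some function actually received one, so a small plugin with no stack buffer reaching --param=ssp-buffer-size=4 reads as "not found" rather than as a missing flag.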