On Mon, Feb 20, 2012 at 04:55:45PM -0500, Ted Ts'o wrote:
> I believe I do need to do the check, because if the *FLAGS are set
> (even if they are set to the empty string), they will override what
> dpkg-buildpackage sets on Ubuntu obsolete systems (per corporate
> security diktats, I'm forced to run Ubuntu 10.04 LTS on my laptop).
>
> That's why if dpkg-buildflags isn't available, I'm explicitly setting
> CFLAGS and LDFLAGS to what was the default on older versions of dpkg.

You could always append to the flags:

CFLAGS += `dpkg-buildflags ...`
...

But the check is fine as well.

>> Btw. I think there's one problem with the current debian/rules:
>> If dpkg-buildflags is found and used then
>> -Wl,-Bsymbolic-functions is missing from LDFLAGS, I'm not sure if
>> this was intended.
>
> Yes, that was the default from Ubuntu 10.04. But if dpkg-buildflags
> is going to supply something else, we'll use whatever the distro
> defaults are. If I understand things correctly, even Debian
> obsolete^H^H^H^H^H^H^H stable supports dpkg-buildflags so this is
> really only something needed to support Ubuntu LTS.

Yes, that should work fine.

On Mon, Feb 20, 2012 at 05:02:10PM -0500, Ted Ts'o wrote:
> OK, so, this is considered an acceptable result?
>
> <ty...@tytso-glaptop.cam.corp.google.com> {/kbuild/debian/e2fsprogs-1.42.1}
> 530% hardening-check debian/BUILD-STD/e2fsck/e2fsck
> debian/BUILD-STD/e2fsck/e2fsck:
>  Position Independent Executable: no, normal executable!
>  Stack protected: yes
>  Fortify Source functions: yes (some protected functions found)
>  Read-only relocations: yes
>  Immediate binding: no, not found!
>
> i.e., it's ok for the purposes of the hardening effort for the
> executable to not be PIE, and not to have immediate binding enabled?

Yes, this looks good. PIE and immediate binding are used for programs which
read untrusted data (like a web server, image viewer, etc.) or run with
elevated privileges and thus are especially exposed. For an administration
tool this is not necessary, and especially PIE can cause performance
penalties on non-amd64 systems.

For more information about hardening on Debian have a look at [1] and [2].
Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/Hardening
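Added example, not part of the thread above and not the hardening-check script itself: the five properties that hardening-check printed for e2fsck, computed directly from an ELF64 little-endian image in Python. PIE is e_type == ET_DYN, "Read-only relocations" is a PT_GNU_RELRO program header, "Immediate binding" is DT_BIND_NOW or the DF_BIND_NOW / DF_1_NOW flags in the dynamic section, and stack protector / fortify are detected from the glibc symbol names in the dynamic string table. Two assumptions: treating every "*_chk" name as a fortified function approximates hardening-check's fixed list of protected functions, and build_sample_elf is a constructed 576-byte synthetic image (no code, not a real program) whose default settings reproduce the e2fsck result quoted above.

```python
"""Re-implementation of the five hardening-check properties, parsing ELF64 LE images directly."""
import struct
import sys

# Constants from the ELF ABI / glibc elf.h
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_hardening(data: bytes) -> dict:
    """Return the five hardening-check properties of an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    loads, dynamic, relro = [], None, False
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
        elif p_type == PT_GNU_RELRO:      # "Read-only relocations"
            relro = True

    def vaddr_to_off(vaddr):
        # Dynamic-section pointers are virtual addresses; map them to file offsets via PT_LOAD.
        for v, off, size in loads:
            if v <= vaddr < v + size:
                return vaddr - v + off
        raise ValueError("address %#x is not backed by a PT_LOAD segment" % vaddr)

    tags = {}
    if dynamic:
        off, size = dynamic
        for pos in range(off, off + size, 16):
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            tags[tag] = val

    # "Immediate binding": any of the three ways the linker records -z now
    bind_now = (DT_BIND_NOW in tags
                or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW))

    # Stack protector and fortify show up as imported glibc symbols whose names live in
    # the dynamic string table. Assumption: "*_chk" approximates hardening-check's list.
    names = set()
    if DT_STRTAB in tags and DT_STRSZ in tags:
        start = vaddr_to_off(tags[DT_STRTAB])
        names = set(data[start:start + tags[DT_STRSZ]].split(b"\0"))

    return {
        "pie": e_type == ET_DYN,          # PIE binaries are linked as ET_DYN
        "stack_protected": b"__stack_chk_fail" in names,
        "fortify": any(n.endswith(b"_chk") for n in names),
        "relro": relro,
        "bind_now": bind_now,
    }


def build_sample_elf(pie, relro, bind_now, stack_protected, fortify) -> bytes:
    """Constructed sample: a 576-byte synthetic ELF64 image (no code) with vaddr == file offset."""
    names = [b"", b"printf"]
    if stack_protected:
        names.append(b"__stack_chk_fail")
    if fortify:
        names.append(b"__printf_chk")
    dynstr = b"\0".join(names) + b"\0"
    phdrs = [(PT_LOAD, 5, 0, 0, 0, 576, 576, 0x1000),
             (PT_DYNAMIC, 6, 512, 512, 512, 64, 64, 8)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 512, 512, 512, 64, 64, 1))
    dyn = [(DT_STRTAB, 256), (DT_STRSZ, len(dynstr))]
    if bind_now:
        dyn.append((DT_FLAGS, DF_BIND_NOW))
    dyn.append((DT_NULL, 0))

    img = bytearray(576)
    img[:16] = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LE, SysV ABI
    struct.pack_into("<HHIQQQIHHHHHH", img, 16, ET_DYN if pie else ET_EXEC,
                     62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    for i, ph in enumerate(phdrs):
        struct.pack_into("<IIQQQQQQ", img, 64 + i * 56, *ph)
    img[256:256 + len(dynstr)] = dynstr
    for i, (tag, val) in enumerate(dyn):
        struct.pack_into("<qQ", img, 512 + i * 16, tag, val)
    return bytes(img)


if __name__ == "__main__":
    # Check a real binary if one is named, else the synthetic e2fsck-like sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        image = build_sample_elf(pie=False, relro=True, bind_now=False,
                                 stack_protected=True, fortify=True)
    for key, value in check_hardening(image).items():
        print("%-16s %s" % (key + ":", "yes" if value else "no"))
```

Run it with the path of a built binary to compare against the output of hardening-check (from the hardening-includes package); without arguments it reports the synthetic sample, which matches the e2fsck result above: RELRO, stack protector and fortify present, PIE and immediate binding absent.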