#210 use secure build settings
Closed: Completed 2 weeks ago by lkocman. Opened a month ago by C7NhtpnK.

Please, use secure build settings! TIA!

Example of bad:

~ # checksec file /usr/lib64/libreoffice/program/soffice.bin

  _____ _    _ ______ _____ _  __ _____ ______ _____
 / ____| |  | |  ____/ ____| |/ // ____|  ____/ ____|
| |    | |__| | |__ | |    | ' /| (___ | |__ | |
| |    |  __  |  __|| |    |  <  \___ \|  __|| |
| |____| |  | | |___| |____| . \ ____) | |___| |____
 \_____|_|  |_|______\_____|_|\_\_____/|______\_____|

RELRO           Stack Canary      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY    Fortified   Fortifiable      Name                            
Partial RELRO   No Canary Found   NX enabled    PIE Disabled    No RPATH   RUNPATH      No Symbols      No         0           0                /usr/lib64/libreoffice/program/soffice.bin
~ # checksec file /usr/bin/java
Warning: Dynamic Binary found but missing libc. Fortify results will be skipped

  _____ _    _ ______ _____ _  __ _____ ______ _____
 / ____| |  | |  ____/ ____| |/ // ____|  ____/ ____|
| |    | |__| | |__ | |    | ' /| (___ | |__ | |
| |    |  __  |  __|| |    |  <  \___ \|  __|| |
| |____| |  | | |___| |____| . \ ____) | |___| |____
 \_____|_|  |_|______\_____|_|\_\_____/|______\_____|

RELRO           Stack Canary      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY    Fortified   Fortifiable      Name                            
Full RELRO      No Canary Found   NX enabled    PIE Enabled     RPATH      No RUNPATH   No Symbols      N/A         0           0                /usr/bin/java                   
~ # checksec file /usr/bin/thunar

  _____ _    _ ______ _____ _  __ _____ ______ _____
 / ____| |  | |  ____/ ____| |/ // ____|  ____/ ____|
| |    | |__| | |__ | |    | ' /| (___ | |__ | |
| |    |  __  |  __|| |    |  <  \___ \|  __|| |
| |____| |  | | |___| |____| . \ ____) | |___| |____
 \_____|_|  |_|______\_____|_|\_\_____/|______\_____|

RELRO           Stack Canary      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY    Fortified   Fortifiable      Name                            
Full RELRO      Canary Found      NX enabled    PIE Enabled     No RPATH   No RUNPATH   5035 symbols    Yes        1           3                /usr/bin/thunar                 

Example of good:

~ # checksec file /usr/lib64/firefox/firefox-bin

  _____ _    _ ______ _____ _  __ _____ ______ _____
 / ____| |  | |  ____/ ____| |/ // ____|  ____/ ____|
| |    | |__| | |__ | |    | ' /| (___ | |__ | |
| |    |  __  |  __|| |    |  <  \___ \|  __|| |
| |____| |  | | |___| |____| . \ ____) | |___| |____
 \_____|_|  |_|______\_____|_|\_\_____/|______\_____|

RELRO           Stack Canary      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY    Fortified   Fortifiable      Name                            
Full RELRO      Canary Found      NX enabled    PIE Enabled     No RPATH   No RUNPATH   No Symbols      Yes        5           11               /usr/lib64/firefox/firefox-bin  
~ # checksec file /usr/sbin/updatedb

  _____ _    _ ______ _____ _  __ _____ ______ _____
 / ____| |  | |  ____/ ____| |/ // ____|  ____/ ____|
| |    | |__| | |__ | |    | ' /| (___ | |__ | |
| |    |  __  |  __|| |    |  <  \___ \|  __|| |
| |____| |  | | |___| |____| . \ ____) | |___| |____
 \_____|_|  |_|______\_____|_|\_\_____/|______\_____|

RELRO           Stack Canary      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY    Fortified   Fortifiable      Name                            
Full RELRO      Canary Found      NX enabled    PIE Enabled     No RPATH   No RUNPATH   No Symbols      Yes        3           6                /usr/sbin/updatedb              

"no canary found" can happen if the binary is small and has no utilized functions.

we build all packages with -fstack-protector-strong

partial relro ... needs to be investigated why.

  • but we enforce RELRO for all builds, packages must disable it explicitly.

not sure what you see wrong with thunar.

> "no canary found" can happen if the binary is small and has no utilized functions.

Thank you!

> we build all packages with -fstack-protector-strong

Thank you!

> partial relro ... needs to be investigated why.
>
> but we enforce RELRO for all builds, packages must disable it explicitly.

I have done checksec on quite some files. There are more than just a few packages that show "Partial RELRO".

> not sure what you see wrong with thunar.

Not a major issue! It shows "5035 symbols". Probably this is for debugging purposes and not needed on a conventional productive system. (I also have quite some packages showing this issue.)

Marking as resolved. Please re-open this or create individual issues if needed.

Metadata Update from @lkocman:
- Issue close_status updated to: Completed
- Issue status updated to: Closed (was: Open)

2 weeks ago
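
Added example, not part of the original thread or of the project's tooling: a Python triage of four of the checksec rows posted above. It separates link-time hardening that is switched off (Partial RELRO, PIE disabled) from findings the discussion treats as needing a manual look (no canary, unstripped symbols). The function names, the fail/review split and the handling of RPATH/RUNPATH and FORTIFY are assumptions of this example.

```python
import re

# Rows copied from the checksec output posted in this thread (header omitted).
ROWS = """\
Partial RELRO   No Canary Found   NX enabled    PIE Disabled    No RPATH   RUNPATH      No Symbols      No         0           0                /usr/lib64/libreoffice/program/soffice.bin
Full RELRO      No Canary Found   NX enabled    PIE Enabled     RPATH      No RUNPATH   No Symbols      N/A         0           0                /usr/bin/java
Full RELRO      Canary Found      NX enabled    PIE Enabled     No RPATH   No RUNPATH   5035 symbols    Yes        1           3                /usr/bin/thunar
Full RELRO      Canary Found      NX enabled    PIE Enabled     No RPATH   No RUNPATH   No Symbols      Yes        5           11               /usr/lib64/firefox/firefox-bin
"""

COLUMNS = ("relro", "canary", "nx", "pie", "rpath", "runpath",
           "symbols", "fortify", "fortified", "fortifiable", "name")

def parse_row(line):
    """Split one checksec row; its columns are separated by 2+ spaces."""
    fields = re.split(r"\s{2,}", line.strip())
    if len(fields) != len(COLUMNS):
        raise ValueError(f"unexpected column count in {line!r}")
    return dict(zip(COLUMNS, fields))

def triage(row):
    """Return (fail, review) for one row. Assumed split: 'fail' = a value other
    than the hardened one seen in the thread; 'review' = needs a human look."""
    fail, review = [], []
    for key, good in (("relro", "Full RELRO"), ("nx", "NX enabled"),
                      ("pie", "PIE Enabled")):
        if row[key] != good:
            fail.append(row[key])
    if row["canary"] != "Canary Found":
        review.append("no canary: check for protectable functions")
    for key in ("rpath", "runpath"):
        if not row[key].startswith("No "):
            review.append(f"{row[key]} set: inspect search path")
    if row["symbols"] != "No Symbols":
        review.append(f"not stripped ({row['symbols']})")
    if row["fortifiable"] != "0" and row["fortified"] == "0":
        review.append("fortifiable calls present but none fortified")
    return fail, review

def report(text=ROWS):
    """Map each binary path to its (fail, review) lists."""
    rows = (parse_row(line) for line in text.splitlines() if line.strip())
    return {r["name"]: triage(r) for r in rows}

if __name__ == "__main__":
    for name, (fail, review) in report().items():
        print(name, "FAIL:", fail, "REVIEW:", review)
```
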
