Please, use secure build settings! TIA!
Example of bad:
~ # checksec file /usr/lib64/libreoffice/program/soffice.bin
RELRO          Stack Canary     NX          PIE           RPATH     RUNPATH     Symbols     FORTIFY  Fortified  Fortifiable  Name
Partial RELRO  No Canary Found  NX enabled  PIE Disabled  No RPATH  RUNPATH     No Symbols  No       0          0            /usr/lib64/libreoffice/program/soffice.bin
~ # checksec file /usr/bin/java
Warning: Dynamic Binary found but missing libc. Fortify results will be skipped
RELRO          Stack Canary     NX          PIE           RPATH     RUNPATH     Symbols     FORTIFY  Fortified  Fortifiable  Name
Full RELRO     No Canary Found  NX enabled  PIE Enabled   RPATH     No RUNPATH  No Symbols  N/A      0          0            /usr/bin/java
~ # checksec file /usr/bin/thunar
RELRO          Stack Canary     NX          PIE           RPATH     RUNPATH     Symbols       FORTIFY  Fortified  Fortifiable  Name
Full RELRO     Canary Found     NX enabled  PIE Enabled   No RPATH  No RUNPATH  5035 symbols  Yes      1          3            /usr/bin/thunar
Example of good:
~ # checksec file /usr/lib64/firefox/firefox-bin
RELRO          Stack Canary     NX          PIE           RPATH     RUNPATH     Symbols     FORTIFY  Fortified  Fortifiable  Name
Full RELRO     Canary Found     NX enabled  PIE Enabled   No RPATH  No RUNPATH  No Symbols  Yes      5          11           /usr/lib64/firefox/firefox-bin
~ # checksec file /usr/sbin/updatedb
RELRO          Stack Canary     NX          PIE           RPATH     RUNPATH     Symbols     FORTIFY  Fortified  Fortifiable  Name
Full RELRO     Canary Found     NX enabled  PIE Enabled   No RPATH  No RUNPATH  No Symbols  Yes      3          6            /usr/sbin/updatedb
"No canary found" can happen if the binary is small and has no utilized functions.
We build all packages with -fstack-protector-strong.
Partial RELRO ... needs to be investigated why.
Not sure what you see wrong with thunar.
Thank you!
Partial RELRO ... needs to be investigated why. But we enforce RELRO for all builds, packages must disable it explicitly.
I have done checksec on quite some files. There are more than just a few packages that show "Partial RELRO".
Not a major issue! It shows "5035 symbols". Probably this is for debugging purposes and not needed on a conventional productive system. (I also have quite some packages showing this issue.)
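For triaging checksec results across many packages, as discussed in this thread, the following is an added example and not part of the original ticket or of checksec itself. The names `ROW`, `CHECKS` and `audit` and the pass/fail policy are hypothetical; the value spellings come from the rows quoted above, with "No RELRO" and "NX disabled" assumed for the negative cases.

```python
import re

# One checksec result row. Values contain spaces, so the columns are matched
# by pattern in table order. "No RELRO" and "NX disabled" are assumed spellings.
ROW = re.compile(
    r"(?P<relro>(?:Full|Partial|No) RELRO)\s+"
    r"(?P<canary>(?:No )?Canary Found)\s+"
    r"(?P<nx>NX (?:enabled|disabled))\s+"
    r"(?P<pie>PIE (?:Enabled|Disabled))\s+"
    r"(?P<rpath>(?:No )?RPATH)\s+"
    r"(?P<runpath>(?:No )?RUNPATH)\s+"
    r"(?P<symbols>No Symbols|\d+ symbols)\s+"
    r"(?P<fortify>Yes|No|N/A)\s+(?P<fortified>\d+)\s+(?P<fortifiable>\d+)\s+"
    r"(?P<name>/\S+)\s*$",
    re.IGNORECASE,
)

# Hypothetical policy: (column, hardened value, finding when it differs).
CHECKS = [
    ("relro", "full relro", "RELRO is not full"),
    ("canary", "canary found", "no stack canary"),
    ("nx", "nx enabled", "NX disabled"),
    ("pie", "pie enabled", "not position independent"),
    ("rpath", "no rpath", "RPATH set"),
    ("runpath", "no runpath", "RUNPATH set"),
]

def audit(text):
    """Return {binary: [findings]} for every checksec result row in text."""
    report = {}
    for line in text.splitlines():
        m = ROW.search(line)
        if not m:
            continue  # banner, header, warning or blank line
        row = {k: v.lower() for k, v in m.groupdict().items()}
        findings = [msg for col, good, msg in CHECKS if row[col] != good]
        if row["fortify"] == "no":  # "N/A" means checksec skipped the check
            findings.append("FORTIFY not detected")
        if row["symbols"] != "no symbols":  # low priority, as noted in the thread
            findings.append("not stripped (" + row["symbols"] + ")")
        report[m.group("name")] = findings
    return report

# Result rows copied from the checksec output quoted in this ticket.
SAMPLE = """\
Partial RELRO  No Canary Found  NX enabled  PIE Disabled  No RPATH  RUNPATH     No Symbols    No   0  0   /usr/lib64/libreoffice/program/soffice.bin
Full RELRO     No Canary Found  NX enabled  PIE Enabled   RPATH     No RUNPATH  No Symbols    N/A  0  0   /usr/bin/java
Full RELRO     Canary Found     NX enabled  PIE Enabled   No RPATH  No RUNPATH  5035 symbols  Yes  1  3   /usr/bin/thunar
Full RELRO     Canary Found     NX enabled  PIE Enabled   No RPATH  No RUNPATH  No Symbols    Yes  5  11  /usr/lib64/firefox/firefox-bin
"""
if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", "; ".join(findings) or "ok")
```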
Marking as resolved. Please re-open this or create individual issues if needed.
Metadata Update from @lkocman: - Issue close_status updated to: Completed - Issue status updated to: Closed (was: Open)