packaging guidelines again
Reindl Harald
h.reindl at thelounge.net
Wed Sep 25 20:16:18 UTC 2013
oh, and in fact there are *a lot more* processes
typically running as long-living processes directly after
login which should be hardened too
may I suggest Fedora ban "prelink", which is always
the excuse, and harden the complete distribution
at least on x86_64 the performance impact is, outside generic
benchmarks, nonexistent, and so it should be *mandatory* to have
*any* x86_64 package as a hardened build, and the start time
must not be an argument - how often do people start applications
after a *cold and uncached* boot?!
especially processes like X *running as root* MUST NOT
be "No PIE"; they are a clear violation of the guidelines
[root at srv-rhsoft:~]$ checksec --proc-all | grep "No PIE"
/usr/sbin/smoke 3353 Partial RELRO Canary found NX enabled No PIE
login 4411 Partial RELRO Canary found NX enabled No PIE
bash 4492 Partial RELRO Canary found NX enabled No PIE
alsactl 637 Partial RELRO Canary found NX enabled No PIE
startkde 6566 Partial RELRO Canary found NX enabled No PIE
mdadm 657 Partial RELRO Canary found NX enabled No PIE
start_kdeinit 6644 Partial RELRO Canary found NX enabled No PIE
kdeinit4 6645 Partial RELRO Canary found NX enabled No PIE
klauncher 6675 Partial RELRO Canary found NX enabled No PIE
kded4 6677 Partial RELRO Canary found NX enabled No PIE
gam_server 6679 Partial RELRO Canary found NX enabled No PIE
kglobalaccel 6693 Partial RELRO Canary found NX enabled No PIE
kwrapper4 6697 Partial RELRO Canary found NX enabled No PIE
ksmserver 6698 Partial RELRO Canary found NX enabled No PIE
kwin 6700 Partial RELRO No canary found NX enabled No PIE
kactivitymanage 6703 Partial RELRO Canary found NX enabled No PIE
krunner 6713 Partial RELRO Canary found NX enabled No PIE
plasma-desktop 6715 Partial RELRO Canary found NX enabled No PIE
lancelot 6726 Partial RELRO No canary found NX enabled No PIE
upowerd 673 Partial RELRO Canary found NX enabled No PIE
akonadi_control 6730 Partial RELRO No canary found NX enabled No PIE
akonadiserver 6732 Partial RELRO Canary found NX enabled No PIE
avahi-daemon 674 Partial RELRO Canary found NX enabled No PIE
ksysguardd 6749 Partial RELRO Canary found NX enabled No PIE
kuiserver 6758 Partial RELRO No canary found NX enabled No PIE
kaccess 6765 Partial RELRO Canary found NX enabled No PIE
firefox 6770 Partial RELRO Canary found NX enabled No PIE
rtkit-daemon 679 Partial RELRO Canary found NX enabled No PIE
kopete 6791 Partial RELRO Canary found NX enabled No PIE
konqueror 6793 Partial RELRO Canary found NX enabled No PIE
klipper 6797 Partial RELRO Canary found NX enabled No PIE
kmix 6799 Partial RELRO Canary found NX enabled No PIE
knemo 6801 Partial RELRO Canary found NX enabled No PIE
polkit-kde-auth 6804 Partial RELRO No canary found NX enabled No PIE
gvfsd 6810 Partial RELRO Canary found NX enabled No PIE
knotify4 6811 Partial RELRO No canary found NX enabled No PIE
konqueror 6821 Partial RELRO Canary found NX enabled No PIE
at-spi-bus-laun 6840 Partial RELRO Canary found NX enabled No PIE
kwalletd 6874 Partial RELRO Canary found NX enabled No PIE
ksystraycmd 7020 Partial RELRO No canary found NX enabled No PIE
rdesktop 7022 Partial RELRO Canary found NX enabled No PIE
ksystraycmd 7023 Partial RELRO No canary found NX enabled No PIE
thunderbird 7025 Partial RELRO Canary found NX enabled No PIE
bash 7126 Partial RELRO Canary found NX enabled No PIE
pulseaudio 715 Full RELRO Canary found NX enabled No PIE
X 718 Partial RELRO Canary found NX enabled No PIE
bash 7187 Partial RELRO Canary found NX enabled No PIE
avahi-daemon 728 Partial RELRO Canary found NX enabled No PIE
gvfsd-http 7285 Partial RELRO Canary found NX enabled No PIE
kio_file 7494 Partial RELRO Canary found NX enabled No PIE
kio_thumbnail 7495 Partial RELRO Canary found NX enabled No PIE
On 16.09.2013 12:15, Reindl Harald wrote:
> I get somewhat tired of reporting bugs for several packages,
> refreshing them at each release because maintainers
> ignore guidelines all the time
>
> some of them responded and fixed their packages
> some insist on ignoring them
>
> https://fedoraproject.org/wiki/Packaging:Guidelines?rd=Packaging/Guidelines#PIE
>
> If your package meets any of the following criteria you
> MUST enable the PIE compiler flags:
> * Your package is long running
> * Your package runs as root
> ____________________________________________
>
> since there is nobody logged in, these are *all* long
> running processes, and enough of them are even running as
> root, and so match *two* reasons for hardening them
>
> [root at srv-rhsoft:~]$ checksec --proc-all | grep "No PIE"
> X 21342 Partial RELRO Canary found NX enabled No PIE
> login 26045 Partial RELRO Canary found NX enabled No PIE
> alsactl 642 Partial RELRO Canary found NX enabled No PIE
> mdadm 651 Partial RELRO Canary found NX enabled No PIE
> upowerd 704 Partial RELRO Canary found NX enabled No PIE
> avahi-daemon 705 Partial RELRO Canary found NX enabled No PIE
> rtkit-daemon 718 Partial RELRO Canary found NX enabled No PIE
> pulseaudio 869 Full RELRO Canary found NX enabled No PIE
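An added audit script, not from this thread or the Fedora project, that reproduces the "No PIE" column of `checksec --proc-all` by reading the ELF e_type of each /proc/<pid>/exe directly, so it needs neither checksec nor readelf. The sample headers it builds are constructed for testing; like the author's run, the live scan only sees other users' processes when run as root.

```python
"""Flag running processes whose executable was linked without PIE."""
import os
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3  # fixed-address executable vs position-independent


def elf_type(header: bytes) -> int:
    """Return e_type from an ELF header (32/64-bit, either byte order)."""
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    endian = "<" if header[5] == 1 else ">"  # EI_DATA: 1 = LSB, 2 = MSB
    # e_type is a 16-bit field at offset 16 in both ELFCLASS32 and ELFCLASS64
    return struct.unpack(endian + "H", header[16:18])[0]


def pie_status(header: bytes) -> str:
    """Same wording as checksec: an ET_DYN executable is PIE, ET_EXEC is not."""
    t = elf_type(header)
    if t == ET_DYN:
        return "PIE enabled"
    if t == ET_EXEC:
        return "No PIE"
    return "unknown (e_type=%d)" % t


def sample_header(e_type: int, little_endian: bool = True) -> bytes:
    """Constructed minimal ELF64 header for offline testing (not a real binary)."""
    ident = ELF_MAGIC + bytes([2, 1 if little_endian else 2, 1]) + b"\x00" * 9
    return ident + struct.pack(("<" if little_endian else ">") + "H", e_type)


def scan_running_processes() -> list:
    """Return (pid, comm, status) for every /proc/<pid>/exe we may read."""
    findings = []
    if not os.path.isdir("/proc"):
        return findings  # not Linux procfs
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/exe", "rb") as f:
                header = f.read(64)
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            findings.append((int(pid), comm, pie_status(header)))
        except (OSError, ValueError):
            continue  # kernel thread, exited, permission denied, or non-ELF
    return findings


if __name__ == "__main__":
    for pid, comm, status in sorted(scan_running_processes()):
        if status == "No PIE":
            print(f"{comm} {pid} {status}")
```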