kill prelink

Itamar Reis Peixoto itamar at ispbrasil.com.br
Mon Feb 6 19:43:50 UTC 2012


On Mon, Feb 6, 2012 at 5:35 PM, Ricky Zhou <ricky at fedoraproject.org> wrote:
> On 2012-02-06 11:59:53 AM, Bill Nottingham wrote:
>> Stephen John Smoogen (smooge at gmail.com) said:
>> > > > Discussion from irc today pointed out the..... difficulty with our
>> > > > security with prelink running on our systems.
>>
>> Is this a general issue that should be pushed up the stack?
> I think the "difficulty with our security" bit was referring to some
> weirdness which caused issues with the needs-restarting utility.
> However, I do have other reasons for questioning the need for prelink in
> Fedora in general.
>
> My main issue is that with prelink enabled, non-PIE binaries essentially
> have library address randomization disabled (they are still randomized
> every 2 weeks when prelink runs, but the addresses stay the same in
> between).  This makes many types of security bugs far easier to exploit
> on Fedora than on distros without prelink.
>
> One argument against this point is that we should just enable PIE on
> apps which are security-sensitive, or which are likely to be exploited.
> While I definitely don't disagree with this point, I think we're very
> far from having that happen, and in addition, doing so would cause us to
> lose many of the speedups that prelink is supposed to give (programs
> which need to handle a lot of potentially untrusted inputs, like
> openoffice, should then have PIE enabled).
>
> With all this in mind, I'd definitely be interested in seeing a
> discussion about whether prelink should stay enabled by default on
> Fedora.
>
> Thanks,
> Ricky
>

Also, 80%+ of packages from rpmfusion use prelink.


-- 
------------

Itamar Reis Peixoto
msn, google talk: itamar at ispbrasil.com.br
+55 11 4063 5033 (FIXO SP)
+55 34 9158 9329 (TIM)
+55 34 8806 3989 (OI)
+55 34 3221 8599 (FIXO MG)
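
Added example (not part of the original thread or of any Fedora tooling): a way to check the effect described in the quoted message, by comparing shared-library base addresses across separate launches of the same non-PIE program. The `/proc/<pid>/maps` excerpts, paths and addresses below are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed /proc/<pid>/maps excerpts from two launches of one program.
RUN_A = """\
00400000-0040b000 r-xp 00000000 fd:01 1311 /usr/bin/demo
3a1c200000-3a1c3b5000 r-xp 00000000 fd:01 2201 /lib64/libc-2.14.so
3a1c5b5000-3a1c5b9000 r--p 001b5000 fd:01 2201 /lib64/libc-2.14.so
3a1be00000-3a1be22000 r-xp 00000000 fd:01 2190 /lib64/ld-2.14.so
7f3e5a1c4000-7f3e5a1d9000 r-xp 00000000 fd:01 2305 /usr/lib64/libz.so.1.2.5
7fff2b1e0000-7fff2b201000 rw-p 00000000 00:00 0 [stack]
"""
RUN_B = """\
00400000-0040b000 r-xp 00000000 fd:01 1311 /usr/bin/demo
3a1c200000-3a1c3b5000 r-xp 00000000 fd:01 2201 /lib64/libc-2.14.so
3a1c5b5000-3a1c5b9000 r--p 001b5000 fd:01 2201 /lib64/libc-2.14.so
3a1be00000-3a1be22000 r-xp 00000000 fd:01 2190 /lib64/ld-2.14.so
7f91c80e1000-7f91c80f6000 r-xp 00000000 fd:01 2305 /usr/lib64/libz.so.1.2.5
7fffd93a4000-7fffd93c5000 rw-p 00000000 00:00 0 [stack]
"""

# start-end perms offset dev inode /path  (file-backed mappings only)
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-[0-9a-f]+\s+\S+\s+[0-9a-f]+\s+\S+\s+\d+\s+(/\S+)$")

def library_bases(maps_text):
    """Return {path: lowest mapped start address} for shared objects."""
    bases = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or ".so" not in m.group(2):
            continue  # skip the main binary, [stack], anonymous maps
        start, path = int(m.group(1), 16), m.group(2)
        bases[path] = min(start, bases.get(path, start))
    return bases

def stable_libraries(*runs):
    """Libraries present in every run whose base address never changed."""
    per_run = [library_bases(r) for r in runs]
    common = set.intersection(*(set(b) for b in per_run))
    return sorted(p for p in common if len({b[p] for b in per_run}) == 1)

if __name__ == "__main__":
    for path in stable_libraries(RUN_A, RUN_B):
        print(f"not randomized between runs: {path} "
              f"@ {library_bases(RUN_A)[path]:#x}")
```

Two matching samples can coincide by chance on a randomized system, so pass more captures to `stable_libraries` before drawing a conclusion.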

