(dump out some ideas of what should be in the list) |
(update and tweak) |
||
| Line 29: | Line 29: | ||
To add these flags, use something like this: | To add these flags, use something like this: | ||
export CFLAGS="%{optflags} - | export CFLAGS="%{optflags} -fPIE" | ||
%configure | %configure | ||
make CFLAGS=$CFLAGS | make CFLAGS=$CFLAGS | ||
FESCo maintains a list of packages that they require to have certain additional compilation flags enabled. See [ | or | ||
export LDFLAGS="$LDFLAGS -pie" | |||
%configure | |||
make LDFLAGS=$LDFLAGS | |||
FESCo maintains a list of packages that they require to have certain additional compilation flags enabled. See [Page TBD] for which packages require which flags. This page will contain: | |||
systemd | systemd | ||
mingetty | mingetty | ||
udevd | udevd | ||
rsyslog | rsyslog | ||
abrtd | abrtd | ||
NetworkManager | NetworkManager | ||
ntpd | ntpd | ||
acpid | acpid | ||
openssh | openssh | ||
gdm | gdm | ||
upowerd | upowerd | ||
sendmail | sendmail | ||
postfix | postfix | ||
exim | exim | ||
== Outstanding questions == | |||
* Should we only enable PIE on 64bit builds? 32bit can be pretty trivially defeated. | |||
* Is the list above good? Should we add all suid and caps packages? | |||
* Should we just make it a suggestion, and leave it up to maintainers? | |||
== references == | == references == | ||
| Line 59: | Line 86: | ||
http://wiki.debian.org/Hardening | http://wiki.debian.org/Hardening | ||
https://wiki.ubuntu.com/Security/Features | |||
https://wiki.ubuntu.com/Security/Features#Built_as_PIE | |||
Revision as of 20:40, 5 July 2011
This page is a draft, please don't follow it until it's no longer a draft
Introduction
PIE (Position Independent Executables) are binaries that are made entirely from position-independent code. This allows for address space layout randomization, increasing security and making some attacks much more difficult.
Advantages
- Binaries are more difficult to attack/compromise.
Disadvantages
- You can no longer use prelink on your binaries, resulting in a slower startup time.
Guideline
All Fedora Packages should use the default Fedora Compilation flags as listed on the http://fedoraproject.org/wiki/Packaging/RPMMacros#Build_flags_macros_and_variables page. Overriding these flags for performance optimizations (for instance, -O3 instead of -O2) is generally discouraged (if you can present benchmarks that show a significant speedup for this particular code, this could be revisited on a case-by-case basis). There are certain, security related flags that are commonly allowed. These flags may degrade performance slightly but the increased security can be worthwhile for some programs.
If you package meets the following critera you can enable the PIE compiler flags:
- Your package is long running. This means it's likely to be started and keep running until the machine is rebooted, not start on demand and quit on idle.
- Your package has suid binaries, or binaries with capabilities.
- Your package runs as root.
- Your package accepts/processes untrusted input.
To add these flags, use something like this:
export CFLAGS="%{optflags} -fPIE" %configure make CFLAGS=$CFLAGS
or
export LDFLAGS="$LDFLAGS -pie" %configure make LDFLAGS=$LDFLAGS
FESCo maintains a list of packages that they require to have certain additional compilation flags enabled. See [Page TBD] for which packages require which flags. This page will contain:
systemd
mingetty
udevd
rsyslog
abrtd
NetworkManager
ntpd
acpid
openssh
gdm
upowerd
sendmail
postfix
exim
Outstanding questions
- Should we only enable PIE on 64bit builds? 32bit can be pretty trivially defeated.
- Is the list above good? Should we add all suid and caps packages?
- Should we just make it a suggestion, and leave it up to maintainers?
references
http://en.wikipedia.org/wiki/Position-independent_code
https://fedorahosted.org/fesco/ticket/563
https://fedorahosted.org/fpc/ticket/93
http://wiki.debian.org/Hardening