#47332 389-ds-base package should be built with PIE flags
Closed: Fixed None Opened 6 years ago by nkinder.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 953390

Description of problem:

http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST
enable the PIE compiler flags if your package is long running ...".

However, currently 389-ds-base is not being built with PIE flags. This is a
clear violation of the packaging guidelines.

This issue (in its wider scope) is being discussed at:

https://fedorahosted.org/fesco/ticket/1104

https://lists.fedoraproject.org/pipermail/devel/2013-March/180827.html

Version-Release number of selected component (if applicable):

389-ds-base-1.3.0.5-1.fc19.x86_64.rpm

How reproducible:

You can use the following programs to check if a package is hardened:

http://people.redhat.com/sgrubb/files/rpm-chksec

OR

https://github.com/kholia/checksec

Steps to Reproduce:

Get scanner.py from https://github.com/kholia/checksec

$ ./scanner.py 389-ds-base-1.3.0.5-1.fc19.x86_64.rpm
Analyzing 389-ds-base-1.3.0.5-1.fc19.x86_64.rpm ...
...
389-ds-base,389-ds-base-1.3.0.5-1.fc19.x86_64.rpm,/usr/sbin/ns-slapd,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Enabled,RUNPATH=Disabled,CATEGORY=network-ip

Actual results:

/usr/sbin/ns-slapd is not PIE.

Expected results:

/usr/sbin/ns-slapd *should* be PIE.

Possible Fix:

"_hardened_build" rpm spec macro can be used to harden a package.

Hi Mark,
Could you also investigate 389-admin, too? (Since the server binary is httpd, it may not be needed, but we'd like to make sure...)
Thanks!!
--noriko

Replying to [comment:4 nhosoi]:

Yes, it looks like it is needed, so I added it. Thanks!

389-ds-base:

commit f5b17abc3740571ead6a3423a56e55523bce62b3

git push origin master
Counting objects: 5, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 483 bytes, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: Emitting a message to the fedmsg bus.
To ssh://mreynolds@pkgs.fedoraproject.org/389-ds-base
8f86104..f5b17ab master -> master

git push origin f19
Counting objects: 5, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 529 bytes, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: Emitting a message to the fedmsg bus.
To ssh://mreynolds@pkgs.fedoraproject.org/389-ds-base
22deb41..236cbb5 f19 -> f19

git push origin f18
Counting objects: 5, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 529 bytes, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: Emitting a message to the fedmsg bus.
To ssh://mreynolds@pkgs.fedoraproject.org/389-ds-base
c782705..decdcd7 f18 -> f18

git push origin f17
Counting objects: 5, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 522 bytes, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: Emitting a message to the fedmsg bus.
To ssh://mreynolds@pkgs.fedoraproject.org/389-ds-base
3e72dbd..df87321 f17 -> f17

Admin Server:

50e0b732c3f529a1c28a53a66094522e832b4331

git push origin master
Counting objects: 5, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 430 bytes, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: Emitting a message to the fedmsg bus.
To ssh://mreynolds@pkgs.fedoraproject.org/389-admin
39a4c29..50e0b73 master -> master

Metadata Update from @mreynolds:
- Issue assigned to mreynolds
- Issue set to the milestone: 1.3.1.1

2 years ago
