> On 30 March 2018 at 15:08 "A. Schulze" <s...@andreasschulze.de> wrote:
> 
> 
> Hello,
> 
> To build and package dovecot I use the usual Debian tool chain. That includes 
> building with selected GCC options and running lintian.
> 
> I have noticed for a long time (read: many earlier versions, up to 2.2.35) these 
> lintian warnings:
> 
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/auth
> N: 
> N:    This package provides an ELF binary that lacks the use of fortified libc
> N:    functions. Either there are no potentially unfortified functions called
> N:    by any routines, all unfortified calls have already been fully validated
> N:    at compile-time, or the package was not built with the default Debian
> N:    compiler flags defined by dpkg-buildflags. If built using
> N:    dpkg-buildflags directly, be sure to import CPPFLAGS.
> N:    
> N:    NB: Due to false-positives, Lintian ignores some unprotected functions
> N:    (e.g. memcpy).
> N:    
> N:    Refer to https://wiki.debian.org/Hardening and
> N:    https://bugs.debian.org/673112 for details.
> N:    
> N:    Severity: normal, Certainty: wild-guess
> N:    
> N:    Check: binaries, Type: binary, udeb
> N: 
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/config
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/director
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/gdbhelper
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/imap
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/libdovecot-login.so.0.0.0
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/libdovecot-storage.so.0.0.0
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/modules/lib10_quota_plugin.so
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/modules/lib20_fts_plugin.so
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/modules/lib20_replication_plugin.so
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/modules/lib99_welcome_plugin.so
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/quota-status
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/script
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/script-login
> I: dovecot-core: hardening-no-fortify-functions usr/lib/dovecot/xml2text
> 
> As you may note, not all binaries are affected. doveadm, doveconf or dovecot 
> aren't for example.
> 
> My (simplified) debian/rules:
>       #!/usr/bin/make -f
> 
>       export DEB_BUILD_MAINT_OPTIONS = hardening=+all
>       DPKG_EXPORT_BUILDFLAGS = 1
>       include /usr/share/dpkg/buildflags.mk
> 
>       include /usr/share/cdbs/1/rules/debhelper.mk
>       include /usr/share/cdbs/1/class/autotools.mk
> 
>       DEB_DH_STRIP_ARGS = --dbg-package=dovecot-core-dbg
> 
> This results in this call to configure:
> 
> CFLAGS="-g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong 
> -Wformat -Werror=format-security" CXXFLAGS="-g -O2 
> -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat 
> -Werror=format-security" CPPFLAGS="-Wdate-time -D_FORTIFY_SOURCE=2" 
> LDFLAGS="-Wl,-z,relro -Wl,-z,now" /<<PKGBUILDDIR>>/./configure 
> --build=x86_64-linux-gnu --prefix=/usr --includedir="\${prefix}/include" 
> --mandir="\${prefix}/share/man" --infodir="\${prefix}/share/info" 
> --sysconfdir=/etc --localstatedir=/var --libexecdir="\${prefix}/lib/dovecot" 
> --srcdir=. --disable-maintainer-mode --disable-dependency-tracking 
> --disable-silent-rules --libexecdir=/usr/lib --localstatedir=/var 
> --with-statedir=/var/lib/dovecot --with-moduledir=/usr/lib/dovecot/modules 
> --without-docs
> 
> I may provide a full build log if that would be helpful.
> To me that looks like not all binaries are built with the same CFLAGS / CXXFLAGS 
> / CPPFLAGS / LDFLAGS
> 
> Andreas

Hi! Dovecot 2.3 has hardening enabled.
 
Aki
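
The lintian note quoted above describes a heuristic over the libc symbols a binary imports. As an added example (not part of this thread and not lintian's own code), the script below approximates that idea on `readelf -W --dyn-syms` output: imported `__*_chk` wrappers count as fortified, plain calls that have such a wrapper count as unprotected. The `FORTIFIABLE` list, the function names and the sample symbol tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: approximates the idea behind hardening-no-fortify-functions.
# FORTIFIABLE is a short, constructed list of libc calls that have __*_chk
# variants (memcpy is left out, as the lintian note says it is ignored).
FORTIFIABLE="strcpy strncpy strcat strncat stpcpy sprintf snprintf vsprintf vsnprintf gets fgets read recv memmove memset"

# Reads `readelf -W --dyn-syms` output on stdin and prints
# "<yes|no|unknown> protected=N unprotected=M".
fortify_status() {
    awk -v list="$FORTIFIABLE" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $7 == "UND" && $4 == "FUNC" {        # imported functions only
            name = $8; sub(/@.*/, "", name)  # drop @GLIBC_x.y version suffix
            if (name ~ /^__.*_chk$/) prot++  # fortified wrapper, e.g. __sprintf_chk
            else if (name in want) unprot++  # plain call that has a wrapper
        }
        END {
            s = "unknown"                    # nothing fortifiable was imported
            if (prot > 0) s = "yes"
            else if (unprot > 0) s = "no"
            printf "%s protected=%d unprotected=%d\n", s, prot, unprot
        }'
}

# Run the classification on one ELF file (needs readelf from binutils).
check_elf() { readelf -W --dyn-syms "$1" 2>/dev/null | fortify_status; }

# Constructed readelf excerpts (not taken from a real dovecot build).
sample_plain() { cat <<'EOF'
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
EOF
}
sample_fortified() { cat <<'EOF'
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __sprintf_chk@GLIBC_2.3.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND read@GLIBC_2.2.5 (3)
EOF
}

# Usage: sh script.sh usr/lib/dovecot/auth usr/lib/dovecot/imap ...
for f in "$@"; do printf '%s: %s\n' "$f" "$(check_elf "$f")"; done
```

A result of `unknown` means the binary imports nothing from the list, which is one of the cases the lintian note itself names; `yes` with a non-zero unprotected count is normal, since the compiler only substitutes a wrapper where it can determine the destination size.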
