I brought this topic up the other day and only got a single response (thanks to Aaron Walker :-) ) on the subject. At the end of this email is my original question and the response that I received.
> Hello people ,
>
> This pops up after emerging xorg-6.8.1.901 , xorg-6.8.1.902 , and
> probably others , but I am sure only about these two.
>
> QA Notice: /usr/X11R6/bin/Xorg is setXid, dynamically linked and using
> lazy bindings.
> This combination is generally discouraged. Try: LDFLAGS='-Wl,-z,now'
> emerge xorg-x11
>
> What does this mean ? Should I put LDFLAGS='-Wl,-z,now'
> in /etc/make.conf ( don't want to type it every time ) ? And if this
> LDFLAGS are good , why not make the ebuild set them , or at least tell
> me BEFORE everything is compiled and installed.
>
> --
> Thanks,
> Ivan Yosifov.
>
> ---------------------------------------------------------------------------
> From: Tres Melton <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Per package environment variables
> Date: Mon, 03 Jan 2005 05:18:14 -0700
>
> While emerging something I received the following message:
>
> QA Notice: /usr/bin/sudo is setXid, dynamically linked and using lazy
> bindings. This combination is generally discouraged. Try:
> LDFLAGS='-Wl,-z,now' emerge sudo
>
> My questions are:
> 1) Is there a USE variable that enables safe linking of SUID packages
> automatically?
> 2) Is there a file like /etc/portage/package.env-var where environment
> variables can be set (or appended to) on a per-package basis? The
> suggestion given above is not remembered anymore than setting a USE flag
> on the command line is. It is also somewhat flawed when emerging the
> world and I don't want those link flags applied to every package that
> needs updating in my world, just the ones that will be installed SUID.
> 3) Is there a list of packages somewhere that should be linked in this
> manner? If I'm working on the computer then I can change over to the
> terminal doing the emerge and restart it with the safe link flags but
> most of the time I never notice.
> 4) Is there someway to search the emerge logs for either the notice
> above or for the lazy link flags and then cross reference them with
> every SUID program that has been installed?
>
> Thanks in advance. :-)
>
> --
> Tres Melton
> [EMAIL PROTECTED]
>
> -----------------------------------------------------------------------------
> From: Aaron Walker <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: [gentoo-user] Per package environment variables
> Date: Tue, 04 Jan 2005 04:24:58 -0500 (02:24 MST)
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Tres Melton wrote:
> | While emerging something I received the following message:
> |
> | QA Notice: /usr/bin/sudo is setXid, dynamically linked and using lazy
> | bindings. This combination is generally discouraged. Try:
> | LDFLAGS='-Wl,-z,now' emerge sudo
> |
> | My questions are:
> | 1) Is there a USE variable that enables safe linking of SUID packages
> | automatically?
>
> No (see bottom for explanation).
>
> | 2) Is there a file like /etc/portage/package.env-var where environment
> | variables can be set (or appended to) on a per-package basis? The
> | suggestion given above is not remembered anymore than setting a USE flag
> | on the command line is. It is also somewhat flawed when emerging the
> | world and I don't want those link flags applied to every package that
> | needs updating in my world, just the ones that will be installed SUID.
>
> I vaguely remember someone hacking something together to do this. You might
> try browsing through the gentoo-dev ML archives. I know that this has been
> discussed before.
>
> | 3) Is there a list of packages somewhere that should be linked in this
> | manner? If I'm working on the computer then I can change over to the
> | terminal doing the emerge and restart it with the safe link flags but
> | most of the time I never notice.
>
> No.
>
> | 4) Is there someway to search the emerge logs for either the notice
> | above or for the lazy link flags and then cross reference them with
> | every SUID program that has been installed?
>
> The only way this would be possible, would be to set PORT_LOGDIR and then maybe
> setup a cron job to grep the logs. Maybe something like
>
> grep -r setXid ${PORT_LOGDIR}
>
> and of course replace PORT_LOGDIR with the appropriate directory.
>
> All that said, it's not the user's responsibility to set LDFLAGS to solve the
> lazy binding issue. This is something that should be done in the ebuild (via
> the append-ldflags function from flag-o-matic.eclass). When finding an ebuild
> that doesn't, the proper course of action would be to submit a bug at
> http://bugs.gentoo.org/.
>
> Cheers
> - --
> When we talk of tomorrow, the gods laugh.
>
> Aaron Walker <[EMAIL PROTECTED]> http://dev.gentoo.org/~ka0ttic/
> Gentoo/BSD | cron | shell-tools http://butsugenjitemple.org/~ka0ttic/
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.0 (GNU/Linux)
>
> iD8DBQFB2mDqC3poscuANHARAkNFAKC7BF0633a3ygsFlkXx9KpV8srNgQCfZBNy
> P3/mPpXA48CBB3B2lO6cI2c=
> =pWxA
> -----END PGP SIGNATURE-----
>

Those messages are scattered throughout the system in many places but I haven't taken the time to file bug reports as suggested because the only other person that uses my computer locally is my girlfriend and I have to keep telling her not to install Micro$oft plug-ins into Mozilla because that is what keeps blowing up her desktop. (And she wonders why I will not give her my passwords for the machine!) She is not someone capable of creating an exploit for that vulnerability, or any other one.

--
cheers, boater
--
gentoo-user@gentoo.org mailing list
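
Question 4 in the quoted thread asks how to cross-reference installed setXid programs with lazy binding. The script below is an added example, not part of any of the e-mails: it inspects the installed binaries directly and also extracts paths from saved build logs. It assumes binutils `readelf` is installed and that logs were kept via PORT_LOGDIR; all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Read `readelf -d` output on stdin and print one of:
#   static  no DT_NEEDED entry (not dynamically linked, or not an ELF file)
#   now     BIND_NOW, or the NOW flag in FLAGS_1, is set (linked with -z now)
#   lazy    dynamically linked with no immediate-binding marker
classify_binding() {
    awk '
        /\(NEEDED\)/                { dynamic = 1 }
        /\(BIND_NOW\)/              { now = 1 }
        /\(FLAGS\)/ && /BIND_NOW/   { now = 1 }
        /\(FLAGS_1\)/ && /NOW/      { now = 1 }
        END {
            if (!dynamic)  print "static"
            else if (now)  print "now"
            else           print "lazy"
        }'
}

# Print every setuid/setgid regular file under the given directories that
# classify_binding reports as "lazy".
audit_setxid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        state=$(readelf -d "$f" 2>/dev/null | classify_binding)
        if [ "$state" = "lazy" ]; then printf 'lazy setXid: %s\n' "$f"; fi
    done
    return 0
}

# Pull the binary paths out of saved build logs (stdin) that contain the
# QA notice quoted in the thread.
notice_paths() {
    sed -n 's|.*QA Notice: \(/[^ ]*\) is setXid.*|\1|p' | sort -u
}

# Constructed sample of a dynamic section without BIND_NOW.
sample_lazy() {
    printf '%s\n' \
        ' 0x00000001 (NEEDED)    Shared library: [libc.so.6]' \
        ' 0x0000000c (INIT)      0x8048b0c'
}

# Scan only when asked: sh audit.sh --scan /bin /usr/bin /usr/X11R6/bin
if [ "${1:-}" = "--scan" ]; then
    shift
    audit_setxid "$@"
fi
```

For the log side, feed the saved logs through the extractor, for example `cat "$PORT_LOGDIR"/* | notice_paths`; a binary that still appears in the `--scan` output after a rebuild was not relinked with `-z now`.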