Re: [PATCH] PIE support
Justin Erenkrantz wrote: --On Friday, January 21, 2005 2:46 PM + Joe Orton <[EMAIL PROTECTED]> wrote: Modern versions of GCC/binutils/... support flags which allow building "Position Independent Executables". This a Security Feature (TM) which means that executables can be loaded at non-fixed locations, making it harder to write some types of exploit. ... Any objections for committing to the trunk? I'm fine with it in trunk, but I'd be against a 2.0 backport... -- justin What is the reason against a backport? As far as I know (Joe please correct me if I am wrong) it is already used for the Apache 2.0.x delivered with Red Hat AS 3.0 Upgrade 3 (and maybe Fedora???). So there is actually some test base for running Apache compiled with this option. I was also able to compile my own Apache and run it successfully on Red Hat AS 3.0 with this compiler option enabled. As the patch does not seem to make --enable-pie a default and this option only works on systems which have a supporting gcc installed I do not understand why it should not be backported. Regards RÃdiger
Calling for LDAP testers
Hi all, The APR(-util) 1.1.x branch is now at RC1, and a number of LDAP build fixes for SSL/TLS uspport for Solaris v2.8 and v2.9 and Novell have been committed to the v1.1.x branch. The SSL support in the Microsoft LDAP SDK still needs to be tested, as well as on other unix platforms. httpd trunk with the APR v1.1.x latest branch should compile and work with SSL/TLS and client certs (on condition the LDAP toolkit supports it), it would be useful to get some testing in before APR v1.1.0 goes final. It would also be cool if people could give feedback on the LDAP documentation to see if it makes sense to anybody. Any takers? Regards, Graham -- smime.p7s Description: S/MIME Cryptographic Signature
Re: [PATCH] PIE support
I'm wondering - we already have a pretty massive list of odds-n-ends option flags... does it make sense to; 1. make this default for GCC builds? 2. document how to use LDFLAGS/CFLAG to accomplish the same? It seems the mechanism already exists and proliferating flags gets a bit nutty. If we accept 1. above, then a flag to disable this feature seems sane. If we don't, it seems that libtool would be an even better place to teach "build PIE always" for those concerned with the possible security benefits. Bill At 12:52 PM 1/21/2005, Justin Erenkrantz wrote: >--On Friday, January 21, 2005 2:46 PM + Joe Orton <[EMAIL PROTECTED]> >wrote: > >>Modern versions of GCC/binutils/... support flags which allow building >>"Position Independent Executables". This a Security Feature (TM) which >>means that executables can be loaded at non-fixed locations, making it >>harder to write some types of exploit. >... >>Any objections for committing to the trunk? > >I'm fine with it in trunk, but I'd be against a 2.0 backport... -- justin >
Re: [PATCH] PIE support
--On Friday, January 21, 2005 2:46 PM + Joe Orton <[EMAIL PROTECTED]> wrote: Modern versions of GCC/binutils/... support flags which allow building "Position Independent Executables". This a Security Feature (TM) which means that executables can be loaded at non-fixed locations, making it harder to write some types of exploit. ... Any objections for committing to the trunk? I'm fine with it in trunk, but I'd be against a 2.0 backport... -- justin
[PATCH] PIE support
Modern versions of GCC/binutils/... support flags which allow building "Position Independent Executables". This a Security Feature (TM) which means that executables can be loaded at non-fixed locations, making it harder to write some types of exploit. It's slightly awkward to build httpd like this, since the compiler flag -fPIE must only be used when compiling an object which will not be linked into a shared object i.e. libapr or any DSO. Below is a patch which threads the flags into the right places and adds a configure flag "--enable-pie" to turn it all on. (it's an optional feature since PIE binaries confuse some debuggers so you don't necessarily want it on-by-default even if the toolchain supports the flags) Any objections for committing to the trunk? Index: configure.in === --- configure.in(revision 125927) +++ configure.in(working copy) @@ -394,6 +394,29 @@ APR_ADDTO(CPPFLAGS, -DAP_DEBUG) ])dnl +dnl Conditionally enable PIE support for GNU toolchains. +AC_ARG_ENABLE(pie,APACHE_HELP_STRING(--enable-pie,Build httpd as a Position Independent Executable)) +if test "$enable_pie" = "yes"; then + AC_CACHE_CHECK([whether $CC accepts PIE flags], [ap_cv_cc_pie], [ + save_CFLAGS=$CFLAGS + save_LDFLAGS=$LDFLAGS + CFLAGS="$CFLAGS -fPIE" + LDFLAGS="$LDFLAGS -pie" + AC_TRY_RUN([static int foo[3]; int main () { return 0; }], + [ap_cv_cc_pie=yes], [ap_cv_cc_pie=no], [ap_cv_cc_pie=yes]) + CFLAGS=$save_CFLAGS + LDFLAGS=$save_LDFLAGS + ]) + if test "$ap_cv_cc_pie" = "yes"; then + PICFLAGS="-fPIE" + PILDFLAGS="-pie" + else + AC_ERROR([--enable-pie requested but $CC failed using PIE flags]) + fi +fi +AC_SUBST(PICFLAGS) +AC_SUBST(PILDFLAGS) + prefix="$orig_prefix" APACHE_ENABLE_MODULES Index: build/rules.mk.in === --- build/rules.mk.in (revision 125927) +++ build/rules.mk.in (working copy) @@ -31,18 +31,21 @@ # Compile commands -COMPILE = $(CC) $(ALL_CFLAGS) $(ALL_CPPFLAGS) $(ALL_INCLUDES) -CXX_COMPILE = $(CXX) $(ALL_CXXFLAGS) $(ALL_CPPFLAGS) $(ALL_INCLUDES) +BASE_CC = $(CC) $(ALL_CFLAGS) $(ALL_CPPFLAGS) $(ALL_INCLUDES) +BASE_CXX = $(CXX) $(ALL_CXXFLAGS) $(ALL_CPPFLAGS) $(ALL_INCLUDES) -SH_COMPILE = $(LIBTOOL) --mode=compile $(COMPILE) @SHLTCFLAGS@ -c $< && touch $@ -SH_CXX_COMPILE = $(LIBTOOL) --mode=compile $(CXX_COMPILE) @SHLTCFLAGS@ -c $< && touch $@ +COMPILE = $(BASE_CC) @PICFLAGS@ +CXX_COMPILE = $(BASE_CXX) @PICFLAGS@ +SH_COMPILE = $(LIBTOOL) --mode=compile $(BASE_CC) @SHLTCFLAGS@ -c $< && touch $@ +SH_CXX_COMPILE = $(LIBTOOL) --mode=compile $(BASE_CXX) @SHLTCFLAGS@ -c $< && touch $@ + LT_COMPILE = $(LIBTOOL) --mode=compile $(COMPILE) @LTCFLAGS@ -c $< && touch $@ LT_CXX_COMPILE = $(LIBTOOL) --mode=compile $(CXX_COMPILE) @LTCFLAGS@ -c $< && touch $@ # Link-related commands -LINK = $(LIBTOOL) --mode=link $(CC) $(ALL_CFLAGS) $(LT_LDFLAGS) $(ALL_LDFLAGS) -o $@ +LINK = $(LIBTOOL) --mode=link $(CC) $(ALL_CFLAGS) @PILDFLAGS@ $(LT_LDFLAGS) $(ALL_LDFLAGS) -o $@ SH_LINK = $(SH_LIBTOOL) --mode=link $(CC) $(ALL_CFLAGS) $(LT_LDFLAGS) $(ALL_LDFLAGS) $(SH_LDFLAGS) $(CORE_IMPLIB) $(SH_LIBS) -o $@ MOD_LINK = $(LIBTOOL) --mode=link $(CC) $(ALL_CFLAGS) -static $(LT_LDFLAGS) $(ALL_LDFLAGS) -o $@