Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 19 May 2011 00:45:23 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple libraries privilege checking

On Tue, May 17, 2011 at 01:18:33PM +0200, Sebastian Krahmer wrote:
> I uploaded a openssl-1.0.0d patch to
> 
> http://suse.de/~krahmer/libs-vs-fscaps

Thank you!

> The prefered way is to check the dumpable flag via prctl() which
> is detected by the config script.

This is fail-open (at build time).  If the -e "/usr/include/sys/prctl.h"
check somehow fails, we silently get an insecure build.  Of course,
risks of this nature are extremely common, but we're trying to deal with
them.  In our package of rpm, we have the configure-presets script,
which looks like:

#!/bin/sh
# These autoconf variables are predefined to harden configure checks for
# security sensitive functions, and to speedup configure checks for
# most popular functions.
export ac_cv_func_alloca=yes
export ac_cv_func_asprintf=yes
export ac_cv_func_atexit=yes
export ac_cv_func_bcopy=yes
export ac_cv_func_dcgettext=yes
export ac_cv_func_fchdir=yes
...
export ac_cv_func_utimes=yes
export ac_cv_func_vasprintf=yes
export ac_cv_func_vfork=yes
export ac_cv_func_vprintf=yes
export ac_cv_func_vsnprintf=yes
export ac_cv_func_waitpid=yes
export ac_cv_func_wcslen=yes
export ac_cv_func_wcwidth=yes

This script is sourced in our %___build_pre macro.

Maybe you should simply drop the -e "/usr/include/sys/prctl.h" check,
leaving only the $target =~ /^linux/i check?

Thanks again,

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.