Date: Sat, 5 Nov 2011 20:13:58 +0400
From: "Dmitry V. Levin" <ldv@...linux.org>
To: owl-dev@...ts.openwall.com
Subject: Re: %optflags for new gcc

On Sat, Nov 05, 2011 at 07:21:24PM +0400, Solar Designer wrote:
> "Recent Linux distris have partial RELRO enabled by default (e.g. Ubuntu
> 8.10 and openSUSE 11.1). There is therefore no difference between "gcc
> testcase.c" and "gcc -Wl,-z,relro testcase.c" on these platforms."
> 
> To me, it seems to imply that they patched gcc or binutils to make
> "-z relro" the default.  Perhaps we need to do the same?  (For now, I
> added -Wl,-z,relro to our %optflags*.)

In Sisyphus, I changed gcc LINK_COMMAND_SPEC to pass -z relro to the
linker by default.  That was more than 3 years ago.

> And it's a curious comment that "some vendors have patched the gcc to
> make this option default" (regarding -fstack-protector).  Do you know
> any examples?  Maybe Ubuntu (just a guess)?

In Sisyphus, I changed gcc spec to use -D_FORTIFY_SOURCE=2 and
-fstack-protector by default.  That was more than 5 years ago.
There were some workarounds made in several packages, but
I don't remember any details.


-- 
ldv
