https://fedoraproject.org/wiki/Packaging:Guidelines?rd=Packaging/Guidelines#PIE
If your package meets any of the following criteria you MUST enable the PIE compiler flags:
* Your package is long running
* Your package runs as root
________________________________________________
i do not find a "kde" package including all subpackages so no better idea than to file it against baseapps
i consider KDE as a long running application because usually you login in the morning, start your work and most kde processes are running until you logout - in case of 24/7 machines even for days
________________________________________________
as you can see most processes (after a lot of bugreports, one of them resulting in kdm hardened because it runs without a user-session and some outstanding but reported for non-kde-packages like firefox/thunderbird) are in the meantime hardened (output of checksec --proc-all)
COMMAND         PID    RELRO          STACK CANARY     NX/PaX      PIE
systemd         1      Full RELRO     Canary found     NX enabled  PIE enabled
kdm             1014   Full RELRO     Canary found     NX enabled  PIE enabled
pure-ftpd       1031   Full RELRO     Canary found     NX enabled  PIE enabled
colord          1051   Full RELRO     Canary found     NX enabled  PIE enabled
fping           10889  Full RELRO     Canary found     NX enabled  PIE enabled
konsole         12313  Partial RELRO  Canary found     NX enabled  No PIE
ssh             12500  Full RELRO     Canary found     NX enabled  PIE enabled
ssh             12766  Full RELRO     Canary found     NX enabled  PIE enabled
alltray         12769  Partial RELRO  Canary found     NX enabled  No PIE
ssh             12868  Full RELRO     Canary found     NX enabled  PIE enabled
sshd            12869  Full RELRO     Canary found     NX enabled  PIE enabled
httpd           13248  Full RELRO     Canary found     NX enabled  PIE enabled
ksystraycmd     13672  Partial RELRO  Canary found     NX enabled  No PIE
ssh             13753  Full RELRO     Canary found     NX enabled  PIE enabled
httpd           14300  Full RELRO     Canary found     NX enabled  PIE enabled
httpd           14301  Full RELRO     Canary found     NX enabled  PIE enabled
ssh             14535  Full RELRO     Canary found     NX enabled  PIE enabled
sshd            14536  Full RELRO     Canary found     NX enabled  PIE enabled
httpd           14833  Full RELRO     Canary found     NX enabled  PIE enabled
httpd           14834  Full RELRO     Canary found     NX enabled  PIE enabled
httpd           14835  Full RELRO     Canary found     NX enabled  PIE enabled
httpd           14836  Full RELRO     Canary found     NX enabled  PIE enabled
httpd           14946  Full RELRO     Canary found     NX enabled  PIE enabled
httpd           14949  Full RELRO     Canary found     NX enabled  PIE enabled
httpd           14950  Full RELRO     Canary found     NX enabled  PIE enabled
gvfsd-http      28082  Partial RELRO  Canary found     NX enabled  No PIE
dhclient        3957   Full RELRO     Canary found     NX enabled  PIE enabled
rsyslogd        4015   Full RELRO     Canary found     NX enabled  PIE enabled
dbmail-timsieve 4017   Full RELRO     Canary found     NX enabled  PIE enabled
monitor-httpd.p 4020   Full RELRO     Canary found     NX enabled  PIE enabled
dbmail-lmtpd    4022   Full RELRO     Canary found     NX enabled  PIE enabled
dbmail-imapd    4030   Full RELRO     Canary found     NX enabled  PIE enabled
dovecot         4031   Full RELRO     Canary found     NX enabled  PIE enabled
sshd            4033   Full RELRO     Canary found     NX enabled  PIE enabled
mpd             4034   Full RELRO     Canary found     NX enabled  PIE enabled
apcupsd         4041   Full RELRO     Canary found     NX enabled  PIE enabled
vmware-usbarbit 4075   Full RELRO     Canary found     NX enabled  No PIE
systemd         4083   Full RELRO     Canary found     NX enabled  PIE enabled
(sd-pam)        4092   Full RELRO     Canary found     NX enabled  PIE enabled
vmnet-bridge    4098   Full RELRO     Canary found     NX enabled  PIE enabled
vmnet-bridge    4104   Full RELRO     Canary found     NX enabled  PIE enabled
dhcpd           4123   Full RELRO     Canary found     NX enabled  PIE enabled
openvpn         4130   Full RELRO     Canary found     NX enabled  PIE enabled
dhcpd           4132   Full RELRO     Canary found     NX enabled  PIE enabled
ntpd            4135   Full RELRO     Canary found     NX enabled  PIE enabled
hostapd         4141   Full RELRO     Canary found     NX enabled  PIE enabled
vmware-authdlau 4164   Full RELRO     Canary found     NX enabled  PIE enabled
mediatomb       4202   Full RELRO     Canary found     NX enabled  PIE enabled
imap-login      4282   Full RELRO     Canary found     NX enabled  PIE enabled
anvil           4283   Full RELRO     Canary found     NX enabled  PIE enabled
log             4284   Full RELRO     Canary found     NX enabled  PIE enabled
config          4286   Full RELRO     Canary found     NX enabled  PIE enabled
vmnet-natd      4323   Full RELRO     Canary found     NX enabled  No PIE
vmnet-netifup   4325   Full RELRO     Canary found     NX enabled  PIE enabled
vmnet-dhcpd     4332   Full RELRO     Canary found     NX enabled  PIE enabled
master          4372   Full RELRO     Canary found     NX enabled  PIE enabled
qmgr            4374   Full RELRO     Canary found     NX enabled  PIE enabled
proxymap        4375   Full RELRO     Canary found     NX enabled  PIE enabled
smbd            4382   Full RELRO     Canary found     NX enabled  PIE enabled
smbd            4399   Full RELRO     Canary found     NX enabled  PIE enabled
systemd-journal 495    Full RELRO     Canary found     NX enabled  PIE enabled
systemd-udevd   519    Full RELRO     Canary found     NX enabled  PIE enabled
named           6205   Full RELRO     Canary found     NX enabled  PIE enabled
hostapd         6207   Full RELRO     Canary found     NX enabled  PIE enabled
qbittorrent-nox 6209   Full RELRO     Canary found     NX enabled  PIE enabled
systemd         6351   Full RELRO     Canary found     NX enabled  PIE enabled
systemd         6354   Full RELRO     Canary found     NX enabled  PIE enabled
systemd         6358   Full RELRO     Canary found     NX enabled  PIE enabled
(sd-pam)        6360   Full RELRO     Canary found     NX enabled  PIE enabled
(sd-pam)        6365   Full RELRO     Canary found     NX enabled  PIE enabled
systemd         6366   Full RELRO     Canary found     NX enabled  PIE enabled
(sd-pam)        6371   Full RELRO     Canary found     NX enabled  PIE enabled
(sd-pam)        6380   Full RELRO     Canary found     NX enabled  PIE enabled
startkde        6943   Partial RELRO  Canary found     NX enabled  No PIE
dbus-launch     6956   Full RELRO     Canary found     NX enabled  PIE enabled
dbus-daemon     6957   Full RELRO     Canary found     NX enabled  PIE enabled
ssh-agent       6964   Full RELRO     Canary found     NX enabled  PIE enabled
gpg-agent       7006   Partial RELRO  Canary found     NX enabled  No PIE
start_kdeinit   7021   Partial RELRO  Canary found     NX enabled  No PIE
kdeinit4        7022   Partial RELRO  Canary found     NX enabled  No PIE
klauncher       7023   Partial RELRO  Canary found     NX enabled  No PIE
kded4           7025   Partial RELRO  Canary found     NX enabled  No PIE
gam_server      7027   Partial RELRO  Canary found     NX enabled  No PIE
kglobalaccel    7041   Partial RELRO  Canary found     NX enabled  No PIE
kwrapper4       7045   Partial RELRO  Canary found     NX enabled  No PIE
ksmserver       7046   Partial RELRO  Canary found     NX enabled  No PIE
kwin            7048   Partial RELRO  No canary found  NX enabled  No PIE
kactivitymanage 7051   Partial RELRO  Canary found     NX enabled  No PIE
krunner         7059   Partial RELRO  Canary found     NX enabled  No PIE
plasma-desktop  7061   Partial RELRO  Canary found     NX enabled  No PIE
upowerd         7063   Full RELRO     Canary found     NX enabled  PIE enabled
polkitd         7070   Full RELRO     Canary found     NX enabled  PIE enabled
udisksd         7103   Full RELRO     Canary found     NX enabled  PIE enabled
lancelot        7104   Partial RELRO  Canary found     NX enabled  No PIE
akonadi_control 7113   Partial RELRO  Canary found     NX enabled  No PIE
akonadiserver   7115   Partial RELRO  Canary found     NX enabled  No PIE
ksysguardd      7130   Partial RELRO  Canary found     NX enabled  No PIE
kuiserver       7137   Partial RELRO  No canary found  NX enabled  No PIE
kaccess         7144   Partial RELRO  Canary found     NX enabled  No PIE
firefox         7149   Partial RELRO  Canary found     NX enabled  No PIE
kopete          7158   Partial RELRO  Canary found     NX enabled  No PIE
konqueror       7161   Partial RELRO  Canary found     NX enabled  No PIE
klipper         7176   Partial RELRO  Canary found     NX enabled  No PIE
polkit-kde-auth 7178   Partial RELRO  Canary found     NX enabled  No PIE
kmix            7179   Partial RELRO  Canary found     NX enabled  No PIE
knemo           7184   Partial RELRO  Canary found     NX enabled  No PIE
gvfsd           7189   Partial RELRO  Canary found     NX enabled  No PIE
knotify4        7190   Partial RELRO  Canary found     NX enabled  No PIE
konqueror       7201   Partial RELRO  Canary found     NX enabled  No PIE
at-spi-bus-laun 7230   Partial RELRO  Canary found     NX enabled  No PIE
kwalletd        7243   Partial RELRO  Canary found     NX enabled  No PIE
alsactl         735    Partial RELRO  Canary found     NX enabled  No PIE
rtkit-daemon    747    Full RELRO     Canary found     NX enabled  PIE enabled
haveged         755    Partial RELRO  Canary found     NX enabled  No PIE
smartd          756    Full RELRO     Canary found     NX enabled  PIE enabled
mdadm           760    Partial RELRO  Canary found     NX enabled  No PIE
rngd            761    Partial RELRO  Canary found     NX enabled  No PIE
vnstatd         776    Full RELRO     Canary found     NX enabled  PIE enabled
mysqld          778    Full RELRO     Canary found     NX enabled  PIE enabled
avahi-daemon    781    Full RELRO     Canary found     NX enabled  PIE enabled
ksystraycmd     7813   Partial RELRO  Canary found     NX enabled  No PIE
avahi-daemon    784    Full RELRO     Canary found     NX enabled  PIE enabled
irqbalance      786    Full RELRO     Canary found     NX enabled  PIE enabled
ksystraycmd     7967   Partial RELRO  Canary found     NX enabled  No PIE
thunderbird     7969   Partial RELRO  Canary found     NX enabled  No PIE
ssl-params      8042   Full RELRO     Canary found     NX enabled  PIE enabled
mysqld          805    Full RELRO     Canary found     NX enabled  PIE enabled
ipc             8055   Full RELRO     Canary found     NX enabled  PIE enabled
cupsd           806    Full RELRO     Canary found     NX enabled  PIE enabled
mpdscribble     808    Full RELRO     Canary found     NX enabled  PIE enabled
systemd-logind  809    Full RELRO     Canary found     NX enabled  PIE enabled
dbus-daemon     810    Full RELRO     Canary found     NX enabled  PIE enabled
crond           815    Full RELRO     Canary found     NX enabled  PIE enabled
kdm             816    Full RELRO     Canary found     NX enabled  PIE enabled
preload         818    Full RELRO     Canary found     NX enabled  PIE enabled
X               820    Partial RELRO  Canary found     NX enabled  No PIE
acpid           831    Full RELRO     Canary found     NX enabled  PIE enabled
pulseaudio      887    Full RELRO     Canary found     NX enabled  PIE enabled
________________________________________________
No PIE
konsole         12313  Partial RELRO  Canary found     NX enabled  No PIE
alltray         12769  Partial RELRO  Canary found     NX enabled  No PIE
ksystraycmd     13672  Partial RELRO  Canary found     NX enabled  No PIE
gvfsd-http      28082  Partial RELRO  Canary found     NX enabled  No PIE
vmware-usbarbit 4075   Full RELRO     Canary found     NX enabled  No PIE
vmnet-natd      4323   Full RELRO     Canary found     NX enabled  No PIE
startkde        6943   Partial RELRO  Canary found     NX enabled  No PIE
gpg-agent       7006   Partial RELRO  Canary found     NX enabled  No PIE
start_kdeinit   7021   Partial RELRO  Canary found     NX enabled  No PIE
kdeinit4        7022   Partial RELRO  Canary found     NX enabled  No PIE
klauncher       7023   Partial RELRO  Canary found     NX enabled  No PIE
kded4           7025   Partial RELRO  Canary found     NX enabled  No PIE
gam_server      7027   Partial RELRO  Canary found     NX enabled  No PIE
kglobalaccel    7041   Partial RELRO  Canary found     NX enabled  No PIE
kwrapper4       7045   Partial RELRO  Canary found     NX enabled  No PIE
ksmserver       7046   Partial RELRO  Canary found     NX enabled  No PIE
kwin            7048   Partial RELRO  No canary found  NX enabled  No PIE
kactivitymanage 7051   Partial RELRO  Canary found     NX enabled  No PIE
krunner         7059   Partial RELRO  Canary found     NX enabled  No PIE
plasma-desktop  7061   Partial RELRO  Canary found     NX enabled  No PIE
lancelot        7104   Partial RELRO  Canary found     NX enabled  No PIE
akonadi_control 7113   Partial RELRO  Canary found     NX enabled  No PIE
akonadiserver   7115   Partial RELRO  Canary found     NX enabled  No PIE
ksysguardd      7130   Partial RELRO  Canary found     NX enabled  No PIE
kuiserver       7137   Partial RELRO  No canary found  NX enabled  No PIE
kaccess         7144   Partial RELRO  Canary found     NX enabled  No PIE
firefox         7149   Partial RELRO  Canary found     NX enabled  No PIE
kopete          7158   Partial RELRO  Canary found     NX enabled  No PIE
konqueror       7161   Partial RELRO  Canary found     NX enabled  No PIE
klipper         7176   Partial RELRO  Canary found     NX enabled  No PIE
polkit-kde-auth 7178   Partial RELRO  Canary found     NX enabled  No PIE
kmix            7179   Partial RELRO  Canary found     NX enabled  No PIE
knemo           7184   Partial RELRO  Canary found     NX enabled  No PIE
gvfsd           7189   Partial RELRO  Canary found     NX enabled  No PIE
knotify4        7190   Partial RELRO  Canary found     NX enabled  No PIE
konqueror       7201   Partial RELRO  Canary found     NX enabled  No PIE
at-spi-bus-laun 7230   Partial RELRO  Canary found     NX enabled  No PIE
kwalletd        7243   Partial RELRO  Canary found     NX enabled  No PIE
alsactl         735    Partial RELRO  Canary found     NX enabled  No PIE
haveged         755    Partial RELRO  Canary found     NX enabled  No PIE
mdadm           760    Partial RELRO  Canary found     NX enabled  No PIE
rngd            761    Partial RELRO  Canary found     NX enabled  No PIE
ksystraycmd     7813   Partial RELRO  Canary found     NX enabled  No PIE
ksystraycmd     7967   Partial RELRO  Canary found     NX enabled  No PIE
thunderbird     7969   Partial RELRO  Canary found     NX enabled  No PIE
X               820    Partial RELRO  Canary found     NX enabled  No PIE
________________________________________________
Partial RELRO
konsole         12313  Partial RELRO  Canary found     NX enabled  No PIE
alltray         12769  Partial RELRO  Canary found     NX enabled  No PIE
ksystraycmd     13672  Partial RELRO  Canary found     NX enabled  No PIE
gvfsd-http      28082  Partial RELRO  Canary found     NX enabled  No PIE
startkde        6943   Partial RELRO  Canary found     NX enabled  No PIE
gpg-agent       7006   Partial RELRO  Canary found     NX enabled  No PIE
start_kdeinit   7021   Partial RELRO  Canary found     NX enabled  No PIE
kdeinit4        7022   Partial RELRO  Canary found     NX enabled  No PIE
klauncher       7023   Partial RELRO  Canary found     NX enabled  No PIE
kded4           7025   Partial RELRO  Canary found     NX enabled  No PIE
gam_server      7027   Partial RELRO  Canary found     NX enabled  No PIE
kglobalaccel    7041   Partial RELRO  Canary found     NX enabled  No PIE
kwrapper4       7045   Partial RELRO  Canary found     NX enabled  No PIE
ksmserver       7046   Partial RELRO  Canary found     NX enabled  No PIE
kwin            7048   Partial RELRO  No canary found  NX enabled  No PIE
kactivitymanage 7051   Partial RELRO  Canary found     NX enabled  No PIE
krunner         7059   Partial RELRO  Canary found     NX enabled  No PIE
plasma-desktop  7061   Partial RELRO  Canary found     NX enabled  No PIE
lancelot        7104   Partial RELRO  Canary found     NX enabled  No PIE
akonadi_control 7113   Partial RELRO  Canary found     NX enabled  No PIE
akonadiserver   7115   Partial RELRO  Canary found     NX enabled  No PIE
ksysguardd      7130   Partial RELRO  Canary found     NX enabled  No PIE
kuiserver       7137   Partial RELRO  No canary found  NX enabled  No PIE
kaccess         7144   Partial RELRO  Canary found     NX enabled  No PIE
firefox         7149   Partial RELRO  Canary found     NX enabled  No PIE
kopete          7158   Partial RELRO  Canary found     NX enabled  No PIE
konqueror       7161   Partial RELRO  Canary found     NX enabled  No PIE
klipper         7176   Partial RELRO  Canary found     NX enabled  No PIE
polkit-kde-auth 7178   Partial RELRO  Canary found     NX enabled  No PIE
kmix            7179   Partial RELRO  Canary found     NX enabled  No PIE
knemo           7184   Partial RELRO  Canary found     NX enabled  No PIE
gvfsd           7189   Partial RELRO  Canary found     NX enabled  No PIE
knotify4        7190   Partial RELRO  Canary found     NX enabled  No PIE
konqueror       7201   Partial RELRO  Canary found     NX enabled  No PIE
at-spi-bus-laun 7230   Partial RELRO  Canary found     NX enabled  No PIE
kwalletd        7243   Partial RELRO  Canary found     NX enabled  No PIE
alsactl         735    Partial RELRO  Canary found     NX enabled  No PIE
haveged         755    Partial RELRO  Canary found     NX enabled  No PIE
mdadm           760    Partial RELRO  Canary found     NX enabled  No PIE
rngd            761    Partial RELRO  Canary found     NX enabled  No PIE
ksystraycmd     7813   Partial RELRO  Canary found     NX enabled  No PIE
ksystraycmd     7967   Partial RELRO  Canary found     NX enabled  No PIE
thunderbird     7969   Partial RELRO  Canary found     NX enabled  No PIE
X               820    Partial RELRO  Canary found     NX enabled  No PIE
________________________________________________
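The ELF properties that the PIE and RELRO columns in the checksec output above refer to can be read straight from a binary's headers. The following is an added example, not part of the original report and not checksec's own code; `check_elf` and `build_sample` are hypothetical names, the sample images are constructed, and only 64-bit little-endian ELF files are handled (the stack canary and NX columns are not covered).

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3                        # e_type values
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552      # program header types
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1              # flag bits in DT_FLAGS / DT_FLAGS_1
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"   # ELF64 little-endian layouts


def check_elf(data):
    """Return the PIE and RELRO status of a 64-bit little-endian ELF image."""
    if len(data) < struct.calcsize(EHDR) or data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a 64-bit little-endian ELF file")
    hdr = struct.unpack_from(EHDR, data)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    relro = bind_now = False
    for i in range(e_phnum):
        ph = struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)
        p_type, p_offset, p_filesz = ph[0], ph[2], ph[5]
        if p_type == PT_GNU_RELRO:            # segment remapped read-only after relocation
            relro = True
        elif p_type == PT_DYNAMIC:            # look for "resolve all symbols at startup"
            for off in range(p_offset, p_offset + p_filesz, struct.calcsize(DYN)):
                tag, val = struct.unpack_from(DYN, data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    return {
        # ET_DYN is also the type of shared libraries, which are position independent by design
        "pie": "PIE enabled" if e_type == ET_DYN else "No PIE",
        "relro": "Full RELRO" if relro and bind_now
                 else "Partial RELRO" if relro else "No RELRO",
    }


def build_sample(e_type, dyn_entries, relro=True):
    """Constructed sample input: an ELF64 image holding only headers and a dynamic section."""
    dyn = b"".join(struct.pack(DYN, t, v) for t, v in list(dyn_entries) + [(DT_NULL, 0)])
    types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = struct.calcsize(EHDR) + struct.calcsize(PHDR) * len(types)
    phdrs = b"".join(struct.pack(PHDR, t, 4, dyn_off, 0, 0, len(dyn), len(dyn), 8) for t in types)
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + bytes(9), e_type, 62, 1, 0,
                       struct.calcsize(EHDR), 0, 0, 64, 56, len(types), 0, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    for path in sys.argv[1:]:                 # e.g. /proc/<pid>/exe of a running process
        with open(path, "rb") as f:
            print(path, check_elf(f.read()))
    print("constructed hardened image:", check_elf(build_sample(ET_DYN, [(DT_FLAGS, DF_BIND_NOW)])))
    print("constructed non-PIE image: ", check_elf(build_sample(ET_EXEC, [])))
```
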
We could consider it at some point, but this is now getting into a slippery slope, where one could argue building almost the entire distro hardened.
Though, if firefox/thunderbird have done it, probably makes sense for other browsers and mail clients to follow suit. I assume xulrunner is hardened too?
> where one could argue building almost the entire distro hardened
i would even consider this, but for now i am most interested in the processes running 24 hours a day on my always-on home-machine
> Though, if firefox/thunderbird have done it, probably makes sense
> for other browsers
in fact yes - reading the packaging guidelines about "untrusted input" these days there is hardly an application which has to deal more with untrusted input than a browser
> I assume xulrunner is hardened too
currently not but realized upstream
https://bugzilla.redhat.com/show_bug.cgi?id=973458
___________________________________________________
maybe this bugreport from yesterday is interesting in the overall-context
https://bugzilla.redhat.com/show_bug.cgi?id=1048416#c7
BTW:
> where one could argue building almost the entire distro hardened
the fact that F20 is using -fstack-protector-strong instead of only -fstack-protector goes in that direction - these days security gets more attention than ever before thanks to Edward Snowden again
If FESCo, et al, want a full distro-hardening, that's a bit out of scope here.
> If FESCo, et al, want a full distro-hardening, that's a bit out of scope here
pretty clear for me too, that's why for now i wrote only a bugreport in case of KDE because the KDE SIG is more or less independent and in case of making more secure packages there should be no great veto from anybody
after the desktop itself is hardened and services must be in any case the whole distribution is more or less hardened because dynamic libraries are PIE by design
Back to something ontopic... :) So, this stack of stuff probably ought to be included in hardening: khtml(kdelibs), qtwebkit, kwebkitpart, konqueror(kde-baseapps)
agreed, somewhere needs to be started
i would like to add kopete here too because it deals with "untrusted userinput" and in case of ICQ and see what amount of russian spam comes in and needs to be filtered.......
qtwebkit-2.3.3-18.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/qtwebkit-2.3.3-18.fc21
qtwebkit-2.3.3-18.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
qtwebkit-2.3.4-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/qtwebkit-2.3.4-1.fc20
qtwebkit-2.3.4-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/qtwebkit-2.3.4-1.fc19
qtwebkit-2.3.4-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
qtwebkit-2.3.4-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This message is a reminder that Fedora 20 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 20. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '20'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 20 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 20 changed to end-of-life (EOL) status on 2015-06-23. Fedora 20 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.