Description of problem: FESCo requires some packages to use PIE and relro hardening by default. This page contains that list: https://fedoraproject.org/wiki/Hardened_Packages openssh-askpass uses only Partial RELRO instead of Full RELRO and PIE is not enabeld. Please comment if this is acceptable or should be changed ? ---------- openssh-7.1p1-2.fc24.src.rpm /mnt/fedora/Packages/o/openssh-askpass-7.1p1-2.fc24.x86_64.rpm RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH ./usr/libexec/openssh/gnome-ssh-askpass
gnome-ssh-askpass is "A passphrase dialog for OpenSSH and X". It is not * long running. * suid binary * running as root (if you don't have root desktop) * accepting/processing untrusted input it communicates only locally with ssh-client, if there is no terminal to ask for password. This means that it is not MUST nor SHOULD, except the thing that the root package is on the list. Anyway I tried to figure out what can I do about it, when global hardening flag doesn't hepl, but I don't have a luck with stack canary: RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Full RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH /root/rpmbuild/BUILDROOT/openssh-7.1p1-2.fc24.x86_64/usr/libexec/openssh/gnome-ssh-askpass The binary is build using this command (added "-pie -Wl,-z,now" to CFLAGS since your results): cc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -fvisibility=hidden -fpic -I/usr/include/gssapi -pie -Wl,-z,now `pkg-config --cflags gtk+-2.0` gnome-ssh-askpass2.c -o gnome-ssh-askpass2 `pkg-config --libs gtk+-2.0 x11` Do you have any hints?
(In reply to Jakub Jelen from comment #1) > gnome-ssh-askpass is "A passphrase dialog for OpenSSH and X". It is not > * long running. > * suid binary > * running as root (if you don't have root desktop) > * accepting/processing untrusted input > it communicates only locally with ssh-client, if there is no terminal to ask > for password. > > This means that it is not MUST nor SHOULD, except the thing that the root > package is on the list. > > Anyway I tried to figure out what can I do about it, when global hardening > flag doesn't hepl, but I don't have a luck with stack canary: > > RELRO STACK CANARY NX PIE RPATH > RUNPATH FILE > Full RELRO No canary found NX enabled PIE enabled No RPATH > No RUNPATH > /root/rpmbuild/BUILDROOT/openssh-7.1p1-2.fc24.x86_64/usr/libexec/openssh/ > gnome-ssh-askpass > > > The binary is build using this command (added "-pie -Wl,-z,now" to CFLAGS > since your results): > > cc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 > -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 > -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 > -mtune=generic -fvisibility=hidden -fpic -I/usr/include/gssapi -pie > -Wl,-z,now `pkg-config --cflags gtk+-2.0` gnome-ssh-askpass2.c -o > gnome-ssh-askpass2 `pkg-config --libs gtk+-2.0 x11` > > Do you have any hints? Your current status is fine. Sometimes there isn't need for canary protection, see https://lists.fedoraproject.org/pipermail/devel/2015-September/214669.html https://lists.fedoraproject.org/pipermail/devel/2015-September/214694.html
Thanks for clarification. I will update the package soon.
openssh-7.1p1-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-8774808146
openssh-7.1p1-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update openssh' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-8774808146
openssh-7.1p1-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.