Bug 1264036 - Partial RELRO and No PIE for openssh-askpass
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: openssh
Version: rawhide
Assigned To: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-09-17 07:28 EDT by Alexander Todorov
Modified: 2015-10-01 12:01 EDT
Fixed In Version: openssh-7.1p1-3.fc23
Doc Type: Bug Fix
Last Closed: 2015-10-01 12:01:44 EDT
Type: Bug
Description Alexander Todorov 2015-09-17 07:28:30 EDT
Description of problem:


FESCo requires some packages to use PIE and relro hardening by default. This page contains that list:
https://fedoraproject.org/wiki/Hardened_Packages

openssh-askpass uses only Partial RELRO instead of Full RELRO and PIE is not enabled. Please comment if this is acceptable or should be changed?



----------
openssh-7.1p1-2.fc24.src.rpm
/mnt/fedora/Packages/o/openssh-askpass-7.1p1-2.fc24.x86_64.rpm
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   ./usr/libexec/openssh/gnome-ssh-askpass
Comment 1 Jakub Jelen 2015-09-17 12:09:03 EDT
gnome-ssh-askpass is "A passphrase dialog for OpenSSH and X". It is not
 * long running.
 * suid binary
 * running as root (if you don't have root desktop)
 * accepting/processing untrusted input
it communicates only locally with ssh-client, if there is no terminal to ask for password.

This means that it is not MUST nor SHOULD, except the thing that the root package is on the list.

Anyway I tried to figure out what I can do about it, when global hardening flag doesn't help, but I don't have any luck with stack canary:

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   /root/rpmbuild/BUILDROOT/openssh-7.1p1-2.fc24.x86_64/usr/libexec/openssh/gnome-ssh-askpass


The binary is built using this command (added "-pie -Wl,-z,now" to CFLAGS since your results):

cc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -fvisibility=hidden -fpic -I/usr/include/gssapi -pie -Wl,-z,now `pkg-config --cflags gtk+-2.0` gnome-ssh-askpass2.c -o gnome-ssh-askpass2 `pkg-config --libs gtk+-2.0 x11`

Do you have any hints?
Comment 2 Alexander Todorov 2015-09-18 03:09:20 EDT
(In reply to Jakub Jelen from comment #1)
> gnome-ssh-askpass is "A passphrase dialog for OpenSSH and X". It is not
>  * long running.
>  * suid binary
>  * running as root (if you don't have root desktop)
>  * accepting/processing untrusted input
> it communicates only locally with ssh-client, if there is no terminal to ask
> for password.
> 
> This means that it is not MUST nor SHOULD, except the thing that the root
> package is on the list.
> 
> Anyway I tried to figure out what I can do about it, when global hardening
> flag doesn't help, but I don't have any luck with stack canary:
> 
> RELRO           STACK CANARY      NX            PIE             RPATH     
> RUNPATH      FILE
> Full RELRO      No canary found   NX enabled    PIE enabled     No RPATH  
> No RUNPATH  
> /root/rpmbuild/BUILDROOT/openssh-7.1p1-2.fc24.x86_64/usr/libexec/openssh/
> gnome-ssh-askpass
> 
> 
> The binary is built using this command (added "-pie -Wl,-z,now" to CFLAGS
> since your results):
> 
> cc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
> -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4
> -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64
> -mtune=generic -fvisibility=hidden -fpic -I/usr/include/gssapi -pie
> -Wl,-z,now `pkg-config --cflags gtk+-2.0` gnome-ssh-askpass2.c -o
> gnome-ssh-askpass2 `pkg-config --libs gtk+-2.0 x11`
> 
> Do you have any hints?


Your current status is fine. Sometimes there isn't a need for canary protection, see

https://lists.fedoraproject.org/pipermail/devel/2015-September/214669.html
https://lists.fedoraproject.org/pipermail/devel/2015-September/214694.html
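
How the RELRO, STACK CANARY and PIE columns in the checksec tables quoted in this thread follow from the ELF file itself, as an added example (not code from this bug report or from the checksec project). It is a simplified check: `check_elf64` and `build_sample` are hypothetical names, the two images are constructed to mirror the binary before and after adding `-pie -Wl,-z,now`, any `ET_DYN` file is reported as PIE, and the canary test is a plain byte search for `__stack_chk_fail`.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
ET_EXEC, ET_DYN = 2, 3
NOW_MASK = {DT_FLAGS: DF_BIND_NOW, DT_FLAGS_1: DF_1_NOW}  # what "-Wl,-z,now" sets

def check_elf64(data):
    """Return (relro, canary, pie) for a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    phoff = struct.unpack_from("<Q", data, 32)[0]
    phentsize, phnum = struct.unpack_from("<HH", data, 54)
    has_relro, bind_now = False, False
    for i in range(phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:        # emitted by "-Wl,-z,relro"
            has_relro = True
        elif p_type == PT_DYNAMIC:        # walk the Elf64_Dyn entries
            for pos in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, pos)
                if tag == 0:              # DT_NULL ends the table
                    break
                bind_now = bind_now or tag == DT_BIND_NOW or bool(val & NOW_MASK.get(tag, 0))
    relro = "Full RELRO" if has_relro and bind_now else ("Partial RELRO" if has_relro else "No RELRO")
    # -fstack-protector-strong only guards functions that qualify, so a small
    # program built with it can still carry no __stack_chk_fail reference.
    canary = "Canary found" if b"__stack_chk_fail" in data else "No canary found"
    # Simplification: shared libraries are ET_DYN too; checksec labels those DSO.
    pie = "PIE enabled" if e_type == ET_DYN else "No PIE"
    return relro, canary, pie

def build_sample(e_type, dyn_entries):
    """Constructed image: ELF header, PT_GNU_RELRO and PT_DYNAMIC, dynamic table."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries + [(0, 0)])
    dyn_off = 64 + 2 * 56
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", e_type,
                       62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    relro = struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, dyn_off, 0, 0, len(dyn), len(dyn), 1)
    dynamic = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + relro + dynamic + dyn

if __name__ == "__main__":
    print(check_elf64(build_sample(ET_EXEC, [])))
    print(check_elf64(build_sample(ET_DYN, [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)])))
```

For a real file, pass `open(path, "rb").read()` to `check_elf64`.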
Comment 3 Jakub Jelen 2015-09-18 04:32:48 EDT
Thanks for clarification. I will update the package soon.
Comment 4 Fedora Update System 2015-09-25 08:52:24 EDT
openssh-7.1p1-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-8774808146
Comment 5 Fedora Update System 2015-09-26 20:55:16 EDT
openssh-7.1p1-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update openssh'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-8774808146
Comment 6 Fedora Update System 2015-10-01 12:01:34 EDT
openssh-7.1p1-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
