Hide Forgot
Created attachment 1143854 [details] Patch to build tmux as PIE tmux is currently not built as PIE. $ ./scanner.py ~/rawhide/os/Packages/t/tmux-2.1-3.fc24.x86_64.rpm Analyzing ~/rawhide/os/Packages/t/tmux-2.1-3.fc24.x86_64.rpm ... tmux,tmux-2.1-3.fc24.x86_64.rpm,/usr/bin/tmux,mode=0100755,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Partial... https://fedoraproject.org/wiki/Changes/Harden_All_Packages requires packages to be hardened properly. With the attached patch, the package is hardened properly. $ ./scanner.py tmux-2.1-3.fc25.x86_64.rpm Analyzing tmux-2.1-3.fc25.x86_64.rpm ... tmux,tmux-2.1-3.fc25.x86_64.rpm,/usr/bin/tmux,mode=0100755,NX=Enabled,CANARY=Enabled,RELRO=Enabled,PIE=Enabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Partial... The attached patch isn't perfect (due to hard-coding of the compiler flags) but it works OK. You can use "checksec" or "rpmgrill" or https://github.com/kholia/checksec to check if the package has been hardened properly.
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle. Changing version to '25'.
This patch shouldn't be needed, the settings you add to CFLAGS are the defaults nowadays. The real reason why the tmux executable is not build as PIE is this line: make %{?_smp_mflags} LDFLAGS="%{optflags}". For hardened builds, the %build step sets this in the environment: + LDFLAGS='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' + export LDFLAGS but the make step is executed like this: + make -j2 'LDFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' Note the specs= part, which contains settings for the compiler, not the linker. So the real fix is simple, as below: diff --git a/tmux.spec b/tmux.spec index a1a9cca..449d1d5 100644 --- a/tmux.spec +++ b/tmux.spec @@ -28,7 +28,7 @@ as GNU Screen. %build %configure -make %{?_smp_mflags} LDFLAGS="%{optflags}" +make %{?_smp_mflags} $ checksec --file /usr/bin/tmux RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH Yes 9 17 /usr/bin/tmux $ ./scanner.py ~/pkgs/tmux/results_tmux/2.4/1.fc27/tmux-2.4-1.fc27.x86_64.rpm Analyzing /home/ruben/pkgs/tmux/results_tmux/2.4/1.fc27/tmux-2.4-1.fc27.x86_64.rpm ... tmux,tmux-2.4-1.fc27.x86_64.rpm,/usr/bin/tmux,mode=0100755,NX=Enabled,CANARY=Enabled,RELRO=Enabled,PIE=Enabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Partial$readlink$memset$getcwd$read$memcpy$memmove$wctomb$gethostname,CATEGORY=network-local,TEMPPATHS=None,DEPS=libutil.so.1$libtinfo.so.6$libevent-2.0.so.5$libresolv.so.2$libc.so.6
http://pkgs.fedoraproject.org/cgit/rpms/tmux.git/commit/?id=c946af041210575b5eda5ab39708ef5aa5c78eb9
Filipe, did you read my comment? If you don't have time I am happy to apply my patch myself.