Red Hat Bugzilla – Bug 1335863
non-daemon ELF binaries are compiled as PIE, but without full RELRO
Last modified: 2016-12-13 15:00:44 EST
Description of problem:
At least the following binaries,

/usr/bin/mysqlimport
/usr/bin/mysqltest
/usr/bin/mysql_client_test
/usr/bin/mysql_plugin
/usr/bin/mysql_upgrade
/usr/bin/mysqlslap
/usr/bin/mysqltest_embedded
/usr/bin/mysql_waitpid
/usr/bin/mysqladmin
/usr/bin/mysql_client_test_embedded
/usr/bin/mysql_tzinfo_to_sql
/usr/bin/mysql
/usr/bin/mysqldump
/usr/bin/mysqlshow
/usr/bin/mysqlcheck
/usr/bin/mysqlbinlog

are compiled as Position Independent Executables (PIE), but with lazy binding enabled (no BIND_NOW / NOW). This not only slows the startup down (adding one layer of indirection for PIE), but also creates potential security issues.

Please compile these as either
- non-PIE, with "partial" RELRO: gcc -Wl,-z,relro
- PIE, with "full" RELRO: gcc -fPIE -pie -Wl,-z,relro,-z,now
*not* in any combination of the two (for one binary).

Generally speaking, PIE + "full" RELRO is recommended for anything that doesn't start too often (as it provides the best protection at a slight cost in startup time) such as daemons, SUID binaries or anything having extra privileges and handling unsafe user data. For anything else, "Partial" RELRO is recommended.

Version-Release number of selected component (if applicable):
mariadb-5.5.47-1.el7_2

How reproducible:
always

Steps to Reproduce:
1. readelf -a <path-to-binary> | less
2. look for addresses, see them being relative, starting at 0
2.1. (also see ELF type at the top - should be DYN)
3. look for BIND_NOW or NOW, without success

Actual results:
binaries compiled as PIE with "partial" RELRO

Expected results:
binaries either compiled as PIE+"full" RELRO or non-PIE+"partial" RELRO

Additional info:
/usr/libexec/mysqld seems to have correctly PIE + "full" RELRO.
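The manual readelf check from the reproduction steps can be scripted. The following is an added example, not part of the original report or of the mariadb package: the function name, the output format and the readelf excerpts are constructed for illustration, and an ELF type of DYN is assumed to mean PIE because the input is expected to be an executable rather than a shared library.

```shell
#!/bin/sh
# Reads `readelf -h -l -d <binary>` text on stdin and prints one line:
#   <PIE|non-PIE> relro=<none|partial|full> <ok|review>
classify_hardening() {
    awk '
        /^ *Type:/                  { type = $2 }   # ELF header: EXEC or DYN
        /^ *GNU_RELRO/              { relro = 1 }   # PT_GNU_RELRO program header
        /\(BIND_NOW\)/              { now = 1 }     # DT_BIND_NOW dynamic entry
        /\(FLAGS\)/ && /BIND_NOW/   { now = 1 }     # DF_BIND_NOW in DT_FLAGS
        /\(FLAGS_1\)/ && /NOW/      { now = 1 }     # DF_1_NOW in DT_FLAGS_1
        END {
            pie = (type == "DYN")   # assumption: input is an executable, not a .so
            name = pie ? "PIE" : "non-PIE"
            level = !relro ? "none" : (now ? "full" : "partial")
            # Accept only the two builds the report asks for.
            ok = (pie && level == "full") || (!pie && level == "partial")
            printf "%s relro=%s %s\n", name, level, (ok ? "ok" : "review")
        }'
}

# Constructed readelf excerpts (not taken from the mariadb package).
sample_pie_lazy() {
    cat <<'EOF'
  Type:                              DYN (Shared object file)
  GNU_RELRO      0x000000000000fd68 0x000000000020fd68 0x000000000020fd68
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
EOF
}
sample_pie_now() {
    cat <<'EOF'
  Type:                              DYN (Shared object file)
  GNU_RELRO      0x000000000000fd68 0x000000000020fd68 0x000000000020fd68
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
EOF
}
sample_exec_relro() {
    cat <<'EOF'
  Type:                              EXEC (Executable file)
  GNU_RELRO      0x0000000000000e10 0x0000000000600e10 0x0000000000600e10
EOF
}

# With a real file: readelf -h -l -d /usr/bin/mysql | classify_hardening
sample_pie_lazy   | classify_hardening   # the state the report describes
sample_pie_now    | classify_hardening
sample_exec_relro | classify_hardening
```
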
*** Bug 1092548 has been marked as a duplicate of this bug. ***
Created attachment 1173765 proposed patch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2595.html