Bug 155451 - Postfix could/should have PIE executables
Product: Fedora
Classification: Fedora
Component: postfix
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Thomas Woerner
Keywords: FutureFeature
Reported: 2005-04-20 10:11 EDT by Tomas Mraz
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Enhancement
Last Closed: 2005-05-12 08:43:27 EDT

Description Tomas Mraz 2005-04-20 10:11:25 EDT
Looking at the postfix package I see that it's built with -fPIC; this doesn't
actually make much sense as there is no shared library created.

However, as it's a network-facing daemon and thus could potentially be
remotely exploitable, it could be a good idea to compile with -fPIE and -pie.

Comment 1 Thomas Woerner 2005-05-11 11:19:29 EDT
/usr/sbin/postfix is PIE. PIE executables are slower than PIC binaries,
therefore only postfix itself is compiled PIE.
I can compile all PIE, but this will result in slow (-er ?) email transportation.

Which binaries would you like to have PIE?

Comment 2 Tomas Mraz 2005-05-11 13:04:08 EDT
Actually the postfix executable probably doesn't have to be PIE as it isn't
network facing. Basically PIE improves security for network-facing daemons (or
binaries executed from network daemons which work with untrusted content
received from the network). So in the postfix case it would possibly be master, smtpd
and maybe other executables further in the process.

About the performance drop due to PIE - is it really noticeable?

Comment 3 Thomas Woerner 2005-05-12 08:43:27 EDT
Yup, it is noticeable, but I have compiled all binaries PIE, now.

Fixed in rawhide in rpm postfix-2.2.3-1 or newer.
