Red Hat Bugzilla – Bug 155451
Postfix could/should have PIE executables
Last modified: 2007-11-30 17:11:04 EST

Looking at the postfix package, I see that it's built with -fPIC; this doesn't
actually make much sense, as there is no shared library created.
However, as it's a network-facing daemon and thus could potentially be
remotely exploitable, it could be a good idea to compile with -fPIE and -pie.

/usr/sbin/postfix is PIE. PIE executables are slower than PIC binaries;
therefore only postfix itself is compiled PIE.
I can compile all of them PIE, but this will result in slow(-er?) email transportation.
Which binaries would you like to have PIE?

Actually, the postfix executable probably doesn't have to be PIE, as it isn't
network-facing. Basically, PIE improves security for network-facing daemons (or
binaries executed from network daemons which work with untrusted content
received from the network). So in Postfix's case it would possibly be master, smtpd
and maybe other executables further in the process.
About the performance drop due to PIE - is it really noticeable?

Yup, it is noticeable, but I have compiled all binaries PIE, now.
Fixed in rawhide in rpm postfix-2.2.3-1 or newer.
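As an added example (not from this bug report or the Postfix project), here is a small Python check for the property the thread is about: whether a given ELF binary was linked as PIE (ET_DYN with a PT_INTERP header), as a fixed-address executable (ET_EXEC), or is just a shared object. The sample images and the /usr/libexec/postfix path are constructed assumptions; the parser itself follows the ELF32/ELF64 header layout.

```python
import struct

ET_EXEC, ET_DYN, PT_INTERP = 2, 3, 3        # ELF e_type / p_type constants

def classify_elf(data: bytes) -> str:
    """'EXEC': ET_EXEC, linked at a fixed address (image cannot be randomised);
    'PIE': ET_DYN plus a PT_INTERP header, a relocatable executable the loader
    can place at a random base; 'SHLIB': ET_DYN without an interpreter."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        return "NOT_ELF"
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little-endian, 2 = big-endian
    # Fields after e_ident: e_type, e_machine, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    fmt = end + ("HHIQQQIHHHHHH" if data[4] == 2 else "HHIIIIIHHHHHH")  # EI_CLASS 2 = ELF64
    if len(data) < 16 + struct.calcsize(fmt):
        return "NOT_ELF"
    fields = struct.unpack_from(fmt, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
    if e_type == ET_EXEC:
        return "EXEC"
    if e_type != ET_DYN:
        return "OTHER"
    for i in range(e_phnum):                # p_type is the first 4 bytes of every phdr
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            return "PIE"
    return "SHLIB"

def classify_file(path: str) -> str:
    """Classify an on-disk binary, e.g. /usr/libexec/postfix/smtpd (path is an assumption)."""
    with open(path, "rb") as fh:
        return classify_elf(fh.read())

def build_sample(e_type: int, with_interp: bool) -> bytes:
    """Constructed minimal ELF64 little-endian image (header + program headers only);
    not loadable, it only exists so the classifier can be exercised offline."""
    phdr_types = [1] + ([PT_INTERP] if with_interp else [])   # PT_LOAD, optional PT_INTERP
    img = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)           # ELF64, LE, version 1, SysV ABI
    img += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x1000, 64, 0, 0,
                       64, 56, len(phdr_types), 0, 0, 0)        # e_machine 62 = x86-64
    for p_type in phdr_types:                                   # 56-byte ELF64 program headers
        img += struct.pack("<IIQQQQQQ", p_type, 5, 0, 0, 0, 0, 0, 0)
    return img

if __name__ == "__main__":
    for name, img in [("pie", build_sample(ET_DYN, True)), ("exec", build_sample(ET_EXEC, False)),
                      ("shlib", build_sample(ET_DYN, False))]:
        print(name, classify_elf(img))
```

This is the same distinction readelf -h reports as Type: DYN versus EXEC; it only tells you whether the executable image itself is relocatable, which is the precondition for ASLR covering the main program rather than just its libraries.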