Bug 155451 - Postfix could/should have PIE executables
Summary: Postfix could/should have PIE executables
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: postfix
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-04-20 14:11 UTC by Tomas Mraz
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-05-12 12:43:27 UTC
Type: ---
Embargoed:



Description Tomas Mraz 2005-04-20 14:11:25 UTC
Looking at the postfix package I see that it's built with -fPIC; this doesn't
actually make much sense as there is no shared library created.

However, as it's a network-facing daemon and thus could potentially be
remotely exploitable, it could be a good idea to compile with -fPIE and -pie.

Comment 1 Thomas Woerner 2005-05-11 15:19:29 UTC
/usr/sbin/postfix is PIE. PIE executables are slower than PIC binaries,
therefore only postfix itself is compiled PIE.
I can compile all PIE, but this will result in slow (-er ?) email transportation.

Which binaries would you like to have PIE?

Comment 2 Tomas Mraz 2005-05-11 17:04:08 UTC
Actually the postfix executable probably doesn't have to be PIE as it isn't
network-facing. Basically PIE improves security for network-facing daemons (or
binaries executed from network daemons which work with untrusted content
received from the network). So in postfix's case it would possibly be master, smtpd
and maybe other executables further in the process.

About the performance drop due to PIE - is it really noticeable?


Comment 3 Thomas Woerner 2005-05-12 12:43:27 UTC
Yup, it is noticeable, but I have compiled all binaries PIE, now. 

Fixed in rawhide in rpm postfix-2.2.3-1 or newer.


