Description of problem:
The busybox binary lacks hardening measures: no RELRO, no stack canaries, not position-independent.

Version-Release number of selected component (if applicable):
1.34.1, 1.35.0

How reproducible:
always

Steps to Reproduce:
1. Install busybox and checksec
2. Run checksec --file=/usr/sbin/busybox

Actual results:
RELRO       STACK CANARY     NX          PIE          RPATH     RUNPATH     Symbols     FORTIFY  Fortified  Fortifiable  FILE
No RELRO    No canary found  NX enabled  No PIE       No RPATH  No RUNPATH  No Symbols  No       0          0            /usr/sbin/busybox

Expected results:
RELRO       STACK CANARY     NX          PIE          RPATH     RUNPATH     Symbols     FORTIFY  Fortified  Fortifiable  FILE
Full RELRO  Canary found     NX enabled  PIE enabled  No RPATH  No RUNPATH  No Symbols  No       0          4            /usr/bin/clang-13

Additional info:
For reference, Alpine Linux's busybox package does have hardening measures such as PIE and partial RELRO. Its package uses the more common musl libc rather than uClibc. Void Linux's musl edition is similar.

This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle. Changing version to 36.
Checksec does not return useful data against static binaries, only shared ones. That said, there are some hardening measures that could be applied to the static binary. The first (and bigger) challenge is that the static binary doesn't actually work right now; it just segfaults, and I need to figure out why.
Hardening flags now applied in rawhide.
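
An added example, not part of the original bug thread or of checksec's code: a minimal reader that derives the RELRO, NX and PIE verdicts reported above from the ELF program headers and dynamic section, and also flags binaries with no program interpreter (the static case raised in the comments). The function names, the `build_elf` helper and both sample binaries are constructed for illustration; it assumes little-endian ELF64 input and does not cover the canary and FORTIFY columns, which depend on symbol lookups.

```python
import struct

EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<QQ"  # ELF64 little-endian layouts
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB

def hardening(elf: bytes) -> dict:
    """Derive checksec-style RELRO / NX / PIE verdicts from the ELF headers alone."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR, elf)
    e_type, phoff, phentsize, phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = (struct.unpack_from(PHDR, elf, phoff + i * phentsize) for i in range(phnum))
    seg = {p[0]: p for p in phdrs}  # keyed by p_type; types checked below occur once
    bind_now = False
    if PT_DYNAMIC in seg:
        off, size = seg[PT_DYNAMIC][2], seg[PT_DYNAMIC][5]  # p_offset, p_filesz
        for pos in range(off, off + size, 16):
            tag, val = struct.unpack_from(DYN, elf, pos)
            if tag == 0:  # DT_NULL ends the dynamic array
                break
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & 0x8)
                    or (tag == DT_FLAGS_1 and val & 0x1)):
                bind_now = True  # DF_BIND_NOW / DF_1_NOW: relocations resolved at load
    relro = ("full" if bind_now else "partial") if PT_GNU_RELRO in seg else "none"
    return {
        "relro": relro,  # full RELRO needs PT_GNU_RELRO plus immediate binding
        "nx": PT_GNU_STACK in seg and not seg[PT_GNU_STACK][1] & 1,  # PF_X clear
        "pie": e_type == 3,  # ET_DYN (shared objects are ET_DYN too)
        "static": PT_INTERP not in seg,  # no interpreter: static executable or library
    }

def build_elf(e_type, segments, dyn=()):
    """Constructed sample input: headers only. segments is [(p_type, p_flags), ...]."""
    dyn_off = 64 + 56 * len(segments)
    dyn_blob = b"".join(struct.pack(DYN, t, v) for t, v in list(dyn) + [(0, 0)])
    out = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + bytes(9), e_type, 62, 1, 0, 64,
                      0, 0, 64, 56, len(segments), 0, 0, 0)
    for p_type, p_flags in segments:
        d = p_type == PT_DYNAMIC
        out += struct.pack(PHDR, p_type, p_flags, dyn_off if d else 0, 0, 0,
                           len(dyn_blob) if d else 0, 0, 0)
    return out + dyn_blob

# Constructed samples shaped like the two checksec rows in the report.
UNHARDENED = build_elf(2, [(PT_LOAD, 5), (PT_GNU_STACK, 6)])
HARDENED = build_elf(3, [(PT_INTERP, 4), (PT_LOAD, 5), (PT_DYNAMIC, 6),
                         (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)], dyn=[(DT_FLAGS, 0x8)])
```

Calling `hardening(open(path, "rb").read())` on a real binary gives the same dictionary; a result of `"static": True` together with `"relro": "none"` is the combination where the header-derived columns say little about how the binary was compiled.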