Red Hat Bugzilla – Bug 853155
setuid programs should be compiled with PIE flags
Last modified: 2013-09-18 16:02:15 EDT
Description of problem:
pkexec, polkit-agent-helper-1, and polkitd are not compiled with gcc's PIE security flag. All setuid, network, and daemon programs should have PIE enabled so that each invocation has new ASLR. Additionally, daemons and setuid programs should have full RELRO and not partial.
FILE                                     TYPE    RELRO    PIE
/usr/bin/pkexec                          setuid  partial  no
/usr/lib/polkit-1/polkit-agent-helper-1  setuid  partial  no
/usr/lib/polkit-1/polkitd                daemon  partial  no
You can use this test program to check dbus:
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Checking to see if there is any progress on updating the compile flags? We'd like to close the bug if it's fixed. Thanks.
Per changelog and rpm-chksec, polkit is currently built with PIE and full relro; I'll keep this report open to review the unusual way it's been enabled (not using %_hardened_build).
See https://bugzilla.redhat.com/show_bug.cgi?id=892837 for that
Removing from CC tracker because it's fixed as far as we are concerned.
Cause tracked down to bug 962005.
... and fixed for F18 in polkit-0.107-6.fc18 (not attached into the bodhi ticket, but will be published as an update eventually).