Bug 853155 - setuid programs should be compiled with PIE flags
setuid programs should be compiled with PIE flags
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: polkit (Show other bugs)
18
Unspecified Unspecified
low Severity low
: ---
: ---
Assigned To: Miloslav Trmač
Fedora Extras Quality Assurance
:
Depends On: 962005
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-30 11:41 EDT by Steve Grubb
Modified: 2013-09-18 16:02 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-18 16:02:15 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Steve Grubb 2012-08-30 11:41:35 EDT
Description of problem:
pkexec, polkit-agent-helper-1, and polkitd are not compiled with gcc's PIE security flag. All setuid, network, and daemon programs should have PIE enabled so that each invocation has new ASLR. Additionally, daemons and setuid programs should have full RELRO and not partial.

FILE                                                TYPE        RELRO    PIE 
/usr/bin/pkexec                                     setuid      partial  no  
/usr/lib/polkit-1/polkit-agent-helper-1             setuid      partial  no  
/usr/lib/polkit-1/polkitd                           daemon      partial  no

You can use this test program to check dbus:
http://people.redhat.com/sgrubb/files/rpm-chksec
Comment 1 Fedora Admin XMLRPC Client 2013-02-01 18:59:24 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 2 Steve Grubb 2013-03-07 11:46:56 EST
Checking to see if there is any progress on updating the compile flags? We'd like to close the bug if its fixed. Thanks.
Comment 3 Miloslav Trmač 2013-03-11 10:22:16 EDT
Per changelog and rpm-chksec, polkit is currently built with PIE and full relro; I'll keep this report open to review the unusual way it's been enabled (not using %_hardened_build).
Comment 4 Matthias Clasen 2013-03-13 13:32:31 EDT
See https://bugzilla.redhat.com/show_bug.cgi?id=892837 for that
Comment 5 Steve Grubb 2013-03-14 12:04:21 EDT
Removing from CC tracker because its fixed as far as we are concerned.
Comment 6 Miloslav Trmač 2013-05-10 18:40:20 EDT
Cause tracked down to bug 962005.
Comment 7 Miloslav Trmač 2013-09-18 16:02:15 EDT
... and fixed for F18 in polkit-0.107-6.fc18 (not attached into the bodhi ticket, but will be published as an update eventually).

Note You need to log in before you can comment on or make changes to this bug.