Bug 853193 – daemon programs should be compiled with PIE and full RELRO flags

Bug 853193 - daemon programs should be compiled with PIE and full RELRO flags

Summary:	daemon programs should be compiled with PIE and full RELRO flags

Status:	CLOSED ERRATA

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	net-tools (Show other bugs)
Sub Component:
Version:	18
Hardware:	Unspecified Unspecified

Priority	high Severity unspecified
Target Milestone:	---
Target Release:	---
Assigned To:	Jiri Popelka
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:	853068
	Show dependency tree / graph

Reported:	2012-08-30 13:02 EDT by Steve Grubb
Modified:	2012-09-25 12:39 EDT (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2012-09-25 12:39:11 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Steve Grubb 2012-08-30 13:02:29 EDT

Description of problem:
Daemon programs should have full RELRO support enabled for extra protection. They should also have gcc's PIE flag enabled, too.

FILE                                                TYPE        RELRO    PIE 
/sbin/arp                                           daemon      partial  no  

You can use this program for testing:
http://people.redhat.com/sgrubb/files/rpm-chksec

Comment 1 Jiri Popelka 2012-09-03 09:15:31 EDT

I don't think /sbin/arp fits into this daemon category.
Yes, it can be run (only if /etc/ethers exists) during boot to load static arp entries from the ethers file.
But as you can see in arp-ethers.service it's a "oneshot" type so it exits immediately after loading the entries.

Have I missed anything or we can close this BZ ?

Comment 2 Steve Grubb 2012-09-05 06:42:23 EDT

This bug was filed to get the flags correct so that we can make claims in our common criteria security target. The intent was that we could say all setuids are compiled with these flags, all daemons are compiled with those, all apps have other flags. We really didn't want to start making exceptions to the blanket policy.

Comment 3 Jiri Popelka 2012-09-05 06:53:17 EDT

My point has been that /sbin/arp is not a deamon nor setuid.

Comment 4 Steve Grubb 2012-09-05 07:07:19 EDT

Its started by a .service file. Which means if we start picking and choosing which ones are daemon and which ones aren't, it gets complicated. I can help you with the patch if you think it's helpful.

Comment 5 Jiri Popelka 2012-09-05 07:43:06 EDT

Ok. Then easiest would be to add these flags to spec file and compile all the tools with PIE and full RELRO flags then modifying Makefile just for arp.

Comment 6 Fedora Update System 2012-09-05 08:10:04 EDT

net-tools-1.60-142.20120702git.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/net-tools-1.60-142.20120702git.fc18

Comment 7 Fedora Update System 2012-09-22 02:32:43 EDT

Package net-tools-1.60-144.20120917git.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing net-tools-1.60-144.20120917git.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-13384/net-tools-1.60-144.20120917git.fc18
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2012-09-25 12:39:11 EDT

net-tools-1.60-144.20120917git.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.