Description of problem: http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST enable the PIE compiler flags if your package is long running ...". However, currently am-utils is not being built with PIE flags. This is a clear violation of the packaging guidelines. This issue (in its wider scope) is being discussed at, https://fedorahosted.org/fesco/ticket/1104 https://lists.fedoraproject.org/pipermail/devel/2013-March/180827.html Version-Release number of selected component (if applicable): am-utils-6.1.5-26.fc19.x86_64.rpm How reproducible: You can use following programs to check if a package is hardened: http://people.redhat.com/sgrubb/files/rpm-chksec OR https://github.com/kholia/checksec Steps to Reproduce: Get scanner.py from https://github.com/kholia/checksec $ ./scanner.py am-utils-6.1.5-26.fc19.x86_64.rpm am-utils,am-utils-6.1.5-26.fc19.x86_64.rpm,/usr/bin/pawd,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=network-ip am-utils,am-utils-6.1.5-26.fc19.x86_64.rpm,/usr/sbin/amd,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=network-ip am-utils,am-utils-6.1.5-26.fc19.x86_64.rpm,/usr/sbin/amq,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=network-ip am-utils,am-utils-6.1.5-26.fc19.x86_64.rpm,/usr/sbin/fixmount,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=network-ip am-utils,am-utils-6.1.5-26.fc19.x86_64.rpm,/usr/sbin/fsinfo,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=None am-utils,am-utils-6.1.5-26.fc19.x86_64.rpm,/usr/sbin/hlfsd,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=None am-utils,am-utils-6.1.5-26.fc19.x86_64.rpm,/usr/sbin/mk-amd-map,NX=Enabled,CANARY=Disabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=NA,CATEGORY=None am-utils,am-utils-6.1.5-26.fc19.x86_64.rpm,/usr/sbin/wire-test,NX=Enabled,CANARY=Disabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled,FORTIFY=Enabled,CATEGORY=network-ip
(In reply to comment #0) > > Get scanner.py from https://github.com/kholia/checksec > > $ ./scanner.py am-utils-6.1.5-26.fc19.x86_64.rpm > am-utils,am-utils-6.1.5-26.fc19.x86_64.rpm,/usr/bin/pawd,NX=Enabled, > CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled, > FORTIFY=Enabled,CATEGORY=network-ip > am-utils,am-utils-6.1.5-26.fc19.x86_64.rpm,/usr/sbin/amd,NX=Enabled, > CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled, > FORTIFY=Enabled,CATEGORY=network-ip > am-utils,am-utils-6.1.5-26.fc19.x86_64.rpm,/usr/sbin/amq,NX=Enabled, > CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled, > FORTIFY=Enabled,CATEGORY=network-ip > am-utils,am-utils-6.1.5-26.fc19.x86_64.rpm,/usr/sbin/fixmount,NX=Enabled, > CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled, > FORTIFY=Enabled,CATEGORY=network-ip > am-utils,am-utils-6.1.5-26.fc19.x86_64.rpm,/usr/sbin/fsinfo,NX=Enabled, > CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled, > FORTIFY=Enabled,CATEGORY=None > am-utils,am-utils-6.1.5-26.fc19.x86_64.rpm,/usr/sbin/hlfsd,NX=Enabled, > CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled, > FORTIFY=Enabled,CATEGORY=None > am-utils,am-utils-6.1.5-26.fc19.x86_64.rpm,/usr/sbin/mk-amd-map,NX=Enabled, > CANARY=Disabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled, > FORTIFY=NA,CATEGORY=None > am-utils,am-utils-6.1.5-26.fc19.x86_64.rpm,/usr/sbin/wire-test,NX=Enabled, > CANARY=Disabled,RELRO=Partial,PIE=Disabled,RPATH=Disabled,RUNPATH=Disabled, > FORTIFY=Enabled,CATEGORY=network-ip So, specifically, what your requesting is that I change the package configure setup to build the package programs with the pie option so that your scanner returns PIE=Enabled for each one it sees. Is that correct and is that all that's needed? Ian
See http://fedoraproject.org/wiki/Packaging:Guidelines#PIE In short, daemons should be built as PIE. Using "%global _hardened_build 1" in .spec file usually works.
(In reply to comment #2) > See http://fedoraproject.org/wiki/Packaging:Guidelines#PIE > > In short, daemons should be built as PIE. > > Using "%global _hardened_build 1" in .spec file usually works. Defining that breaks the build on the first compile. I'll say it again, what options do you want added to the compile of the executable source, exactly, and do you require additional options added to the source compile of the shared library source?
(In reply to comment #3) > > Using "%global _hardened_build 1" in .spec file usually works. > > Defining that breaks the build on the first compile. gcc: fatal error: /usr/lib/rpm/redhat/redhat-hardened-cc1: attempt to rename spec ‘cc1_options’ to already defined spec ‘rh_cc1_options_old’ This is the problem you are facing, right? lightdm package faced similar problem after enabling the hardening flags. The "bug" turned out to be in lightdm's build system. See http://pkgs.fedoraproject.org/cgit/lightdm.git/commit/?id=bc63ac9d91525b4abc43a119e8535df26cc7751c for a possible solution. https://bugzilla.redhat.com/show_bug.cgi?id=955147 > I'll say it again, what options do you want added to the compile > of the executable source, exactly, and do you require additional > options added to the source compile of the shared library source? Are you asking for a set of hard coded flags? If yes, then don't go down that path. Instead, 1. Fix / patch the build system (like lightdm did). 2. Use "%global _hardened_build 1". 3. If this doesn't do the trick maybe try using, LDFLAGS="%{?__global_ldflags}" CFLAGS="$RPM_OPT_FLAGS" (in addition to step 2) I have never packaged anything. So, I highly recommend asking about this in #fedora-devel.
(In reply to comment #4) Thanks for your effort trying to help, I appreciate it. > (In reply to comment #3) > > > Using "%global _hardened_build 1" in .spec file usually works. > > > > Defining that breaks the build on the first compile. > > gcc: fatal error: /usr/lib/rpm/redhat/redhat-hardened-cc1: attempt to rename > spec ‘cc1_options’ to already defined spec ‘rh_cc1_options_old’ > > This is the problem you are facing, right? Yes, but only when I use the _hardened_build flag in the spec. > > lightdm package faced similar problem after enabling the hardening flags. > The "bug" turned out to be in lightdm's build system. > > See > http://pkgs.fedoraproject.org/cgit/lightdm.git/commit/ > ?id=bc63ac9d91525b4abc43a119e8535df26cc7751c for a possible solution. The build system of am-utils is very different to lightdm I think. Actually, I already had a patch for the am-utils build system that will produce position independent executable programs when I asked this ... > > https://bugzilla.redhat.com/show_bug.cgi?id=955147 > > > I'll say it again, what options do you want added to the compile > > of the executable source, exactly, and do you require additional > > options added to the source compile of the shared library source? > > Are you asking for a set of hard coded flags? If yes, then don't go down > that path. Not quite, as I know what flags are needed but not if any additional macro defines are actually needed. I was asking if making the executable programs position independent is all that is required, which I can do, in a similar way that was done for autofs long ago, except the am-utils build system is much more convoluted. I just wanted to confirm the real requirements of the request, mainly because I'm fishing to see if I'm missing something in the position independence build flags (like an additional macro define). > > Instead, > > 1. Fix / patch the build system (like lightdm did). My change is different to that, necessarily. > > 2. Use "%global _hardened_build 1". Probably can't easily do that with am-utils. > > 3. If this doesn't do the trick maybe try using, > > LDFLAGS="%{?__global_ldflags}" > CFLAGS="$RPM_OPT_FLAGS" Can't do that either since we have a combination of executables and a shared library built. The shared libraries don't accept the same position independence flags. That is actually the the other fishing question, since the requirements here don't actually request shared libraries be compiled using position independent flags and scanner.py doesn't pick it up if they aren't. What I was alluding to is, do they also need to be compiled position independent? Note that having position independent programs doesn't prevent the use of these shared libraries AFAICS from autofs. > > (in addition to step 2) > > I have never packaged anything. So, I highly recommend asking about this in > #fedora-devel. I think I'll just go ahead and add the program compile and link flag, along with the build system macro to check pie flag validity and let others worry about what's really needed wrt. shared libraries. Ian
(In reply to comment #5) > > > (In reply to comment #3) > > > > Using "%global _hardened_build 1" in .spec file usually works. > > > > > > Defining that breaks the build on the first compile. > > > > gcc: fatal error: /usr/lib/rpm/redhat/redhat-hardened-cc1: attempt to rename > > spec ‘cc1_options’ to already defined spec ‘rh_cc1_options_old’ > > > > This is the problem you are facing, right? > > Yes, but only when I use the _hardened_build flag in the spec. > > > > > lightdm package faced similar problem after enabling the hardening flags. > > The "bug" turned out to be in lightdm's build system. > > > > See > > http://pkgs.fedoraproject.org/cgit/lightdm.git/commit/ > > ?id=bc63ac9d91525b4abc43a119e8535df26cc7751c for a possible solution. > > The build system of am-utils is very different to lightdm I think. And it is very different but before going ahead with my original change I had another go at something based of the above. I came up with a different change that uses the _hardened_build flag. I believe it should also build the shared library with the position independence as well as building the programs as position independent. I have committed the change to Rawhide and built am-utils. I had to fix a problem with the texinfo documentation build as well for Rawhide, I'll only include that in f19 if it is needed. Please inspect the change and offer you opinion. If your satisfied I'll commit it to the f19 branch as well. Ian
Created attachment 741015 [details] Patch - use-_hardened_build-flag The patch here doesn't include the changes to the spec file which adds the global define _hardened_build flag and removes $RPM_OPT_FLAGS from the configure invocation option --enable-am-cflags. The changes do seem to achieve what we need.
am-utils-6.1.5-28.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/am-utils-6.1.5-28.fc19
Package am-utils-6.1.5-28.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing am-utils-6.1.5-28.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-8035/am-utils-6.1.5-28.fc19 then log in and leave karma (feedback).
am-utils-6.1.5-28.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.