Issue #47332: 389-ds-base package should be built with PIE flags - 389-ds-base

389-ds-base

#47332 389-ds-base package should be built with PIE flags

Closed: wontfix None Opened 11 years ago by nkinder.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 953390

Description of problem:

http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST
enable the PIE compiler flags if your package is long running ...".

However, currently 389-ds-base is not being built with PIE flags. This is a
clear violation of the packaging guidelines.

This issue (in its wider scope) is being discussed at,

https://fedorahosted.org/fesco/ticket/1104

https://lists.fedoraproject.org/pipermail/devel/2013-March/180827.html

Version-Release number of selected component (if applicable):

389-ds-base-1.3.0.5-1.fc19.x86_64.rpm

How reproducible:

You can use following programs to check if a package is hardened:

http://people.redhat.com/sgrubb/files/rpm-chksec

OR

https://github.com/kholia/checksec

Steps to Reproduce:

Get scanner.py from https://github.com/kholia/checksec

$ ./scanner.py 389-ds-base-1.3.0.5-1.fc19.x86_64.rpm
Analyzing 389-ds-base-1.3.0.5-1.fc19.x86_64.rpm ...
...
389-ds-base,389-ds-base-1.3.0.5-1.fc19.x86_64.rpm,/usr/sbin/ns-slapd,NX=Enabled
,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Enabled,RUNPATH=Disabled,CATEG
ORY=network-ip

Actual results:

/usr/sbin/ns-slapd is not PIE.

Expected results:

/usr/sbin/ns-slapd *should* be PIE.

Possible Fix:

"_hardened_build" rpm spec macro can be used to harden a package.

mreynolds commented 11 years ago

fedora spec file
0001-Ticket-47332-389-ds-base-package-should-be-built-wit.patch

nhosoi commented 11 years ago

http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST enable the PIE compiler flags if your package is long running ...".

Hi Mark,
Could you also investigate 389-admin, too? (Since the server binary is httpd, it may not be needed, but we'd like to make it sure...)
Thanks!!
--noriko

mreynolds commented 11 years ago

389-admin
0001-Ticket-47332-389-admin-should-be-built-with-PIE-flag.patch

mreynolds commented 11 years ago

Replying to [comment:4 nhosoi]:

http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST enable the PIE compiler flags if your package is long running ...".

Hi Mark,
Could you also investigate 389-admin, too? (Since the server binary is httpd, it may not be needed, but we'd like to make it sure...)
Thanks!!
--noriko

Yes, it looks like it is needed, so I added it. Thanks!

mreynolds commented 11 years ago

389-ds-base:

commit f5b17abc3740571ead6a3423a56e55523bce62b3

git push origin master
Counting objects: 5, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 483 bytes, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: Emitting a message to the fedmsg bus.
To ssh://mreynolds@pkgs.fedoraproject.org/389-ds-base
8f86104..f5b17ab master -> master

git push origin f19
Counting objects: 5, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 529 bytes, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: Emitting a message to the fedmsg bus.
To ssh://mreynolds@pkgs.fedoraproject.org/389-ds-base
22deb41..236cbb5 f19 -> f19

git push origin f18
Counting objects: 5, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 529 bytes, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: Emitting a message to the fedmsg bus.
To ssh://mreynolds@pkgs.fedoraproject.org/389-ds-base
c782705..decdcd7 f18 -> f18

git push origin f17
Counting objects: 5, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 522 bytes, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: Emitting a message to the fedmsg bus.
To ssh://mreynolds@pkgs.fedoraproject.org/389-ds-base
3e72dbd..df87321 f17 -> f17

Admin Server:

50e0b732c3f529a1c28a53a66094522e832b4331

git push origin master
Counting objects: 5, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 430 bytes, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: Emitting a message to the fedmsg bus.
To ssh://mreynolds@pkgs.fedoraproject.org/389-admin
39a4c29..50e0b73 master -> master

Metadata Update from @mreynolds:
- Issue assigned to mreynolds
- Issue set to the milestone: 1.3.1.1

7 years ago

spichugi commented 3 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/669

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

3 years ago

Metadata

Assignee

mreynolds

Tags

None

Blocking

None

Depending on

None

Priority

major

Milestone

1.3.1.1

reviewstatus

ack

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=953390

origin

Community

389-ds-base

Source Code

#47332 389-ds-base package should be built with PIE flags Closed: wontfix None Opened 11 years ago by nkinder.

Metadata

#47332 389-ds-base package should be built with PIE flags

Closed: wontfix None Opened 11 years ago by nkinder.