Ticket #1104 (closed task: fixed)
Expanding the list of "Hardened Packages"
Reported by: halfie | Owned by:
http://fedoraproject.org/wiki/Hardened_Packages page mentions that "FESCo requires some packages to use PIE and relro hardening by default."
It would be great if this list could be expanded to include packages which are at comparatively higher risk of being exploited (locally or remotely).
Such packages will typically include various system daemons, network daemons and network enabled applications.
(Implementing this will require changes to "Packaging Guidelines")
A lot of network daemons are already using PIE and RELRO (e.g. httpd, MariaDB). So a natural question is: why aren't packages in the same "network daemons" class, like PostgreSQL, Dovecot and MongoDB, being hardened?
I believe that hardening flags should be turned on (by default) for all packages which are at risk of being exploited.
"Packaging Guidelines" say that "Other packages may enable the flags at the maintainer's discretion."
Thinking from a security perspective, I find "Hardening flags can be disabled for other packages at the maintainer's discretion provided enough justification is given to FESCo" to be more appropriate.
For a start, packages from the following RPM groups can be targeted:
"Applications/CGI", "Network/Daemons", "Applications/Communications", "Applications/Internet", "System Environment/Daemons", "Applications/Databases"
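The question the ticket raises (which daemons are actually built with PIE and RELRO) can be answered directly from the installed ELF binaries. The following is an added example written for this page; it is not part of the ticket, of Fedora's packaging tooling, or of any of the packages named above. It reports PIE (ELF type ET_DYN for an executable) and RELRO (a PT_GNU_RELRO segment; "full" only when the dynamic section also requests BIND_NOW, "partial" otherwise) for ELF64 little-endian files. The helper build_sample() constructs minimal, non-loadable ELF images so the checker can run offline; both function names are this example's own.

```python
import struct
import sys

# Constants from elf.h
ET_EXEC = 2
ET_DYN = 3                     # PIE executables (and shared libraries) use ET_DYN
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552      # segment the loader re-maps read-only after relocation
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1


def check_hardening(data: bytes) -> dict:
    """Return {'pie': bool, 'relro': 'none'|'partial'|'full'} for an ELF64 LE image.

    PIE: e_type == ET_DYN (only meaningful for executables, not .so files).
    RELRO: needs a PT_GNU_RELRO segment; it is 'full' only if the dynamic
    section also asks for immediate binding, so the GOT is resolved before
    the loader makes the segment read-only.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles ELF64 little-endian only")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    has_relro = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, base)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    bind_now = False
    if dyn_off is not None:
        # Dynamic entries are (Elf64_Sxword d_tag, Elf64_Xword d_val), 16 bytes each.
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW
                    or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True

    relro = "none" if not has_relro else ("full" if bind_now else "partial")
    return {"pie": e_type == ET_DYN, "relro": relro}


def build_sample(pie: bool, relro: str) -> bytes:
    """Constructed test data for this example: a minimal ELF64 image with
    just the header, program headers and dynamic section that
    check_hardening() looks at. It is not a loadable program."""
    phdrs = [PT_DYNAMIC]
    if relro != "none":
        phdrs.append(PT_GNU_RELRO)
    phoff = 64                              # program headers follow the ELF header
    dynoff = phoff + 56 * len(phdrs)        # dynamic section follows the phdrs
    dyn = b""
    if relro == "full":
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)

    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, LSB, EV_CURRENT
    ehdr += struct.pack("<HHIQQQIHHHHHH",
                        ET_DYN if pie else ET_EXEC, 62, 1, 0, phoff, 0, 0,
                        64, 56, len(phdrs), 64, 0, 0)
    out = ehdr
    for ptype in phdrs:
        off = dynoff if ptype == PT_DYNAMIC else 0
        size = len(dyn) if ptype == PT_DYNAMIC else 0x1000
        out += struct.pack("<IIQQQQQQ", ptype, 4, off, 0, 0, size, size, 8)
    return out + dyn


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_hardening(fh.read()))
```

Run it as `python3 elfcheck.py /usr/bin/<daemon>` (file name is this example's own) and compare against `readelf -lW` (which lists a GNU_RELRO segment) and `readelf -d` (which shows the BIND_NOW / FLAGS / FLAGS_1 entries). Two caveats a reviewer should keep in mind: ET_DYN also describes shared libraries, so the PIE column only means something for executables, and a BIND_NOW flag without a GNU_RELRO segment is not RELRO at all, which is why the checker reports "none" in that case.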