Ticket #563 (closed task: fixed)
suggested policy: all daemons must set RELRO and PIE flags
Reported by: adamwill
Cc: sgrubb@…, ricky
This proposal is to add a requirement that daemons must set some security-related compile-time flags.
Steve Grubb contacted me to ask why no-one had been 'checking' that daemons in Fedora set the RELRO and PIE flags at compile time; he says several do not have these flags set in F14. I explained that this is (as far as I know) not currently a requirement for Fedora packages, so it's not something that is 'checked'. Steve says there are security benefits to using these flags for long-running executables; they are required to be used for daemons in Red Hat Enterprise, and it seems reasonable to consider the same policy for Fedora.
This is an attempt to improve the security of daemons in Fedora against unknown attacks.
These flags should be passed to gcc and ld at compile time, AIUI. Obviously, where appropriate, patches to do so should be sent upstream. As to what they do, Steve explains:
"PIE (Position Independent Executable) will cause the app's addresses to be randomized every time it starts up. This will help prevent known address attacks. RELRO causes the jump tables and relocation addresses to become readonly. Because the addresses can be randomized for PIE, there are tables that map everything to its new address and this has to be writable when the program starts up. An attacker can potentially change these addresses to point to malicious code unless it's made readonly. So, we want PIE and at least partial RELRO on all daemons. There is a performance penalty for being PIE wrt startup time. So, this is only suitable for long running programs."
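Added example (not code from the ticket, from Fedora or from any of the people named here): a small Python checker that reads an ELF64 binary's headers and reports the two properties described above, whether the file was linked as PIE (ELF type ET_DYN) and whether it carries a PT_GNU_RELRO segment, upgrading the verdict to "full" RELRO when the dynamic section also requests immediate symbol binding (DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW), since that is what makes the GOT read-only after startup. The `make_elf` helper constructs minimal synthetic ELF images (not runnable programs) so the checker can be exercised offline; the script name, the helper and the "none/partial/full" labels are this example's own choices. It reports the same facts you would read off `readelf -h` (Type: DYN), `readelf -l` (a GNU_RELRO line) and `readelf -d` (BIND_NOW or FLAGS/FLAGS_1).

```python
"""Report PIE and RELRO status of ELF64 little-endian binaries.

Added example, not Fedora tooling.  Parses the ELF header, program headers
and dynamic section directly so it needs no external tools.
"""
import struct
import sys

# ELF constants (values from the ELF specification / glibc elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # 64-byte ELF64 file header
PHDR = struct.Struct("<IIQQQQQQ")          # 56-byte program header
DYN = struct.Struct("<qQ")                 # 16-byte dynamic-section entry


def check_hardening(data: bytes) -> dict:
    """Return {'pie': bool, 'relro': 'none'|'partial'|'full'} for an ELF64 LE image."""
    (ident, e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    # A PIE is linked as ET_DYN.  Shared libraries are ET_DYN too, so only
    # feed this check files you already know are executables.
    pie = e_type == ET_DYN

    relro_segment = False
    dynamic = None
    for i in range(e_phnum):
        p_type, _pflags, p_offset, _vaddr, _paddr, p_filesz, *_ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:       # linker emitted the read-only-after-reloc segment
            relro_segment = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    # Full RELRO additionally needs immediate binding so the GOT is resolved
    # (and therefore can be made read-only) before main() runs.
    bind_now = False
    if dynamic:
        off, size = dynamic
        for pos in range(off, off + size, DYN.size):
            d_tag, d_val = DYN.unpack_from(data, pos)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bind_now = True
    relro = "full" if relro_segment and bind_now else "partial" if relro_segment else "none"
    return {"pie": pie, "relro": relro}


def make_elf(e_type: int, relro: bool, bind_now: bool) -> bytes:
    """Constructed test input: a minimal ELF64 image with the requested properties.

    Only headers and a dynamic section are emitted; it is not a loadable program.
    """
    dyn_entries = [DYN.pack(DT_FLAGS, DF_BIND_NOW)] if bind_now else []
    dyn_entries.append(DYN.pack(DT_NULL, 0))
    dyn_bytes = b"".join(dyn_entries)
    nphdr = 2 if relro else 1
    dyn_off = EHDR.size + PHDR.size * nphdr         # dynamic section follows the phdrs
    phdrs = [PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                       len(dyn_bytes), len(dyn_bytes), 8)]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off,
                               len(dyn_bytes), len(dyn_bytes), 1))
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9     # ELF64, little-endian, version 1
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, nphdr, 0, 0, 0)
    return ehdr + b"".join(phdrs) + dyn_bytes


def check_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return check_hardening(fh.read())


if __name__ == "__main__":
    # Usage (hypothetical script name): python3 check_relro_pie.py /usr/sbin/crond ...
    missing = 0
    for path in sys.argv[1:]:
        result = check_file(path)
        ok = result["pie"] and result["relro"] != "none"
        missing += not ok
        print(f"{path}: PIE={result['pie']} RELRO={result['relro']}"
              + ("" if ok else "  <- needs flags"))
    sys.exit(1 if missing else 0)
```

For a package review the fix on the build side is to add `-fPIE` when compiling and `-pie` when linking the daemon (both flags are the ones the Debian text below refers to), and to pass `-Wl,-z,relro` for partial RELRO and additionally `-Wl,-z,now` for full RELRO; the checker above distinguishes those two outcomes.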
Debian documents these as available hardening options but AFAICT doesn't hard require their use in any case. For relro they note "Known problems: (Common build failures, non-availability on some archs)" and for pie they note "This is especially difficult to plumb into packaging in a safe way, since it requires the executable be built with -fPIE for any .o files that are linked at the end with -pie. There is some amount of performance loss, but only due to the -fPIE, which is already true for all the linked libraries (via their -fPIC)."
This affects packages containing daemons, and of course the maintainers of those packages. Specifically, Steve identified these packages as lacking the flags in F14:
Need RELRO: crond, init, mingetty, rsyslog, udevd, xinetd
Need PIE: init, mingetty, udevd, rsyslog
Adam Williamson (adamwill) and Steve Grubb (sgrubb at redhat).