Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1026260
Description of problem: ipa.spec analysis uncovered several issues that we should either mark as false positives or fix:

1) % sign not properly escaped in a changelog:
   spec: - Add (noreplace) flag for \%{_sysconfdir}/tmpfiles.d/ipa.conf
   rpm:  - Add (noreplace) flag for \/etc/tmpfiles.d/ipa.conf
   We should replace "\%" with "%%"

2) /usr/libexec/ipa-otpd: daemon file compiled with only partial RELRO (should be full)

3) Unowned mid-level directory: /usr/share/ipa/ui/js

4) Missing man pages for %config files:
   - /etc/ipa/html/browserconfig.html
   - /etc/ipa/html/ffconfig.js
   - /etc/ipa/html/ffconfig_page.js
   - /etc/ipa/html/ipa_error.css
   - /etc/ipa/html/ssbrowser.html
   - /etc/ipa/html/unauthorized.html
   - /etc/sysconfig/ipa_memcached
   - /etc/tmpfiles.d/ipa.conf
   We should either mark as false positive or remove %config (or write the man page)
I talked to jhrozek, we may be able to fix 2) just with the following macro in the spec file (as SSSD does it):
```
%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
%define _hardened_build 1
%endif
```
I tested this macro, but the binary still reports that relro is not enabled:
```
# hardening-check --color --verbose /usr/libexec/ipa-otpd
/usr/libexec/ipa-otpd:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
        unprotected: gethostname
        unprotected: read
        protected: vfprintf
        protected: asprintf
        protected: memcpy
        protected: fprintf
 Read-only relocations: yes
 Immediate binding: no, not found!   <---
```
Would anyone CCed know a way to enable it? I am thinking we would want to enable full relro for ipa-otpd only anyway - it should not be needed for DS libraries and similar.
Can you check the CFLAGS? Do you see something like -Wl,-z,relro there?
I saw this:
```
Making all in ipa-otpd
make[4]: Entering directory `/root/freeipa-master/rpmbuild/BUILD/freeipa-3.3.3GIT95d38a8/daemons/ipa-otpd'
gcc -DHAVE_CONFIG_H -I. -I.. -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -DWITH_OPENLDAP -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -DUSE_OPENLDAP -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -MT bind.o -MD -MP -MF .deps/bind.Tpo -c -o bind.o bind.c
mv -f .deps/bind.Tpo .deps/bind.Po
gcc -DHAVE_CONFIG_H -I. -I.. -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -DWITH_OPENLDAP -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -DUSE_OPENLDAP -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -MT forward.o -MD -MP -MF .deps/forward.Tpo -c -o forward.o forward.c
mv -f .deps/forward.Tpo .deps/forward.Po
gcc -DHAVE_CONFIG_H -I. -I.. -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -DWITH_OPENLDAP -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -DUSE_OPENLDAP -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -MT main.o -MD -MP -MF .deps/main.Tpo -c -o main.o main.c
mv -f .deps/main.Tpo .deps/main.Po
gcc -DHAVE_CONFIG_H -I. -I.. -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -DWITH_OPENLDAP -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -DUSE_OPENLDAP -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -MT parse.o -MD -MP -MF .deps/parse.Tpo -c -o parse.o parse.c
mv -f .deps/parse.Tpo .deps/parse.Po
gcc -DHAVE_CONFIG_H -I. -I.. -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -DWITH_OPENLDAP -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -DUSE_OPENLDAP -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -MT query.o -MD -MP -MF .deps/query.Tpo -c -o query.o query.c
mv -f .deps/query.Tpo .deps/query.Po
gcc -DHAVE_CONFIG_H -I. -I.. -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -DWITH_OPENLDAP -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -DUSE_OPENLDAP -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -MT queue.o -MD -MP -MF .deps/queue.Tpo -c -o queue.o queue.c
mv -f .deps/queue.Tpo .deps/queue.Po
gcc -DHAVE_CONFIG_H -I. -I.. -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -DWITH_OPENLDAP -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -DUSE_OPENLDAP -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -MT stdio.o -MD -MP -MF .deps/stdio.Tpo -c -o stdio.o stdio.c
mv -f .deps/stdio.Tpo .deps/stdio.Po
/bin/sh ../libtool --tag=CC --mode=link gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -DWITH_OPENLDAP -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -DUSE_OPENLDAP -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -llber -lldap_r -lverto -lkrad -o ipa-otpd bind.o forward.o main.o parse.o query.o queue.o stdio.o -lkrad -lkrb5
libtool: link: gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -DWITH_OPENLDAP -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -DUSE_OPENLDAP -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -o ipa-otpd bind.o forward.o main.o parse.o query.o queue.o stdio.o -llber -lldap_r -lverto -lkrad -lkrb5
make[4]: Leaving directory `/root/freeipa-master/rpmbuild/BUILD/freeipa-3.3.3GIT95d38a8/daemons/ipa-otpd'
```
About the flags, you need to make sure that redhat-rpm-config is installed on the machine you test with because that's where the /usr/lib/rpm/redhat/redhat-hardened-cc1 file comes from and that file contains the compiler and/or linker flags that actually produce the hardened build:
```
$ cat /usr/lib/rpm/redhat/redhat-hardened-cc1
*cc1_options:
+ %{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}
```
Same with /usr/lib/rpm/redhat/redhat-hardened-ld for the linker.
I'm not familiar with the hardening check tool, but I think the most reliable way is to just use readelf. Using SSSD as example, check for full RELRO:
`readelf -d /usr/sbin/sssd | grep BIND_NOW`
Check for PIE:
```
readelf -h /usr/sbin/sssd | grep Type
  Type:                              DYN (Shared object file)
```
Without PIE, the binary would say Type: EXEC (Executable file)
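The two readelf checks above (Type: DYN for PIE, BIND_NOW for full RELRO) can also be done by parsing the ELF headers directly. The following is an added example, not code from this ticket or from FreeIPA/SSSD; `check_hardening` is a hypothetical helper, and `build_sample_elf` constructs header-only sample input so the block runs without a real binary or readelf installed.

```python
"""Check an ELF for PIE and full RELRO by parsing its headers (no readelf needed)."""
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552                   # program header types
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1                           # "bind now" bits in DT_FLAGS / DT_FLAGS_1
ET_EXEC, ET_DYN = 2, 3                                     # e_type: EXEC = no PIE, DYN = PIE/shared


def check_hardening(data):
    """Return {'pie': bool, 'relro': 'none'|'partial'|'full'} for raw ELF bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    # Header after e_ident; Addr/Off fields are 8 bytes on ELF64, 4 on ELF32
    hdr = struct.unpack_from(end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH"), data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    ph_fmt = end + ("IIQQQQQQ" if is64 else "IIIIIIII")
    dyn_fmt = end + ("qQ" if is64 else "iI")
    has_relro, dyn_off, dyn_size = False, None, 0
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        p_offset, p_filesz = (ph[2], ph[5]) if is64 else (ph[1], ph[4])
        if ph[0] == PT_GNU_RELRO:
            has_relro = True                # partial RELRO: a read-only-after-reloc segment exists
        elif ph[0] == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
    bind_now = False                        # full RELRO additionally needs immediate binding
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, struct.calcsize(dyn_fmt)):
            tag, val = struct.unpack_from(dyn_fmt, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"pie": e_type == ET_DYN, "relro": relro}


def build_sample_elf(pie, relro, bind_now):
    """Constructed header-only ELF64 used as sample input here; it is not a runnable binary."""
    dyn = struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW if bind_now else 0) + struct.pack("<qQ", DT_NULL, 0)
    phnum = 2 if relro else 1
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 64 + 56 * phnum, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    return ehdr + phdrs + dyn
```

On a real file use `check_hardening(open(path, "rb").read())`; the `{'pie': False, 'relro': 'partial'}` case is what the hardening-check output above reports for ipa-otpd.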
master:
  db3e450 Own /usr/share/ipa/ui/js/ in the spec file.
  652c4e6 Use hardening flags for ipa-optd.

ipa-3-3:
  ca4e976 Own /usr/share/ipa/ui/js/ in the spec file.
  73ada2b Use hardening flags for ipa-optd.
Metadata Update from @mkosek:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 3.3.x - 2013/11 (bug fixing)