#4010 Remove minor issues in ipa.spec
Closed: Fixed. Opened 10 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1026260

Description of problem:
ipa.spec analysis uncovered several issues that we should either mark as false
positives or fix:

1) % sign not properly escaped in a changelog:
   spec: - Add (noreplace) flag for \%{_sysconfdir}/tmpfiles.d/ipa.conf
   rpm : - Add (noreplace) flag for \/etc/tmpfiles.d/ipa.conf

We should replace "\%" with "%%"

2) /usr/libexec/ipa-otpd: daemon file compiled with only partial RELRO (should
be full)

3) Unowned mid-level directory: /usr/share/ipa/ui/js

4) Missing man pages for %config files:
- /etc/ipa/html/browserconfig.html
- /etc/ipa/html/ffconfig.js
- /etc/ipa/html/ffconfig_page.js
- /etc/ipa/html/ipa_error.css
- /etc/ipa/html/ssbrowser.html
- /etc/ipa/html/unauthorized.html
- /etc/sysconfig/ipa_memcached
- /etc/tmpfiles.d/ipa.conf

We should either mark as false positive or remove %config (or write the man
page)

I talked to jhrozek, we may be able to fix 2) just with the following macro in the spec file (as SSSD does):

```
%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
%define _hardened_build 1
%endif
```

I tested this macro, but the binary still reports that relro is not enabled:

```
# hardening-check --color --verbose /usr/libexec/ipa-otpd
/usr/libexec/ipa-otpd:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
    unprotected: gethostname
    unprotected: read
    protected: vfprintf
    protected: asprintf
    protected: memcpy
    protected: fprintf
 Read-only relocations: yes
 Immediate binding: no, not found!   <---
```

Would anyone CCed know a way to enable it? I am thinking we would want to enable full relro for ipa-otpd only anyway - it should not be needed for DS libraries and similar.

Can you check the CFLAGS? Do you see something like -Wl,-z,relro there?

I saw this:

```
Making all in ipa-otpd
make[4]: Entering directory `/root/freeipa-master/rpmbuild/BUILD/freeipa-3.3.3GIT95d38a8/daemons/ipa-otpd'
gcc -DHAVE_CONFIG_H -I. -I..   -I/usr/include/nspr4   -I/usr/include/nss3 -I/usr/include/nspr4   -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic  -DWITH_OPENLDAP -I/usr/include/nspr4   -I/usr/include/nss3 -I/usr/include/nspr4   -DUSE_OPENLDAP   -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -MT bind.o -MD -MP -MF .deps/bind.Tpo -c -o bind.o bind.c
mv -f .deps/bind.Tpo .deps/bind.Po
gcc -DHAVE_CONFIG_H -I. -I..   -I/usr/include/nspr4   -I/usr/include/nss3 -I/usr/include/nspr4   -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic  -DWITH_OPENLDAP -I/usr/include/nspr4   -I/usr/include/nss3 -I/usr/include/nspr4   -DUSE_OPENLDAP   -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -MT forward.o -MD -MP -MF .deps/forward.Tpo -c -o forward.o forward.c
mv -f .deps/forward.Tpo .deps/forward.Po
gcc -DHAVE_CONFIG_H -I. -I..   -I/usr/include/nspr4   -I/usr/include/nss3 -I/usr/include/nspr4   -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic  -DWITH_OPENLDAP -I/usr/include/nspr4   -I/usr/include/nss3 -I/usr/include/nspr4   -DUSE_OPENLDAP   -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -MT main.o -MD -MP -MF .deps/main.Tpo -c -o main.o main.c
mv -f .deps/main.Tpo .deps/main.Po
gcc -DHAVE_CONFIG_H -I. -I..   -I/usr/include/nspr4   -I/usr/include/nss3 -I/usr/include/nspr4   -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic  -DWITH_OPENLDAP -I/usr/include/nspr4   -I/usr/include/nss3 -I/usr/include/nspr4   -DUSE_OPENLDAP   -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -MT parse.o -MD -MP -MF .deps/parse.Tpo -c -o parse.o parse.c
mv -f .deps/parse.Tpo .deps/parse.Po
gcc -DHAVE_CONFIG_H -I. -I..   -I/usr/include/nspr4   -I/usr/include/nss3 -I/usr/include/nspr4   -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic  -DWITH_OPENLDAP -I/usr/include/nspr4   -I/usr/include/nss3 -I/usr/include/nspr4   -DUSE_OPENLDAP   -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -MT query.o -MD -MP -MF .deps/query.Tpo -c -o query.o query.c
mv -f .deps/query.Tpo .deps/query.Po
gcc -DHAVE_CONFIG_H -I. -I..   -I/usr/include/nspr4   -I/usr/include/nss3 -I/usr/include/nspr4   -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic  -DWITH_OPENLDAP -I/usr/include/nspr4   -I/usr/include/nss3 -I/usr/include/nspr4   -DUSE_OPENLDAP   -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -MT queue.o -MD -MP -MF .deps/queue.Tpo -c -o queue.o queue.c
mv -f .deps/queue.Tpo .deps/queue.Po
gcc -DHAVE_CONFIG_H -I. -I..   -I/usr/include/nspr4   -I/usr/include/nss3 -I/usr/include/nspr4   -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic  -DWITH_OPENLDAP -I/usr/include/nspr4   -I/usr/include/nss3 -I/usr/include/nspr4   -DUSE_OPENLDAP   -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -MT stdio.o -MD -MP -MF .deps/stdio.Tpo -c -o stdio.o stdio.c
mv -f .deps/stdio.Tpo .deps/stdio.Po
/bin/sh ../libtool  --tag=CC   --mode=link gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic  -DWITH_OPENLDAP -I/usr/include/nspr4   -I/usr/include/nss3 -I/usr/include/nspr4   -DUSE_OPENLDAP   -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic   -llber -lldap_r -lverto   -lkrad  -o ipa-otpd bind.o forward.o main.o parse.o query.o queue.o stdio.o  -lkrad -lkrb5 
libtool: link: gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -DWITH_OPENLDAP -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/nspr4 -DUSE_OPENLDAP -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -o ipa-otpd bind.o forward.o main.o parse.o query.o queue.o stdio.o  -llber -lldap_r -lverto -lkrad -lkrb5
make[4]: Leaving directory `/root/freeipa-master/rpmbuild/BUILD/freeipa-3.3.3GIT95d38a8/daemons/ipa-otpd'
```

About the flags, you need to make sure that redhat-rpm-config is installed on the machine you test with because that's where the /usr/lib/rpm/redhat/redhat-hardened-cc1 file comes from and that file contains the compiler and/or linker flags that actually produce the hardened build:

```
$ cat /usr/lib/rpm/redhat/redhat-hardened-cc1
*cc1_options:
+ %{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}
```

Same with /usr/lib/rpm/redhat/redhat-hardened-ld for the linker.

I'm not familiar with the hardening check tool, but I think the most reliable way is to just use readelf. Using SSSD as an example, check for full RELRO:

`readelf -d /usr/sbin/sssd | grep BIND_NOW`

Check for PIE:

```
readelf -h /usr/sbin/sssd | grep Type
  Type:                              DYN (Shared object file)
```

Without PIE, the binary would say Type: EXEC (Executable file)
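As an added example (not code from the ticket or from FreeIPA or SSSD): a small Python checker that reads the same ELF structures the readelf commands above report on, so the partial vs. full RELRO distinction from issue 2) and the PIE check can be scripted without hardening-check. It reads e_type for PIE, the PT_GNU_RELRO program header for partial RELRO, and BIND_NOW in the dynamic section for full RELRO; build_sample_elf is a constructed, non-loadable ELF64 image used only as offline sample input.

```python
import struct

ET_EXEC, ET_DYN = 2, 3                              # constants from glibc elf.h
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def hardening_from_bytes(data):
    """pie = e_type DYN (readelf -h 'Type'); relro = PT_GNU_RELRO present (partial);
    bind_now = BIND_NOW in the dynamic section (readelf -d); full_relro = both."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not a 64-bit ELF file")
    end = "<" if data[5] == 1 else ">"              # EI_DATA: 1 = little-endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from(end + "QQIHHH", data, 32)
    relro, dynamic = False, None
    for i in range(e_phnum):                        # walk the program headers
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            end + "IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    bind_now = False
    if dynamic:                                     # Elf64_Dyn entries are 16 bytes each
        off, size = dynamic
        for j in range(size // 16):
            tag, val = struct.unpack_from(end + "qQ", data, off + 16 * j)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    return {"pie": e_type == ET_DYN, "relro": relro, "bind_now": bind_now,
            "full_relro": relro and bind_now}

def build_sample_elf(pie, relro, bind_now):
    """Constructed minimal ELF64 image (header, program headers and a dynamic
    section only, not loadable) used as offline sample input for the checker."""
    dyn = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") \
        + struct.pack("<qQ", DT_NULL, 0)
    types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    phoff, dynoff = 64, 64 + 56 * len(types)
    hdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # ELFCLASS64, little-endian, EV_CURRENT
    hdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0,
                       phoff, 0, 0, 64, 56, len(types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, dynoff if t == PT_DYNAMIC else 0,
                                 0, 0, len(dyn) if t == PT_DYNAMIC else 0, 0, 8)
                     for t in types)
    return hdr + phdrs + dyn
```

Run `hardening_from_bytes(open(path, "rb").read())` on a real binary; the ipa-otpd output quoted above corresponds to relro=True with bind_now=False, i.e. partial RELRO only.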

master:
db3e450 Own /usr/share/ipa/ui/js/ in the spec file.
652c4e6 Use hardening flags for ipa-optd.

ipa-3-3:
ca4e976 Own /usr/share/ipa/ui/js/ in the spec file.
73ada2b Use hardening flags for ipa-optd.

Metadata Update from @mkosek:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 3.3.x - 2013/11 (bug fixing)

7 years ago