more compiler safety flags

Damien Miller djm at mindrot.org
Fri Dec 21 15:42:45 EST 2012


On Fri, 21 Dec 2012, Darren Tucker wrote:

> Anyone see any reason not to add these extra compiler/linker flags if
> they're supported?

I think the risk is that some of these features need crt0/ld.so assistance
to work that might be absent, causing the programs to link but fail to
execute. Is this a problem in practice? I have no idea :) I'm not opposed
to you committing this diff while we are still in development mode to help
find out though.

> +	OSSH_CHECK_CFLAG_COMPILE([-fPIC])
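
Review bot: `-fPIC` on this line is paired with a `-pie` link check further down, and for position-independent executables the matching compile flag is `-fPIE`. Consider testing `-fPIE` first and keeping `-fPIC` only as a fallback. The compile flag and `-pie` are also probed by separate macro calls, so it is worth making sure one is not enabled without the other.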

Isn't fPIE more usual?

> +	OSSH_CHECK_LDFLAG_LINK([-pie])
> +	OSSH_CHECK_LDFLAG_LINK([-Wa,--noexecstack])
> +	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
> +	OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
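
Review bot: `-Wa,--noexecstack` is passed through `OSSH_CHECK_LDFLAG_LINK`, but `-Wa,` hands the option to the assembler, not the linker, so the link test says little about whether the final binary gets a non-executable stack. Either check it as a compile flag or use the linker form `-Wl,-z,noexecstack` here. All four checks in this group are link-only, so they will not catch the link-but-fail-to-execute case raised in the reply; where not cross-compiling, a run test of the linked program would cover that.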

