additional compiler hardening flags
Darren Tucker
dtucker at zip.com.au
Thu Apr 18 11:16:13 EST 2013
On Wed, Apr 17, 2013 at 04:03:11PM -0700, Iain Morgan wrote:
> Hello Darren,
>
> Seeing as no one has responded on the list regarding this, I wanted to
> give a brief response. I applied your proposed changes to the 6.2p1
> release and have been running it for some time now. I'm not prepared to
> comment on the individual compiler/linker options, but they seem
> reasonable at a glance.
After doing some more reading, I don't think we need -fPIC for openssh
since that's only applicable to shared libraries, and -fPIE is
sufficient for static libraries and executables.
> The only complication which I encountered was that it failed to link a
> local build of OpenSSL. Once I rebuilt OpenSSL with -fPIC, everything
> was fine.
Thanks. What configuration was that? (platform/compiler/flags/openssl
version?) I tried several variations on linux (fedora, gcc 4.6.3,
openssl 1.0.1e) and it always produced a working binary.
Anyway, we could easily add a configure knob to turn it off should that
be necessary.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
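A quick way to confirm that a build actually came out as a position-independent executable (the effect -fPIE is meant to have on sshd and the other binaries) is to read the ELF header the way `readelf -h` does: a PIE is ET_DYN but carries a PT_INTERP entry, whereas a shared library is ET_DYN without one and a non-PIE executable is ET_EXEC. The checker below is an added example, not code from this thread or from OpenSSH; the minimal ELF64 images it builds are constructed purely for testing and are not runnable binaries.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3   # e_type values from the ELF specification
PT_INTERP = 3            # program header that names the dynamic linker


def classify_elf64(data: bytes) -> str:
    """Return 'non-pie-executable', 'pie-executable' or 'shared-object'
    for a little-endian ELF64 image, using only header fields."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    if e_type == ET_EXEC:
        return "non-pie-executable"   # fixed load address: text is not randomized
    if e_type != ET_DYN:
        raise ValueError(f"unexpected e_type {e_type}")
    # ET_DYN covers both PIEs and shared libraries; a PT_INTERP entry means the
    # image is meant to be executed, i.e. it is a PIE. (A static-pie has no
    # PT_INTERP and would be reported as a shared object by this check.)
    for i in range(e_phnum):
        p_type = struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0]
        if p_type == PT_INTERP:
            return "pie-executable"
    return "shared-object"


def classify_path(path: str) -> str:
    """Classify an on-disk binary, e.g. the sshd produced by the build."""
    with open(path, "rb") as fh:
        return classify_elf64(fh.read())


def make_elf64(e_type: int, with_interp: bool) -> bytes:
    """Constructed test fixture: a 64-byte ELF64 header plus one or two
    program headers (x86-64, little-endian). Not a loadable binary."""
    phdrs = [(1, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]  # PT_LOAD
    if with_interp:
        phdrs.insert(0, (PT_INTERP, 4, 0x200, 0x400200, 0x400200, 28, 28, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, LE, v1, SysV
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x401000,
                              64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)


if __name__ == "__main__":
    for arg in sys.argv[1:]:
        print(arg, classify_path(arg))
```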