Mon Feb 14 23:45:12 PST 2005

Some perhaps easy-to-answer questions, which I was unable to figure out 
by myself, regarding the build process of HLFS / security features:

-- Why build the packages in Chapter 5 with -pie -fpie? As I understood 
it, this makes the executables position independent, which is good for 
security, because the position in memory is not fixed. But the 
executables in Ch 5 get trashed after the build, so is pie/fpie necessary?

-- Why use seds for those -pie -fpie things, not CFLAGS='-pie -fpie' 
make ...? Are there binaries/libs which must not be built with those 
options? In every package?

-- By reading the available links/docs regarding the various security 
features implemented, it is quite hard (at least for me, a non-guru) to 
figure out the interactions/relationships between those features. There 
are -pie -fpie -fPIE -fPIC (which are basically linker related, I 
think); the exact difference between those is kind of hard to get by 
reading the docs.
Then there is stack-protector, which I assume is independent of 
everything else, as a feature of gcc.
Then there is Grsec and/or PaX, which I think partly overlap with each 
other: both prevent execution of code within the stack (heap?) [besides 
other features].

-- Using paxctl -v on binaries I get something like ----x-e--. Are these 
the flags set by default when binaries get built? (Well, it seems so.)

-- Does anyone know a good text about the interaction between gcc/as/ld/ 
and the specs file, besides info gcc?

regards Thorsten Happel

