some non-guru questions
fly_a320 at gmx.de
Mon Feb 14 23:45:12 PST 2005
Some perhaps easy to answer questions, which I was unable to figure out
by myself regarding the build process of HLFS / security features
-- Why build the packages in Chapter 5 with -pie -fpie? As I understood
it, this makes the executables position independent, which is good for
security, because the position in memory is not fixed. But the
executables in Ch 5 get trashed after the build, so is pie/fpie necessary?
-- Why use seds for those -pie -fpie things, not CFLAGS='-pie -fpie'
make ...? Are there binaries/libs which must not be built with those
options? In every package?
-- By reading the available links/docs regarding the various security
features implemented, it is quite hard (at least for me non guru) to
figure out the interactions/relationships between those features. There
are -pie -fpie -fPIE -fPIC (which are basically linker related, I
think), the exact difference between those is kind of hard to get by
reading the docs.
Then there is stack-protector, which I assume is independent of
everything else, as a feature of gcc.
Then there is Grsec and/or PaX, which I think partly overlap with each
other: both prevent execution of code within the Stack (Heap?)[besides
-- Using paxctl -v on binaries I get something like ----x-e--. Are these
the flags set by default when binaries get built? (Well, it seems so.)
-- does anyone know a good text about the interaction between gcc/as/ld/
and the specs file, besides info gcc?
regards Thorsten Happel