Bug 484214 - net-misc/openssh : enhance the security with -fpie
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal enhancement
Assignee: Gentoo's Team for Core System packages
Reported: 2013-09-08 10:58 UTC by Agostino Sarubbo
Modified: 2013-09-12 20:23 UTC

Description Agostino Sarubbo gentoo-dev 2013-09-08 10:58:19 UTC
I just noticed that our sshd in the default profile appears as ET_EXEC, while in distros like Debian/Fedora it appears as ET_DYN.

Since it is a common service, I was just wondering if we can enhance the security with PIE. I just compiled it with "-fPIE -pie" and it works fine. Opinions?
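To make the ET_EXEC/ET_DYN check above concrete, here is an added example that is not part of this bug report: a small Python ELF-header reader that reports e_type and, because ET_DYN also covers plain shared libraries, only calls a file a PIE when it is ET_DYN and carries a PT_INTERP program header. The ELF images it inspects are constructed inline (the names SSHD_NONPIE, SSHD_PIE and LIBCRYPTO_SO are assumed, not real binaries).

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_INTERP = 1, 3


def elf_type(data: bytes) -> str:
    """Return 'ET_EXEC', 'ET_DYN' or 'type N' from the ELF header.

    Honours EI_CLASS/EI_DATA so 32/64-bit and LE/BE images are read correctly.
    """
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"
    e_type = struct.unpack_from(endian + "H", data, 16)[0]
    return {ET_EXEC: "ET_EXEC", ET_DYN: "ET_DYN"}.get(e_type, f"type {e_type}")


def is_pie(data: bytes) -> bool:
    """ET_DYN alone also matches .so files; a PIE executable is ET_DYN *and*
    has a PT_INTERP entry naming the dynamic loader."""
    if elf_type(data) != "ET_DYN":
        return False
    endian = "<" if data[5] == 1 else ">"
    if data[4] == 2:  # ELFCLASS64: e_phoff at 32, e_phentsize/e_phnum at 54
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    else:  # ELFCLASS32: e_phoff at 28, e_phentsize/e_phnum at 42
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break
        if struct.unpack_from(endian + "I", data, off)[0] == PT_INTERP:
            return True
    return False


def _fake_elf64(e_type: int, phdr_types) -> bytes:
    """Constructed minimal x86-64 little-endian ELF image for this demo."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, LE, v1, SYSV ABI
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                              64, 56, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 1)
                     for t in phdr_types)
    return hdr + phdrs


SSHD_NONPIE = _fake_elf64(ET_EXEC, [PT_LOAD])            # like the reported Gentoo sshd
SSHD_PIE = _fake_elf64(ET_DYN, [PT_INTERP, PT_LOAD])     # like a -fPIE -pie build
LIBCRYPTO_SO = _fake_elf64(ET_DYN, [PT_LOAD])            # shared object, not a PIE
```

On a real system the same functions can be fed `open(path, "rb").read()`; a hardened profile's sshd should report ET_DYN with is_pie() True.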
Comment 1 Markos Chandras (RETIRED) gentoo-dev 2013-09-08 11:07:15 UTC
I am not in favor of applying -fPIE to selected packages. Whoever needs this extra level of "security" should use hardened or adjust his per-package CFLAGS in /etc/portage.
Comment 2 Agostino Sarubbo gentoo-dev 2013-09-08 11:12:04 UTC
(In reply to Markos Chandras from comment #1)
> I am not in favor of applying -fPIE to selected packages. Whoever needs this
> extra level of "security" should use hardened or adjust his per-package
> CFLAGS in /etc/portage.

Unfortunately not all people can use the entire hardened profiles/sources, and not all are security experts. They just trust what we 'give'.
Comment 3 Denis M. (Phr33d0m) 2013-09-08 11:23:57 UTC
(In reply to Agostino Sarubbo from comment #2)
> and not all are security expert. They just trust what we 'give'.

I agree.
Comment 4 Doug Goldstein (RETIRED) gentoo-dev 2013-09-08 15:49:00 UTC
Honestly, I've kind of felt that PIE should be enabled by default and selectively disabled by package maintainers when it doesn't work. It's something that many distros ship with by default.

I wouldn't be opposed to enabling it in OpenSSH.
Comment 5 Tolga Dalman 2013-09-08 16:02:39 UTC
While I agree this should be done for openssh (and perhaps other selected ebuilds), -fPIE shouldn't be set to default for all packages unconditionally.
Comment 6 Agostino Sarubbo gentoo-dev 2013-09-08 17:22:20 UTC
(In reply to Doug Goldstein from comment #4)
> Honestly, I've kind of felt that PIE should be enabled by default and
> selectively disabled by package maintainers when it doesn't work. Its
> something that many distros ship with on default.

I don't agree. -fPIE causes slowness, so old machines get a performance regression.

(In reply to Tolga Dalman from comment #5)
> While I agree this should be done for openssh (and perhaps other selected
> ebuilds), -fPIE shouldn't be set to default for all packages unconditionally.

I agree, I will open bugs for the most important/used ebuilds.
Comment 7 SpanKY gentoo-dev 2013-09-12 20:23:44 UTC
We're not going to do this on a maintainer-by-maintainer basis. Hash out a policy on gentoo-dev first, and then we'll see about updating packages.

Example: add a USE=pie flag (default to on for most profiles) which is used to control building of network or set*id (or USE=fcaps) programs only as PIEs.

Not all C libraries or architectures support PIE, so doing it for everyone is broken.