While it is good to have stack-protector in packages like this, it does not respect the stack-protection setting of the user:

# checksec --file /usr/sbin/sshd
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
Partial RELRO   Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   Yes     11        23           /usr/sbin/sshd

My CFLAGS:
CFLAGS="-O2 -march=x86-64 -msse4.2 -fno-stack-protector"

net-misc/openssh-7.3_p1-r7::gentoo was built with the following:
USE="hpn pam pie ssl -X -X509 -bindist -debug -kerberos -ldap -ldns -libedit (-libressl) -livecd -sctp (-selinux) -skey -ssh1 -static -test" ABI_X86="64"
Created attachment 566546
proposed patch

Would need revbump though.
Thanks for the patch, but I think it will not work with some stack-protector settings.

I think it is fine to modify the buildsystem to let the user cflags come after the default.
(In reply to Agostino Sarubbo from comment #2)
> Thanks for the patch, but I think it will not work with some stack-protector
> settings.

The patch should disable openssh's logic to add any stack-protector flag.
What do you think here?

> I think it is fine to modify the buildsystem to let the user cflags come after the
> default.

Just found the configure flags --with-cflags-after and --with-ldflags-after.
However, these are evaluated after running the configure checks...
(In reply to Michael Haubenwallner from comment #3)
> (In reply to Agostino Sarubbo from comment #2)
> > Thanks for the patch, but I think it will not work with some stack-protector
> > settings.
>
> The patch should disable openssh's logic to add any stack-protector flag.
> What do you think here?
>
> > I think it is fine to modify the buildsystem to let the user cflags come after the
> > default.
>
> Just found the configure flags --with-cflags-after and --with-ldflags-after.
> However, these are evaluated after running the configure checks...

While it covers the scope, I guess it won't work if the user uses something other than -fstack-protector-all (e.g. -fstack-protector-strong), so the better thing to do here might be to just change the order of default flags vs user flags, so that user flags come last.
Since nowadays the current toolchain uses -fstack-protector-strong, all we have to do is to use --without-stackprotect.

Basically we are doing the same with --without-hardening:
https://github.com/gentoo/gentoo/blob/be46888368631cff17aebdec768f78e3ffae186d/net-misc/openssh/openssh-9.6_p1-r3.ebuild#L180
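
The flag-ordering point raised in the comments above, as an added example that is not part of the original thread or of the openssh ebuild: GCC lets the last -fstack-protector* / -fno-stack-protector option on the command line decide, so whether the user's choice survives depends on which side the package default lands. The function names and the PKG_DEFAULT value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: resolve which stack-protector mode wins in a flag string.
# GCC processes these options in order, so the last one given is in effect.
effective_ssp() {
    mode="default"    # no explicit option: the toolchain default applies
    for flag in $1; do
        case "$flag" in
            -fno-stack-protector)       mode="off" ;;
            -fstack-protector)          mode="basic" ;;
            -fstack-protector-strong)   mode="strong" ;;
            -fstack-protector-all)      mode="all" ;;
            -fstack-protector-explicit) mode="explicit" ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Succeeds when the mode in the full flag string ($1) matches what the
# user's own flags ($2) ask for. A user with no stack-protector option
# has stated no preference, so any package default is acceptable.
ssp_respected() {
    want=$(effective_ssp "$2")
    [ "$want" = "default" ] && return 0
    [ "$(effective_ssp "$1")" = "$want" ]
}

# CFLAGS from the report; PKG_DEFAULT is an assumed stand-in for the flag
# the package's configure script appends on its own.
USER_CFLAGS="-O2 -march=x86-64 -msse4.2 -fno-stack-protector"
PKG_DEFAULT="-fstack-protector-all"

# Compare both orderings of package default and user flags.
for order in "$USER_CFLAGS $PKG_DEFAULT" "$PKG_DEFAULT $USER_CFLAGS"; do
    if ssp_respected "$order" "$USER_CFLAGS"; then verdict="respected"
    else verdict="overridden"; fi
    printf '%s -> %s (user choice %s)\n' \
        "$order" "$(effective_ssp "$order")" "$verdict"
done
```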