| Summary: | net-misc/openssh: add USE=pie to control PIE support | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | David Kredba <kredba> |
| Component: | [OLD] Core system | Assignee: | Gentoo's Team for Core System packages <base-system> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | bug, hardened |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | AMD64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 507434 | | |
| Attachments: | config.log.gz, build.log.gz | | |
Description

David Kredba, 2014-03-16 07:36:33 UTC

Created attachment 372794 [details]: config.log.gz
Created attachment 372796 [details]: build.log.gz
i think you misread things. you gave ssh.i as an input and that needs -fPIE. the openssh build system doesn't do that -- it compiles everything with -fPIE and links with -pie.

The problem for me is that I want to use LTO. But do not want -fPIE system wide which would be impossible. So do not have -fPIE in CFLAGS nor in LDFLAGS. Openssh configure is nice and does:

```
checking if x86_64-pc-linux-gnu-gcc supports compile flag -fPIE... yes
checking if x86_64-pc-linux-gnu-gcc supports link flag -pie... yes
checking whether both -fPIE and -pie are supported... yes
```

and then it forces -fPIE to compilation but not to link time. Example, -fPIE is in use:

```
x86_64-pc-linux-gnu-gcc -flto=4 -fuse-linker-plugin -O2 -ggdb -pipe -march=core2 -mtune=core2 -mno-3dnow -mno-sse4.2 -mno-avx -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib64/misc/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib64/misc/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib64/misc/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib64/misc/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sftp-glob.c
```

And here it is not:

```
x86_64-pc-linux-gnu-gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o roaming_client.o -L. -Lopenbsd-compat/ -flto=4 -fuse-linker-plugin -Wl,--as-needed -Wl,-O2 -Wl,-flto -O2 -ggdb -pipe -march=core2 -mtune=core2 -mno-3dnow -mno-sse4.2 -mno-avx -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -flto=4 -fuse-linker-plugin -Wl,--as-needed -Wl,-O2 -Wl,-flto -O2 -ggdb -pipe -march=core2 -mtune=core2 -mno-3dnow -mno-sse4.2 -mno-avx -pie -lssh -lopenbsd-compat -lssl -lcrypto -ldl -lutil -lz -lnsl -lcrypt -lresolv -lpthread
x86_64-pc-linux-gnu-gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o audit.o audit-bsm.o audit-linux.o platform.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o sftp-server.o sftp-common.o roaming_common.o roaming_serv.o sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o sandbox-seccomp-filter.o sandbox-capsicum.o -L. -Lopenbsd-compat/ -flto=4 -fuse-linker-plugin -Wl,--as-needed -Wl,-O2 -Wl,-flto -O2 -ggdb -pipe -march=core2 -mtune=core2 -mno-3dnow -mno-sse4.2 -mno-avx -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -flto=4 -fuse-linker-plugin -Wl,--as-needed -Wl,-O2 -Wl,-flto -O2 -ggdb -pipe -march=core2 -mtune=core2 -mno-3dnow -mno-sse4.2 -mno-avx -pie -lssh -lopenbsd-compat -lwrap -lpam -lssl -lcrypto -ldl -lutil -lz -lnsl -lcrypt -lresolv -lpthread
x86_64-pc-linux-gnu-gcc -o ssh-add ssh-add.o -L. -Lopenbsd-compat/ -flto=4 -fuse-linker-plugin -Wl,--as-needed -Wl,-O2 -Wl,-flto -O2 -ggdb -pipe -march=core2 -mtune=core2 -mno-3dnow -mno-sse4.2 -mno-avx -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -flto=4 -fuse-linker-plugin -Wl,--as-needed -Wl,-O2 -Wl,-flto -O2 -ggdb -pipe -march=core2 -mtune=core2 -mno-3dnow -mno-sse4.2 -mno-avx -pie -lssh -lopenbsd-compat -lssl -lcrypto -ldl -lutil -lz -lnsl -lcrypt -lresolv -lpthread
x86_64-pc-linux-gnu-gcc -o ssh-keygen ssh-keygen.o -L. -Lopenbsd-compat/ -flto=4 -fuse-linker-plugin -Wl,--as-needed -Wl,-O2 -Wl,-flto -O2 -ggdb -pipe -march=core2 -mtune=core2 -mno-3dnow -mno-sse4.2 -mno-avx -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -flto=4 -fuse-linker-plugin -Wl,--as-needed -Wl,-O2 -Wl,-flto -O2 -ggdb -pipe -march=core2 -mtune=core2 -mno-3dnow -mno-sse4.2 -mno-avx -pie -lssh -lopenbsd-compat -lssl -lcrypto -ldl -lutil -lz -lnsl -lcrypt -lresolv -lpthread
/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.0-alpha20140317/../../../../x86_64-pc-linux-gnu/bin/ld: /var/tmp/portage/net-misc/openssh-6.6_p1/temp/ccBEpZqG.ltrans1.ltrans.o: relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/var/tmp/portage/net-misc/openssh-6.6_p1/temp/ccBEpZqG.ltrans1.ltrans.o: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
```

So I have to add it to LDFLAGS by hand. I was thinking that it would be nice if the ebuild could do it for me and add -fPIE to the link command if LTO is detected. Thank you.

(In reply to David Kredba from comment #4)

again, i think you read the comment in the upstream report wrong. they didn't say "you need to always use -fPIE when linking", they said "in the command you posted where you attempted to *compile and link in one command*, you need to use -fPIE". it is not impossible to do system-wide PIE support ... we already do this w/the hardened project.

Thank you. You are right that they said this. And I only said that I do not want -fpie system wide (and was wrong that it is impossible). So I asked if the maintainer can think about including it in the build logic or not. My "solution" is to have an openssh.conf file in /etc/portage/env.d and enable its usage in the portage.env file.

the current openssh logic for PIE isn't optional. we probably should put it behind USE=pie (but default it to on).

should be all set now in the tree; thanks for the report!

Commit message: Add USE=pie to control building sshd as a PIE
http://sources.gentoo.org/net-misc/openssh/openssh-6.6.1_p1-r4.ebuild?r1=1.1&r2=1.2
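The thread turns on one mechanism: with LTO the real code generation happens at link time, in the ltrans objects named in the ld error, so a position-independence flag that is only on the compile lines never reaches the code that actually gets linked into the -pie executable. Whether the flag arrives via the ebuild's USE=pie handling or via a per-package LDFLAGS override, what the packager wants afterwards is a check that the installed binary really is a PIE and kept the -z relro and -z noexecstack properties visible in the link lines above. The script below is an added example written for this page; it is not code from the bug, from openssh or from the Gentoo ebuild. It reads only the ELF64 header and program headers (little-endian ELF64 only, which is what the x86_64 build here produces), and the three sample images it runs against are constructed inside the script, not real binaries.

```python
"""Minimal ELF64 hardening check: PIE, RELRO and non-executable stack.

Added example for this bug page; not code from openssh, the Gentoo ebuild or the bug.
Handles little-endian ELF64 only (what the x86_64 build in the bug produces).
"""
import struct
import sys

# ELF constants from the ELF/gABI specification.
ET_EXEC, ET_DYN = 2, 3
PT_INTERP = 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
EM_X86_64 = 62

ELF64_EHDR = "<16sHHIQQQIHHHHHH"  # 64-byte ELF header
ELF64_PHDR = "<IIQQQQQQ"          # 56-byte program header


def parse_program_headers(data: bytes):
    """Return (e_type, [(p_type, p_flags), ...]) for a little-endian ELF64 image."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = struct.unpack_from(ELF64_EHDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(data):
            raise ValueError("program header table runs past end of file")
        p_type, p_flags = struct.unpack_from("<II", data, off)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def hardening_report(data: bytes) -> dict:
    """Classify the image the way a packager checking the build result would."""
    e_type, phdrs = parse_program_headers(data)
    types = {t for t, _ in phdrs}
    stack_flags = [f for t, f in phdrs if t == PT_GNU_STACK]
    return {
        # A PIE is ET_DYN *and* carries a PT_INTERP segment; a shared library is
        # ET_DYN without one, and a traditional executable is ET_EXEC.
        "pie": e_type == ET_DYN and PT_INTERP in types,
        # -Wl,-z,relro makes the linker emit a PT_GNU_RELRO segment.
        "relro": PT_GNU_RELRO in types,
        # -Wl,-z,noexecstack clears PF_X on PT_GNU_STACK; with no PT_GNU_STACK at all
        # the loader falls back to an executable stack, so that counts as unsafe too.
        "noexecstack": bool(stack_flags) and not (stack_flags[0] & PF_X),
    }


def build_sample(e_type: int, phdrs) -> bytes:
    """Construct a headers-only ELF64 image (constructed test input, not a real binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, version 1
    ehdr = struct.pack(ELF64_EHDR, ident, e_type, EM_X86_64, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack(ELF64_PHDR, t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


# Constructed samples: a hardened PIE link, a non-PIE link with an executable
# stack, and a shared library (ET_DYN but no interpreter).
PIE_SAMPLE = build_sample(ET_DYN, [(PT_INTERP, 4), (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
NONPIE_SAMPLE = build_sample(ET_EXEC, [(PT_INTERP, 4), (PT_GNU_STACK, 7)])
SHLIB_SAMPLE = build_sample(ET_DYN, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 elfcheck.py /usr/sbin/sshd
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], hardening_report(fh.read()))
    else:
        for name, img in (("pie", PIE_SAMPLE), ("non-pie", NONPIE_SAMPLE), ("shlib", SHLIB_SAMPLE)):
            print(name, hardening_report(img))
```

Run it against the installed sshd after an emerge to confirm the USE=pie result ("pie": True together with "relro" and "noexecstack"); the ET_DYN-plus-PT_INTERP test is what separates a PIE from a shared object, which `file`-style checks that only look at the e_type cannot do.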