Bug 62674 - Verify linker flags of suids ( Strict Security QA )
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core
Hardware: All All
Importance: High normal
Assignee: Portage team
Keywords: InVCS
Reported: 2004-09-02 18:02 UTC by solar (RETIRED)
Modified: 2004-10-22 08:48 UTC

Attachments:
(,1.41 KB, patch) 2004-09-02 18:03 UTC, solar (RETIRED)
(,1.16 KB, patch) 2004-09-04 10:11 UTC, solar (RETIRED)
'readelf -d' of suid binary: 'append-ldflags -Wl,-z,now' (satya_suid_readelf.txt,1.22 KB, text/plain) 2004-09-07 01:24 UTC, Christian Andreetta (RETIRED)
(,1.17 KB, patch) 2004-09-08 19:21 UTC, solar (RETIRED)
(,827 bytes, patch) 2004-09-30 19:46 UTC, solar (RETIRED)

Description solar (RETIRED) gentoo-dev 2004-09-02 18:02:07 UTC
As per user comments on distribution of security fixes

This change will require all developers to make sure all objects have non-lazy runtime bindings.
Comment 1 solar (RETIRED) gentoo-dev 2004-09-02 18:03:17 UTC
Created attachment 38789 [details, diff]

Patch for
Comment 2 solar (RETIRED) gentoo-dev 2004-09-04 10:11:46 UTC
Created attachment 38917 [details, diff]

Round #2
 We ignore static executables now.
 We no longer incr the UNSAFE variable in order to give developers ample time
to update ebuilds.
 I removed an extra block of code I had in the first patch which was only meant
to be in my local copy.
Comment 3 Christian Andreetta (RETIRED) gentoo-dev 2004-09-06 02:22:35 UTC
I tried to apply the 'append-ldflags -Wl,-z,now' instruction, but the binary contains only the flag 'NOW', not 'BIND_NOW'. The ld man page says that's the same (I think ;) ), but (obviously) the 'egrep "(FLAGS)(.*)BIND_NOW"' doesn't recognize it...
Am I missing something, or could this also be spelled 'egrep "(FLAGS)(.*)NOW"'?
PS: gcc-3.3.4, libtool-1.5.2-r5
Comment 4 solar (RETIRED) gentoo-dev 2004-09-06 07:11:14 UTC
Could you please post the output of:

readelf -d $binary 
Comment 5 Christian Andreetta (RETIRED) gentoo-dev 2004-09-07 01:24:34 UTC
Created attachment 39116 [details]
'readelf -d' of suid binary: 'append-ldflags -Wl,-z,now'

Flags at the 'FLAGS_1' position were made by the '-Wl,-z,now' gcc opt.
'/usr/bin/ld', in my system, belongs to packages binutils, nasm, openldap,
bin86 and glibc, in this install order (as per /var/log/emerge.log).
Comment 6 solar (RETIRED) gentoo-dev 2004-09-07 05:50:06 UTC
I'm using:
readelf -v | head -n1 
GNU readelf 20040303

With GNU readelf 20040114
it looks like we will have to use 
| egrep '\(FLAGS(.*)NOW'
I'll update the patch later today.
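
Added example, not part of the bug thread or of the Portage patch: a shell sketch that runs the strict pattern from comment 3 and the relaxed pattern from comment 6 over constructed `readelf -d` samples. The function names, the sample text and the static-binary check (matching readelf's "There is no dynamic section" message) are assumptions.

```shell
#!/bin/sh
# Added example: compare the two egrep patterns from the thread on
# constructed `readelf -d` output. All sample text below is constructed.

# readelf that decodes DT_FLAGS as BIND_NOW (the form the first patch expected)
sample_bind_now=' 0x00000001 (NEEDED)    Shared library: [libc.so.6]
 0x0000001e (FLAGS)     BIND_NOW
 0x6ffffffb (FLAGS_1)   Flags: NOW'

# only FLAGS_1 shows NOW (the case reported in comment 3)
sample_flags1_only=' 0x00000001 (NEEDED)    Shared library: [libc.so.6]
 0x6ffffffb (FLAGS_1)   Flags: NOW'

# lazy binding: no NOW flag anywhere in the dynamic section
sample_lazy=' 0x00000001 (NEEDED)    Shared library: [libc.so.6]
 0x00000015 (DEBUG)     0x0'

# static executable: readelf reports that there is no dynamic section
sample_static='There is no dynamic section in this file.'

# Strict pattern from comment 3 (unescaped parentheses are ERE groups).
strict_match() {
    printf '%s\n' "$1" | grep -Eq '(FLAGS)(.*)BIND_NOW'
}

# Relaxed pattern from comment 6: literal "(FLAGS", then anything, then NOW.
relaxed_match() {
    printf '%s\n' "$1" | grep -Eq '\(FLAGS(.*)NOW'
}

# Classify readelf -d text as static, bind-now or lazy.
# Assumption: static binaries are recognised by readelf's message.
classify() {
    if printf '%s\n' "$1" | grep -q 'There is no dynamic section'; then
        echo static
    elif relaxed_match "$1"; then
        echo bind-now
    else
        echo lazy
    fi
}

# Hypothetical helper for a real file: check_binary /path/to/suid-binary
check_binary() {
    classify "$(readelf -d "$1" 2>&1)"
}
```

The strict pattern misses the FLAGS_1-only sample, which is the false QA warning reported in comment 3; the relaxed pattern accepts both forms and still rejects the lazy sample.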
Comment 7 solar (RETIRED) gentoo-dev 2004-09-08 19:21:19 UTC
Created attachment 39232 [details, diff]

Update. This should work with all known revisions of binutils now.
Comment 8 Nicholas Jones (RETIRED) gentoo-dev 2004-09-08 21:30:42 UTC
Comment 9 solar (RETIRED) gentoo-dev 2004-09-30 19:46:45 UTC
Created attachment 40828 [details, diff]

Attached is an update to the QA notice. It now shifts the notice from being
targeted at developers to users, who are soon to be seeing the msg and opening
bugs with respective maintainers who have missed it up to this point.
Current portage release is sys-apps/portage-2.0.51_rc6
Comment 10 Kathy Wills 2004-10-16 13:26:10 UTC
I thought according to this the developers were supposed to do something about this. What happens when the developer refuses to do anything about the problem, as is the case with this bug:
Comment 11 solar (RETIRED) gentoo-dev 2004-10-16 14:16:14 UTC
donnie is not refusing to do anything about it. The facts are that xorg itself won't function properly with said flag. Xorg devs already know this and even coded special workarounds.
Comment 12 Kathy Wills 2004-10-16 14:36:00 UTC
Then can something be done to stop the qa message about xorg? Maybe I'm understanding things wrong when I read that in a certain period of time it will be or can be marked as unsafe and will not build. Of course this has not happened yet, but I don't want it to happen.
Comment 13 SpanKY gentoo-dev 2004-10-16 14:38:28 UTC
just because the problem is known doesn't mean we can ignore it

it serves as a reminder for now
Comment 14 Nicholas Jones (RETIRED) gentoo-dev 2004-10-22 08:48:08 UTC
Bug has been fixed and released in stable portages on or before 2.0.51-r2