[ubuntu-hardened] Probably not in time for Hardy, but just maybe...

Kees Cook kees at ubuntu.com
Thu Mar 27 23:45:15 GMT 2008


On Thu, Mar 27, 2008 at 04:27:58PM -0700, Jeff Schroeder wrote:
> Is there a sane way to get the compile flags without having every
> single source archive in the repository to see what is PIE and whats
> not?

I outlined[1] a few of the ways to see the effects of compile flags, but
some (-Wformat) don't show up since they're entirely preprocessor, and
some are hard to see (-D_FORTIFY_SOURCE=2) since it just looks like a
program never uses any unbounded functions.

In the case of PIE, it's pretty easy -- if "file" shows it as "shared
object" and it's not named ".so", it's almost certainly compiled with
PIE.

> Is avahi on that list? Even with a chroot, it worries me that it is
> installed and listening by default.

Doesn't look like it:
$ file /usr/sbin/avahi-daemon
/usr/sbin/avahi-daemon: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), for GNU/Linux 2.6.8, dynamically linked (uses shared libs), stripped

I wouldn't worry about avahi -- it has virtually no privs and is stuffed
in a chroot.  :)

-Kees


[1] http://wiki.debian.org/Hardening

-- 
Kees Cook
Ubuntu Security Team
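The PIE heuristic above (ELF "shared object" that is not named .so) can be applied directly to the ELF header rather than to the text output of "file": e_type is ET_EXEC for a classic executable and ET_DYN for both shared libraries and PIE binaries. This is an added example, not code from the thread; the sample headers it builds are constructed for offline testing and are not real binaries.

```python
import struct
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3          # e_type values from the ELF specification
EM_X86_64 = 62


def elf_type(data: bytes) -> int:
    """Return e_type from the first bytes of an ELF file (32/64-bit, either endianness)."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_data = data[5]           # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_data == 1:
        endian = "<"
    elif ei_data == 2:
        endian = ">"
    else:
        raise ValueError("unknown ELF data encoding")
    return struct.unpack(endian + "H", data[16:18])[0]   # e_type sits at offset 16


def pie_verdict(name: str, data: bytes) -> str:
    """Apply the thread's heuristic: ET_DYN ('shared object') and not named .so => PIE."""
    t = elf_type(data)
    if t == ET_EXEC:
        return "not PIE (ET_EXEC, 'file' reports 'executable')"
    if t == ET_DYN:
        if name.endswith(".so") or ".so." in name:
            return "shared library (ET_DYN, named .so)"
        return "probably PIE (ET_DYN, 'file' reports 'shared object')"
    return f"other ELF type {t}"


def check_path(path: str) -> str:
    """Read just the ELF header of a file on disk and classify it."""
    with open(path, "rb") as f:
        return pie_verdict(Path(path).name, f.read(64))


def sample_header(e_type: int, endian: str = "<", elf64: bool = True) -> bytes:
    """Constructed minimal ELF header (e_ident + e_type + e_machine) for offline tests."""
    ei_class = 2 if elf64 else 1
    ei_data = 1 if endian == "<" else 2
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1]) + b"\0" * 9   # 16-byte e_ident
    return ident + struct.pack(endian + "HH", e_type, EM_X86_64)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, "->", check_path(p))
```

Newer releases of "file" print "pie executable" explicitly, so on a current system the text output alone already separates the two cases.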
