[ubuntu-hardened] Missing some hardening flags for a few apps.

Jamie Strandboge jamie at canonical.com
Fri Nov 30 18:00:13 UTC 2012


On 11/30/2012 08:49 AM, daniel curtis wrote:
> Hello,
> 
> I have noticed that a few applications[1] in Xubuntu do not have
> enabled/set,
> for example, a Position Independent Executable, Fortify Source functions or
> Immediate binding. All of these options are marked as: no, not found! or
> no, normal executable!
> 
> I would like to ask if it is normal and if it is done specifically?
> 
This is normal. Fortify source should be enabled in all builds unless it
is explicitly turned off. However, if the examined binary doesn't use
any of the functions that would benefit from fortify source, then the
reporting tool can't determine if it was compiled with fortify source or
not.

As for PIE and BIND_NOW, these are disabled by default and opt-in for
packages that want them. The reason PIE is like this is because it can
introduce a performance penalty on some architectures like i386. I don't
recall why BIND_NOW is off by default-- presumably for the same reason
(maybe someone else on the list can comment). See our wiki[1] for more
details.

If there are packages that you feel would benefit from enabling PIE,
then I suggest filing a bug against the package with `ubuntu-bug <pkg>`.

[1] https://wiki.ubuntu.com/Security/Features

-- 
Jamie Strandboge                 http://www.ubuntu.com/
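
The reporting behaviour discussed in this message, as an added example that is not part of the original e-mail or of any Ubuntu tool: a checker that reads `readelf` output and returns "unknown" for fortify source when the binary imports nothing that fortify could protect. The names `classify`, `inspect` and `FORTIFIABLE`, the short function list, and the DT_DEBUG heuristic for telling a PIE from a shared library are assumptions of this sketch.

```python
import re
import subprocess

# Assumption: a small subset of the libc functions that have __*_chk variants.
FORTIFIABLE = {"memcpy", "memset", "strcpy", "strcat", "sprintf", "snprintf", "read"}

def classify(readelf_text):
    """Classify hardening from `readelf -W -h -d --dyn-syms` output."""
    etype = re.search(r"^\s*Type:\s+(\w+)", readelf_text, re.M)
    is_dyn = etype is not None and etype.group(1) == "DYN"
    # Heuristic: a DYN object carrying DT_DEBUG is an executable, not a library.
    has_debug = "(DEBUG)" in readelf_text
    pie = "yes" if is_dyn and has_debug else "shared library" if is_dyn else "no"

    # Immediate binding shows up as DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW.
    now = re.search(r"\(BIND_NOW\)|\(FLAGS\).*\bBIND_NOW\b|\(FLAGS_1\).*\bNOW\b",
                    readelf_text)

    # Undefined (imported) symbols; \w+ stops before any @GLIBC version suffix.
    imports = set(re.findall(r"[ \t]UND[ \t]+(\w+)", readelf_text))
    checked = {n for n in imports if re.fullmatch(r"__\w+_chk", n)}
    if checked:
        fortify = "yes"
    elif imports & FORTIFIABLE:
        fortify = "no"
    else:
        # Nothing fortifiable is imported, so the build flag leaves no trace.
        fortify = "unknown"
    return {"pie": pie, "bind_now": "yes" if now else "no", "fortify": fortify}

def inspect(path):
    """Run readelf (binutils, assumed installed) on a real binary."""
    out = subprocess.run(["readelf", "-W", "-h", "-d", "--dyn-syms", path],
                         capture_output=True, text=True, check=True).stdout
    return classify(out)

# Constructed readelf excerpt: non-PIE executable that only imports puts().
SAMPLE = """\
  Type:                              EXEC (Executable file)
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x0000000000000015 (DEBUG)              0x0
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (2)
"""

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A result of "unknown" here says nothing about how the package was built; only "no" (an unchecked fortifiable import with no `__*_chk` symbols at all) points at a build without fortify source.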
