[ubuntu-hardened] apache2 and hardening flags: hardening-wrapper and buildflags.mk

Seth Arnold seth.arnold at canonical.com
Tue Jan 7 02:58:11 UTC 2014


On Mon, Jan 06, 2014 at 05:52:26PM +0000, Robie Basak wrote:
> I'm preparing a merge for apache against Debian apache2 2.4.7-1. Ubuntu is
> currently at 2.4.6-2ubuntu4 in Trusty.

Thanks! There's a lot here, most of it best left to others, but I can
comment on this section here:

> # hardening-check /usr/sbin/apache2
> /usr/sbin/apache2:
>  Position Independent Executable: yes
>  Stack protected: yes
>  Fortify Source functions: yes (some protected functions found)
>  Read-only relocations: yes
>  Immediate binding: yes
> 
> # hardening-check /usr/lib/apache2/modules/mod_dav.so
> /usr/lib/apache2/modules/mod_dav.so:
>  Position Independent Executable: no, regular shared library (ignored)
>  Stack protected: yes
>  Fortify Source functions: no, only unprotected functions found!
>  Read-only relocations: yes
>  Immediate binding: yes
> 

This is fine, it just means the tool can't come to a conclusion based on
the evidence available:
Fortify Source functions: no, only unprotected functions found!

Fortify wouldn't have anything to do anyway, this object file doesn't use
any of the wrapped functions.


> From 2.4.6-2ubuntu4:
> 
> # hardening-check /usr/sbin/apache2
> /usr/sbin/apache2:
>  Position Independent Executable: yes
>  Stack protected: yes
>  Fortify Source functions: yes (some protected functions found)
>  Read-only relocations: yes
>  Immediate binding: yes
> 
> # hardening-check /usr/lib/apache2/modules/mod_dav.so
> /usr/lib/apache2/modules/mod_dav.so:
>  Position Independent Executable: no, regular shared library (ignored)
>  Stack protected: yes
>  Fortify Source functions: no, only unprotected functions found!
>  Read-only relocations: yes
>  Immediate binding: yes


Thanks!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-hardened/attachments/20140106/26586028/attachment.pgp>


More information about the ubuntu-hardened mailing list