Bug#1113774: Disabling -fcf-protection in sudo for bookworm
Hi Marcos,
On Wed, Sep 03, 2025 at 12:38:28PM +0200, Marcos Del Sol Vives wrote:
> I am surprised that bare "-fcf-protection" was enabled by default on Trixie,
> as that enables both shadow stacks (supported in user mode, actually
> protecting users with zero size overhead) and IBT (not supported in
> user-mode, doing nothing but increasing thus the size of all binaries)
It also is enabled in forky/sid. While we somewhat disagree on the
importance of old i386 hardware on this matter, would you mind
additionally questioning the usefulness of -fcf-protection (=full) as
opposed to -fcf-protection=return to the project? I suggest that you
report a wishlist bug against dpkg-dev (which contains our default build
flags) and X-Debbugs-Cc: debian-devel@lists.debian.org to try to change
this for unstable.
Let me also note that Ubuntu sets -fcf-protection=none on amd64. The
original bug adding -fcf-protection is #1021292. According to Wookey,
RedHat enterprise sets -fcf-protection since 2018.
> Enabling "-fcf-protection=return" for Trixie which compiles with only
> shadow stacks would have resulted in smaller binaries with the same level
> of protection (and also would fix the issue with "sudo" for these i686).
This feels like a rather convincing case for changing our distribution
default from -fcf-protection (with implied value "full") to
-fcf-protection=return.
One of Marc's complaints is that removing the flag could lower security.
Now you indicate that removing "half" of the flag would be sufficient
for your cause and that the other half could still have a positive
effect.
Beware that we will also take the affected user base and timeline into
account. Even if the TC ends up agreeing with the technical presentation
given, we may still favour not changing sudo in bookworm given an
expectation of this affecting too few relevant machines and users.
Helmut
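The distinction drawn above between -fcf-protection=full (IBT plus shadow stack) and -fcf-protection=return (shadow stack only) is recorded in each built binary as feature bits in its .note.gnu.property section. The following decoder is an added example, not code from this thread or from dpkg/sudo; it assumes the ELF64 little-endian x86-64 note layout and operates on note bytes it constructs itself, so it can be run offline to see which -fcf-protection value a given set of marker bits corresponds to.

```python
import struct

# ELF note type and x86 property constants from the GNU ELF extensions.
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0    # set by -fcf-protection=branch and =full
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1  # set by -fcf-protection=return and =full

ALIGN = 8  # note field alignment for ELF64 .note.gnu.property (assumption: x86-64)


def build_property_note(feature_bits: int) -> bytes:
    """Construct (not read from a real binary) a .note.gnu.property blob
    carrying one GNU_PROPERTY_X86_FEATURE_1_AND entry with the given bits."""
    prop = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, feature_bits)
    prop += b"\0" * (-len(prop) % ALIGN)          # pad pr_data to alignment
    name = b"GNU\0"
    header = struct.pack("<III", len(name), len(prop), NT_GNU_PROPERTY_TYPE_0)
    return header + name.ljust(ALIGN, b"\0") + prop


def parse_cet_features(note: bytes) -> dict:
    """Decode the x86 feature bits and report which CET features the
    binary is marked as supporting (IBT and/or shadow stack)."""
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    off = 12
    name = note[off:off + namesz]
    if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
        raise ValueError("not a GNU property note")
    off += (namesz + ALIGN - 1) // ALIGN * ALIGN
    desc = note[off:off + descsz]
    features, pos = 0, 0
    while pos + 8 <= len(desc):                    # walk pr_type/pr_datasz/pr_data entries
        pr_type, pr_datasz = struct.unpack_from("<II", desc, pos)
        pos += 8
        if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
            features = struct.unpack_from("<I", desc, pos)[0]
        pos += (pr_datasz + ALIGN - 1) // ALIGN * ALIGN
    return {"ibt": bool(features & GNU_PROPERTY_X86_FEATURE_1_IBT),
            "shstk": bool(features & GNU_PROPERTY_X86_FEATURE_1_SHSTK)}


def describe_cf_protection(note: bytes) -> str:
    """Map the marker bits back to the -fcf-protection value that emits them."""
    f = parse_cet_features(note)
    if f["ibt"] and f["shstk"]:
        return "full"
    return "return" if f["shstk"] else "branch" if f["ibt"] else "none"


if __name__ == "__main__":
    for bits in (3, GNU_PROPERTY_X86_FEATURE_1_SHSTK, 0):
        print(bits, describe_cf_protection(build_property_note(bits)))
```

On a real system the same bits are what `readelf -n` prints under "x86 feature: IBT, SHSTK" for a binary, so the decoder can be pointed at the extracted note of a shipped sudo to confirm which variant it was built with.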