
Re: Bits from dpkg developers - dpkg 1.16.1



On Fri, Sep 23, 2011 at 11:53:36AM +0200, Marco d'Itri wrote:
> On Sep 23, Raphael Hertzog <hertzog@debian.org> wrote:
> 
> >   Two hardening features are not enabled by default: PIE and bindnow.
> Why?

I guess because they have more impact on performance than the others.

> >   If your package supports PIE, you might want to consider enabling it.
> >   If the binaries are long running processes like daemons, and as such
> >   the startup performance penalty of “bindnow” is acceptable, it might
> >   be a good idea to enable it too but only if relro is in effect,
> >   although another option might be to just define LD_BIND_NOW=1 on the
> >   daemon's environment (for example in the init.d script), in which case
> >   the sysadmin can always disable it, something that's not possible with
> >   the build option.
> I believe that developers would benefit from more detailed
> recommendations.
> In other words, just say clearly who should enable these features (and
> why).

It has already been discussed here, and there are already pages describing
it and people committed to helping this goal be reached for the next release.

http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
http://anonscm.debian.org/viewvc/secure-testing/hardening/

bert.
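The three properties discussed above (PIE, RELRO, and bindnow) are all visible in the ELF file itself, so a package maintainer can verify the result of a rebuild rather than trust that the flags from dpkg-buildflags (for dpkg 1.16.1, DEB_BUILD_MAINT_OPTIONS=hardening=+pie,+bindnow in debian/rules) actually reached the linker. The checker below is an added example, not code from this thread, dpkg, or the hardening wiki pages; it reads only the ELF64 little-endian layout from elf.h (PIE is inferred from ET_DYN, RELRO from a PT_GNU_RELRO segment, bindnow from DT_BIND_NOW, DT_FLAGS/DF_BIND_NOW, or DT_FLAGS_1/DF_1_NOW in the dynamic section). The build_elf64 helper is a constructed fixture so the checks can be exercised offline; it is not a real toolchain output.

```python
"""Check an ELF64 binary for the PIE / RELRO / bindnow hardening properties.

Added example (not from the thread or from dpkg). Assumes a little-endian ELF64
image, which covers Debian amd64; other classes are rejected rather than guessed.
"""
import struct
import sys

# Constants from elf.h
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EM_X86_64 = 62

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def hardening_status(data: bytes) -> dict:
    """Return {'pie', 'relro', 'bindnow'} booleans for one ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    # An executable linked with -pie is ET_DYN; a plain executable is ET_EXEC.
    # (A shared library is also ET_DYN, so apply this check to executables.)
    pie = e_type == ET_DYN

    relro = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:      # -z relro: GOT made read-only after relocation
            relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    # -z now shows up as DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS, or DF_1_NOW in DT_FLAGS_1.
    bindnow = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, DYN.size):
            d_tag, d_val = DYN.unpack_from(data, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bindnow = True
    return {"pie": pie, "relro": relro, "bindnow": bindnow}


def full_relro(status: dict) -> bool:
    """Bindnow only pays off when RELRO is in effect: both together give 'full RELRO'."""
    return status["relro"] and status["bindnow"]


def build_elf64(e_type: int, relro: bool, dyn_entries) -> bytes:
    """Constructed fixture: a minimal ELF64 image with PT_DYNAMIC and optional PT_GNU_RELRO."""
    phdr_types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    phoff = EHDR.size
    dyn_off = phoff + PHDR.size * len(phdr_types)
    dyn = b"".join(DYN.pack(t, v) for t, v in dyn_entries) + DYN.pack(DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, ELFDATA2LSB
    ehdr = EHDR.pack(ident, e_type, EM_X86_64, 1, 0, phoff, 0, 0,
                     EHDR.size, PHDR.size, len(phdr_types), 0, 0, 0)
    phdrs = b""
    for p_type in phdr_types:
        off, size = (dyn_off, len(dyn)) if p_type == PT_DYNAMIC else (0, 0)
        phdrs += PHDR.pack(p_type, 4, off, off, off, size, size, 8)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            status = hardening_status(f.read())
        print(path, status, "full RELRO" if full_relro(status) else "no full RELRO")
```

Run it as `python3 check_hardening.py /usr/sbin/somedaemon`; the same facts are what `readelf -h`, `readelf -l` and `readelf -d` print by hand. Note that the LD_BIND_NOW=1 alternative mentioned in the quoted text is a loader setting and leaves no trace in the binary, so this check reports bindnow only when it was linked in.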

