
Re: Bits from dpkg developers - dpkg 1.16.1



On Tue, Sep 27, 2011 at 06:01:54PM -0700, Kees Cook wrote:
> On Fri, Sep 23, 2011 at 08:17:54AM +0200, Raphael Hertzog wrote:
> >   Two hardening features are not enabled by default: PIE and bindnow.
> >   If your package supports PIE, you might want to consider enabling it.
> >   If the binaries are long running processes like daemons, and as such
> >   the startup performance penalty of “bindnow” is acceptable, it might
> >   be a good idea to enable it too but only if relro is in effect,
> >   although another option might be to just define LD_BIND_NOW=1 on the
> >   daemon's environment (for example in the init.d script), in which case
> >   the sysadmin can always disable it, something that's not possible with
> >   the build option.
> 
> Just to be explicit, PIE tends to have small (<1%) performance hits on
> register-starved architectures (i386) in most cases, but for certain
> workloads (e.g. python) the hit is large (~15%). On architectures with plenty
> of registers (amd64) there's virtually no measurable performance hit that
> I've seen.

By the way – and please pardon me if it is too naive a question – does this
recommendation of building packages with PIE when possible make obsolete the
recommendation of Policy's §10.2 to not build static libraries with -fPIC?

  http://www.debian.org/doc/debian-policy/ch-files.html#s-libraries

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

