
Re: Can not disable lintian Information hardening-no-fortify-functions usr/bin/at



On Thu, Jun 30, 2016 at 02:59:39PM +0000, Niels Thykier wrote:
> Jose M Calhariz:
> > Hi,
> > 
> > I am investigating why I can turn off the lintian information
> > hardening-no-fortify-functions.  In the beginning of my debian/rules I
> > have:
> > 
> > export DEB_BUILD_MAINT_OPTIONS=hardening=+all
> > 
> > What am I doing wrong?
> > How can I debug if the hardening is really on the binaries?
> > 
> > The complete lintian messages from the at package are:
> > 
> > lintian -I --pedantic at_3.1.20-1_amd64.changes 
> > P: at source: debian-watch-may-check-gpg-signature
> > I: at: hardening-no-fortify-functions usr/bin/at
> > I: at: hardening-no-fortify-functions usr/sbin/atd
> > N: 4 tags overridden (4 warnings)
> > 
> > 
> 
> Hi Jose,
> 
> Please verify that the CPPFLAGS are passed to the compiler (a lot of
> build systems fail to pass exactly CPPFLAGS on).  The general
> recommendation is to use "blhc" for this purpose.
> 
> If you pass CPPFLAGS on correctly, then there is nothing more you can
> do.  There are some known false-positives (the actual tool checking is
> "hardening-check"), which cannot be fixed.  You may want to override the
> tags if this is the case.
>

hardening-check at atd
at:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes
atd:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes

I think from this and:

gcc -c -I. -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -DHAVE_CONFIG_H -DVERSION=\"3.1.19\" -DETCDIR=\"/etc\" -DLOADAVG_MX=1.5 -DDAEMON_USERNAME=\"daemon\" -DDAEMON_GROUPNAME=\"daemon\" -DLFILE=\"/var/spool/cron/atjobs/.SEQ\" -Wall at.c

The flags are enabled and most protections are in place, right?

Is this a false positive?

> Thanks,
> ~Niels
> 
> 
>

Kind regards
Jose M Calhariz

-- 
--

Putting sugar on wounds is as bad as putting salt

--Yevgeny Yevtushenko
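
The build-log check that the reply recommends blhc for, reduced to the flags in this thread, as an added example that is not part of the original message and not blhc's own code. The function names, the expected-flag list (assumed to be what dpkg-buildflags emitted for hardening=+all in 2016) and the sample log are assumptions made for the illustration.

```shell
# Added example: list hardening flags absent from compile lines in a build log.
# Assumption: the expected set is what dpkg-buildflags emitted for hardening=+all
# in 2016 (-D_FORTIFY_SOURCE=2 via CPPFLAGS, the others via CFLAGS).
EXPECTED="-fPIE -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2"

# missing_flags "<command>": print expected flags not present as whole words.
missing_flags() {
    cmd=" $1 "; out=""
    for flag in $EXPECTED; do
        case "$cmd" in
            *" $flag "*) ;;
            *) out="$out $flag" ;;
        esac
    done
    # glibc only fortifies when optimisation is on, so require an -O level too.
    case "$cmd" in
        *" -O"[123s]" "*) ;;
        *) out="$out -O<level>" ;;
    esac
    printf '%s\n' "${out# }"
}

# scan_log: read a build log on stdin and print "<source>: <missing flags|ok>"
# for every gcc/cc line that compiles (-c); other lines are skipped.
scan_log() {
    while IFS= read -r line; do
        case "$line" in "gcc "*|"cc "*) ;; *) continue ;; esac
        case " $line " in *" -c "*) ;; *) continue ;; esac
        miss=$(missing_flags "$line")
        printf '%s: %s\n' "${line##* }" "${miss:-ok}"
    done
}

# Constructed sample log: line 2 is the at.c command quoted in the message with
# its -D path defines dropped; line 3 is a constructed line that passes CPPFLAGS.
sample_log() {
    cat <<'EOF'
make: Entering directory '/build/pkg'
gcc -c -I. -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -DHAVE_CONFIG_H -Wall at.c
gcc -c -I. -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -DHAVE_CONFIG_H -Wall atd.c
EOF
}

sample_log | scan_log
```

Flags are matched as whole words, so `-Wformat-security` does not count as `-Wformat`.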
