[Gluster-devel] Security hardening RELRO & PIE flags

Atin Mukherjee amukherj at redhat.com
Thu Apr 2 11:44:56 UTC 2015


I've got responses from a couple of folks, would also love to hear from others.

~Atin

On 03/31/2015 11:49 AM, Atin Mukherjee wrote:
> Folks,
> 
> There are some projects which use compiler/glibc features to strengthen
> the security claims. Popular distros suggest to harden daemons with
> RELRO/PIE flags. You could see [1] [2] [3]
> 
> Partial relro is when you have -Wl,-z,relro in the LDFLAGS for building
> libraries. Partial relro means that some ELF sections are reordered so
> that overflows in some likely sections don't affect others and the local
> offset table is readonly. To get full relro, you also need to have:
> -Wl,-z,bind_now added to LDFLAGS. What this does is make the Global
> Offset table and Procedure Lookup Table readonly. This takes
> some time, so it's only worth it for apps that have a real possibility of
> being attacked. This would be setuid/setgid/setcap and daemons. There
> are some security critical apps that can have this too. If the app
> likely parses files from an untrusted source (internet), then it might
> also want to have full relro.
> 
> To enable PIE, you would pass -fPIE -DPIE in the CFLAGS and -pie in the
> LDFLAGS. What PIE does is randomize the locations of important items
> such as the base address of an executable and position of libraries,
> heap, and stack, in a process's address space. Sometimes this is called
> ASLR. It's designed to make buffer/heap overflow, return into libc
> attacks much harder. Part of the way it does this is to make a new
> section in the ELF image that is writable to redirect function calls to
> the correct address (offsets). This has to be writable because each
> invocation will have different layouts and needs to be fixed up. So,
> when you have an application with PIE, you want full relro so that
> these sections become readonly and not part of an attacker's target areas.
> 
> I would like to hear from the community whether we should introduce
> these hardening flags in glusterfs as well.
> 
> [1] https://fedorahosted.org/fesco/ticket/563
> [2] https://wiki.debian.org/Hardening
> [3] https://wiki.ubuntu.com/Security/Features#relro
> 

-- 
~Atin

