[Gluster-devel] Security hardening RELRO & PIE flags

Niels de Vos ndevos at redhat.com
Thu Apr 2 13:08:01 UTC 2015 

On Thu, Apr 02, 2015 at 01:21:57PM +0100, Justin Clift wrote:
> On 31 Mar 2015, at 08:15, Niels de Vos <ndevos at redhat.com> wrote:
> > On Tue, Mar 31, 2015 at 12:20:19PM +0530, Kaushal M wrote:
> >> IMHO, doing hardening and security should be left the individual
> >> distributions and the package maintainers. Generally, each distribution has
> >> it's own policies with regards to hardening and security. We as an upstream
> >> project cannot decide on what a distribution should do. But we should be
> >> ready to fix bugs that could arise when distributions do hardened builds.
> >> 
> >> So, I vote against having these hardening flags added to the base GlusterFS
> >> build. But we could add the flags the Fedora spec files which we carry with
> >> our source.
> > 
> > Indeed, I agree that the compiler flags should be specified by the
> > distributions. At least Fedora and Debian do this already include
> > (probably different) options within their packaging scripts. We should
> > set the flags we need, but not more. It would be annoying to set default
> > flags that can conflict with others, or which are not (yet) available on
> > architectures that we normally do not test.
> 
> First thoughts: :)
> 
>   * We provide our own packaging scripts + distribute rpms/deb's from our
>     own site too.
> 
>     Should we investigate/try these flags out for the packages we build +
>     supply?

At least for the RPMs, we try to follow the Fedora guidelines and their
standard flags. With recent Fedora releases this includes additional
hardening flags.

>   * Are there changes in our code + debugging practises that would be needed
>     for these security hardening flags to work?
> 
>     If there are, and we don't make these changes ourselves, doesn't that
>     mean we're telling distributions they need to carry their own patch set
>     in order to have a "more secure" GlusterFS?

We have received several patches from the Debian maintainer that improve
the handling of these options. When maintainers for distrubutions build
GlusterFS and require changes, they either file bugs and/or send
patches. I think this works quite well.

Niels

More information about the Gluster-devel mailing list