Re: Security and PAX

[rhino64%epost.ch@localhost]

On Sun, Jun 07, 2015 at 04:14:20PM +0000, Christos Zoulas wrote:
> 1,2,3,4 pie...
> 
> $ cc -fpie -Wl,-pie pie.c
> $ paxctl +A ./a.out
> # sysctl -w security.pax.aslr.enable=1
> $ ./a.out
> 
> christos

Yes with your command ("cc -fpie -Wl,-pie pie.c"), it works. 

However, when compiled statically the link stage fails (as you can see).
--------------------------------------------------------------------
virtualisation# cc -fpie -Wl,-pie -Wl,-static -fPIC testASLR.c
ld: /usr/lib/libc.a(tls.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/lib/libc.a: could not read symbols: Bad value
--------------------------------------------------------------------

Is it possible to compile a program fully statically and use PIE?

My goal when compiling important programs statically 
is to avoid getting dynamic libraries everywhere in the
system and not finding them (this will not happen immediately but after
few months of use or in special conditions like the single user mode).

If a fully statically linked programme is not possible,
I can live with the libc dynamically linked (since without it
not much will work in the system). I would prefer however to have
evrything statically linked to be certain to have always the same behaviour
over the time.

An other question: is cc and gcc the same compiler under NetBSD 6.1.5?

Thanks for your help,

kind regards,