Re: Security and PAX

[rhino64%epost.ch@localhost]

On Sun, Jun 14, 2015 at 12:57:44PM -0400, Christos Zoulas wrote:
> On Jun 14,  6:39pm, rhino64%epost.ch@localhost (rhino64%epost.ch@localhost) wrote:
> -- Subject: Re: Security and PAX
> 
> | Hi,
> | 
> | finally I have tried to use these parameters to compile pseudo statically a
> | big program (zsh) but without too much succes (the linking stage failed
> | with an error with the .RODATA segment of some libs).
> 
> Hmm, what's the error? I am wondering if there is something easy to fix.
> 
I will send you this info soon. Should I recompile Userland programs and libs 
with the parameter "-fpic".  If I remember well, it was the library 
"libtermcap" (from userland) which cannot be linked and the error 
message suggested to compile it with "-fpic".

How to do that correctly? By putting the option in "/etc/mk.conf"? But how
it works when compiling a program and not a library?
> | Probably, I will have to build static executables for some usage (mainly
> | to have executable working across many version of OS and over a long
> | period of time) and dynamic for other usages (like SSH
> | or some other services where ASLR might be important).
> 
> NetBSD binaries both static and dynamic work across all versions
> of NetBSD, so no need for static binaries. If you don't believe
> me, download NetBSD-1.0 and try to run its binaries in current.
> 
That is very nice and quite uncommon these days! But what I like with
statically linked programs is that they stay like they are forever.

With dynamically linked programs, the behaviour can change if the dynamic libraries
have evolved (even if they try to stay more or less compatible). 
Since generally, old dynamic libraries are not kept when
the system evolves (except on Windows where the DLL are a true nightmare)
statically linked program have always the same behaviour.