NetBSD-Users archive


Re: Security and PAX



On Tue, Jun 16, 2015 at 02:41:45PM -0400, Christos Zoulas wrote:
> On Jun 16,  7:54pm, rhino64%epost.ch@localhost (rhino64%epost.ch@localhost) wrote:
> -- Subject: Re: Security and PAX
> 
> | However, I get a new error message when I try to do manually
> | the link command:
> | ----------------------------------------------------------------------------------------------
> | virtualisation# cc -static -Wl,-I/libexec/ld.elf_so -Wl,-pie -o zsh main.o  `cat stamp-modobjs` -lc_pic -ltermcap_pic -lrt_pic -lm_pic
> | ld: /usr/lib/libc.a(errx.o): relocation R_X86_64_32 against `.text' can not be used when making a shared object; recompile with -fPIC
> | /usr/lib/libc.a: could not read symbols: Bad value
> | ----------------------------------------------------------------------------------------------
> | 
> | I don't understand the meaning of "R_X86_64_32" well, since I compile
> | in 64 bits (what does "32" mean?), as you can see in the static version of the executable:
> 
> This means that you are picking up some code that is not PIC; the 32 here
> means 32 bit offsets.
> 
> The order of the libraries is wrong, you need to put -lc_pic last because
> the others depend on symbols from it. There is a way to cheat by repeating
> all the libraries twice :-)
> 
> christos
Hi,
   Thanks for your advice. Finally I have succeeded in compiling
ZSH as a pseudo statically linked program which is usable
with PAX.

I have done the following operations:
        1) Compile zsh statically
        2) Remove zsh in .../pkgsrc/shell/zsh/work/zsh-5.3.2/Src
        3) make -n (in the directory .../pkgsrc/shell/zsh/work/zsh-5.3.2/Src)
        4) add the needed libraries in the file "/usr/pkg/etc/mk.conf"
        5) in the directory .../pkgsrc/shell/zsh I ran the commands
                   a) bmake clean
                   b) bmake package

kind regards,

Here is my file "/usr/pkg/etc/mk.conf"
---------------------------------------------------------------------------
# Fri Jun 19 14:03:43 CEST 2015

.ifdef BSD_PKG_MK	# begin pkgsrc settings


PKG_DBDIR=		/var/db/pkg
LOCALBASE=		/usr/pkg
VARBASE=		/var
PKG_TOOLS_BIN=		/usr/pkg/sbin
PKGINFODIR=		info
PKGMANDIR=		man
#The following variables are for building executables
#with maximum security.
MKPIE=                  yes
USE_SSP=                yes
USE_FORT=               yes

CFLAGS +=               -O3 -fpie -fstack-protector-all -mfpmath=sse -msse3 -march=native

#Generally, it's better to have statically linked
#important executables to avoid problems
#with shared libs (which can disappear or be out of sync)
.if !empty(.CURDIR:M/usr/local/pkgsrc/shells/zsh*) 
   #The use of this variable is sufficient to achieve
   #the compilation of ZSH statically.
   ZSH_STATIC=yes
   LDFLAGS = -Wl,-static -Wl,-I/libexec/ld.elf_so -Wl,-pie -Wl,-start-group 
   LDFLAGS += -ltermcap_pic -lrt_pic -lm_pic -lc_pic -Wl,-end-group
.elif !empty(.CURDIR:M/usr/local/pkgsrc/converters/dos2unix*) | \
      !empty(.CURDIR:M/usr/local/pkgsrc/net/wget*)
   #In order to have fully static compilation, it is important to
   #have the static parameter as the first parameter (to avoid
   #linking with shared libs declared before the static flags).
   CFLAGS+=-static -static-libgcc
   CXXFLAGS+=-static -static-libgcc
   LDFLAGS+=-static
.endif #Statically compiled progs
.endif			# end pkgsrc settings
--------------------------------------------------------------------------------------
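
Added example, not part of the original post: a small Python check of the result of the link line above, where -Wl,-pie should give an ELF type of ET_DYN and -Wl,-I/libexec/ld.elf_so should be recorded as the PT_INTERP path. The function names and the two header-only sample images are constructed for illustration; pass a real path (for example the freshly built zsh) as the first argument to inspect an actual binary.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3   # e_type: fixed-address executable vs. PIE/shared object
PT_INTERP = 3            # program header that names the run-time linker


def inspect_elf64(data):
    """Return {'pie': bool, 'interp': str or None} for a little-endian ELF64 image."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    info = {"pie": e_type == ET_DYN, "interp": None}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 56 > len(data):
            raise ValueError("truncated program header table")
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_INTERP:
            raw = data[p_offset:p_offset + p_filesz]
            info["interp"] = raw.split(b"\0")[0].decode("ascii", "replace")
    return info


def build_sample(e_type, interp=None):
    """Constructed header-only ELF64 image for the demo; it is not a runnable program."""
    blob = interp.encode() + b"\0" if interp else b""
    phdrs = b""
    if interp:  # one PT_INTERP entry whose string sits right after the table
        phdrs = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 64 + 56, 0, 0, len(blob), len(blob), 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                              64, 56, 1 if interp else 0, 0, 0, 0)
    return hdr + phdrs + blob


if __name__ == "__main__":
    if len(sys.argv) > 1:   # inspect a real file, e.g. the freshly linked zsh
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], inspect_elf64(fh.read()))
    else:                   # constructed samples
        print("pie sample    ", inspect_elf64(build_sample(ET_DYN, "/libexec/ld.elf_so")))
        print("non-pie sample", inspect_elf64(build_sample(ET_EXEC)))
```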

