1 |
Kirby Walborn <kirby@×××××××××××××.com> posted |
2 |
44895C73.7090207@×××××××××××××.com, excerpted below, on Fri, 09 Jun 2006 |
3 |
05:33:07 -0600: |
4 |
|
5 |
> I see you have some ldflags listed. Where can a person find information |
6 |
> on these. I've tried to google around about them and haven't had much |
7 |
> luck trying to figure it out. |
8 |
> |
9 |
> BTW my cflags are: |
10 |
> |
11 |
> CFLAGS="-march=k8 -Os -pipe -fomit-frame-pointer -frename-registers - |
12 |
> -funit-at-a-time -fweb -freorder-blocks -freorder-blocks-and-partition - |
13 |
> -ftree-pre -fmerge-all-constants" |
14 |
> CXXFLAGS="-march=k8 -Os -pipe -fomit-frame-pointer -frename-registers - |
15 |
> -funit-at-a-time -fweb -freorder-blocks -ftree-pre -fmerge-all-constants" |
16 |
> |
17 |
> Duncan mentioned these a while ago and I used them with no problems. But I |
18 |
> was curious about ldflags if anybody has pointers. |
19 |
|
20 |
I noticed they looked familiar. =8^) |
21 |
|
22 |
The only ldflags I use are: |
23 |
|
24 |
LDFLAGS="-Wl,-z,now" |
25 |
|
26 |
If you pay attention to your emerge output, you will have likely seen |
27 |
warnings about various SETUID/SETGID applications, where the ebuild hasn't |
28 |
set this flag. It's a minor security issue for these apps, as one attack |
29 |
vector would be preloading an exploitable library into an otherwise safe |
30 |
SETUID/SETGID app run as root, then exploiting the hole in the library to |
31 |
run your choice of malware -- as root! Obviously, this isn't a huge issue |
32 |
on a system where all the human users have root access anyway, but those |
33 |
running hardened systems (note that Gentoo-hardened has a slightly |
34 |
different solution in their hardened-patched gcc that does the same thing, |
35 |
a slightly different way) will be interested, and the flag is a good idea |
36 |
for SETGID/SETUID executables even on single-human-user systems, as it |
37 |
shrinks the potential exposure to crackers and malware, helping keep Linux |
38 |
from becoming another MSWormOS. |
39 |
|
40 |
What the flag actually does is cause the resolution of all called |
41 |
routines up front at application load time, thus triggering the |
42 |
immediate load of all required dynamic-load libraries they are in, rather |
43 |
than leaving some of them to "lazy load" later, as they are actually |
44 |
needed. |
45 |
|
46 |
Other than the security aspect for SETGID/UID, this has the effect on |
47 |
all apps of increasing the initial load time of apps somewhat, as the |
48 |
various libraries are all loaded and linked in, resolving the various |
49 |
stubs into the full routines. Memory use can also be slightly higher, |
50 |
where libraries are loaded that otherwise wouldn't be, because the part of |
51 |
the application that uses them never happens to be run in that particular |
52 |
session. However, over time, they'd likely be loaded by some app or |
53 |
another anyway, so the practical effect isn't much more than increasing |
54 |
the initial load time slightly, at the same time increasing responsiveness |
55 |
later, when the app would otherwise have to load that library off of disk |
56 |
or at least load it into its memory space (if it's already in memory |
57 |
generally) and fully resolve the call triggering the load. |
58 |
|
59 |
Completely resolving at load time the calls that would otherwise be |
60 |
resolved as needed also has a debugging/troubleshooting effect. Any |
61 |
failed resolutions happen right away, at application load, rather than |
62 |
later. This is one of the reasons I like it, as if it's possible, I much |
63 |
prefer the failure up front to having it occur after I've spent some time |
64 |
with the app and possibly have unsaved work. |
65 |
|
66 |
So basically... it's not so much an optimization as a configuring my |
67 |
system to work the way I prefer it to work. I prefer to front-end load |
68 |
the library loading and routine resolution process, and know right away if |
69 |
there is a problem. I prefer waiting a half-second or so longer at |
70 |
application load time to a pause later. On tight memory systems, the |
71 |
additional memory use might be significant, but it certainly wasn't when I |
72 |
had a gig of memory (I've since upgraded to eight). Note that if the |
73 |
memory is needed for something else and the library hasn't been used, that |
74 |
memory will be flushed to swap along with other non-actively used memory, |
75 |
so it's not as if it should be a big problem for most even with a half a |
76 |
gig of memory, tho below that, I'd not recommend it. |
77 |
|
78 |
Problems? None I've found with one SIGNIFICANT exception, but I deal with |
79 |
it. The exception is modular-X, specifically xorg-server and certain |
80 |
xf86-video-* drivers (among them -ati, which I use, but also a via driver |
81 |
IIRC and there may be others). The problem is that for years, as xfree86 |
82 |
and xorg before it went modular, these things used a build and module load |
83 |
system that encouraged seriously interlocking dependencies, and these |
84 |
haven't been fully ironed out as yet. Various modules depend on functions |
85 |
from other modules, which in turn depend on functions in the first |
86 |
modules, so it's impossible to create a load order that resolves all |
87 |
function dependencies as they are loaded. Resolution of certain |
88 |
dependencies MUST be put off until later, to load the first module, so the |
89 |
second one, that requires the first, can load, thereby resolving the stubs |
90 |
in the first one as well. After they are all loaded, everything is |
91 |
resolved, but they are so interdependent that there is no order |
92 |
they can be loaded in without at least a couple (temporarily) unresolved |
93 |
symbols, so forcing all symbols to be resolved immediately simply doesn't |
94 |
work, and X will fail to start with an error about unresolved symbols. |
95 |
|
96 |
There are two possible fixes. One is to simply remember which packages |
97 |
won't work (simple since it's just two), and always either comment out |
98 |
your LDFLAGS line before merging them, or use |
99 |
|
100 |
LDFLAGS="" emerge xorg-server |
101 |
|
102 |
(and the same for xf86-drivers-ati or whatever your video driver is). The |
103 |
second is to add a simple filter-ldflags call to the ebuild's |
104 |
package_setup() function. Here's the patch I filed for xorg-server: |
105 |
|
106 |
--- xorg-server-1.0.99.903.ebuild 2006-05-13 08:36:22.000000000 -0700 |
107 |
+++ xorg-server-1.0.99.903.ebuild.new 2006-05-14 03:57:03.000000000 -0700 |
108 |
@@ -519,6 +519,9 @@ pkg_setup() { |
109 |
# (#121394) Causes window corruption |
110 |
filter-flags -fweb |
111 |
|
112 |
+ # (#116698) breaks loading |
113 |
+ filter-ldflags -Wl,-z,now |
114 |
+ |
115 |
# Nothing else provides new enough glxtokens.h |
116 |
ewarn "Forcing on xorg-x11 for new enough glxtokens.h..." |
117 |
OLD_IMPLEM="$(eselect opengl show)" |
118 |
|
119 |
You'll notice the bug number listed, but here's a link: |
120 |
|
121 |
http://bugs.gentoo.org/show_bug.cgi?id=116698 |
122 |
|
123 |
If nothing else, it makes for interesting reading (for those into this |
124 |
sort of thing <g>), with further links to the hardened bug it was |
125 |
originally called a duplicate of, and to a related discussion on the |
126 |
gentoo-devel list. My main point was that while it's one thing to say |
127 |
"don't use those flags then", it's quite another to say that when portage |
128 |
itself is saying to use them, when merging that very package! When |
129 |
those only following the instructions output by portage when merging a |
130 |
package end up with a broken installation as a result, the ebuild |
131 |
shouldn't be cleared for stabilization (a certain amount of such things |
132 |
might be expected in ~arch, but not for stable). The bug, BTW, is marked |
133 |
resolved/fixed, altho the fix to the ebuild wasn't quite the same as my |
134 |
suggested patch and I've not yet verified that it indeed totally solves |
135 |
the problem, as I had with my patch. |
136 |
|
137 |
Anyway, since the ldflags I use cause can cause occasional problems, and |
138 |
aren't much more than a personal preference thing with real tradeoffs even |
139 |
when they work, it's not something I can recommend, but it's something |
140 |
that works for me, and since you asked about what people had for their |
141 |
ldflags and why, I thought I'd answer. |
142 |
|
143 |
As for other LDFLAGS, I too haven't found a lot on them. Since I |
144 |
believe the advice elsewhere to only use them if you know what you are |
145 |
doing, and I don't know enough about any others to be confident using |
146 |
them, I don't. |
147 |
|
148 |
|
149 |
|
150 |
-- |
151 |
Duncan - List replies preferred. No HTML msgs. |
152 |
"Every nonfree program has a lord, a master -- |
153 |
and if you use the program, he is your master." Richard Stallman |
154 |
|
155 |
-- |
156 |
gentoo-amd64@g.o mailing list |