pageexec@××××××××.hu wrote:
> On 21 Dec 2009 at 9:38, basile wrote:
>
>> Tobias Klein from trapkit.de was kind enough to allow us to bundle his
>> checksec.sh script which tests system binaries or running processes for
>> relro, ssp, nx, pie and aslr. Every binary shows these hardening
>> features enabled except X and evolution which have only partial relro.
>> A comparison of a running Tin Hat system and a running Ubuntu system can
>> be seen at
>>
>> http://opensource.dyc.edu/sites/default/files/karmic-checksec.txt
>> http://opensource.dyc.edu/sites/default/files/tinhat-checksec.txt
>>
>
> what are the causes for the partial RELRO results?
>
Because of some circular dependencies in its libraries, evolution has to
be linked with -z,lazy. If you use -z,now, the resulting binaries don't
work. It's a known problem which upstream promises will be fixed in
evolution-3.x

I don't know the story why X fails with -z,now, but Magnus (aka Zorry)
told me of a patch on one of the overlays which fixes this. I will test.

--

Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
USA

(716) 829-8197