oss-sec mailing list archives
Re: Multiple libraries privilege checking
From: Solar Designer <solar () openwall com>
Date: Thu, 19 May 2011 00:45:23 +0400
On Tue, May 17, 2011 at 01:18:33PM +0200, Sebastian Krahmer wrote:
> I uploaded an openssl-1.0.0d patch to http://suse.de/~krahmer/libs-vs-fscaps
Thank you!
> The preferred way is to check the dumpable flag via prctl() which is detected by the config script.
This is fail-open (at build time). If the -e "/usr/include/sys/prctl.h" check somehow fails, we silently get an insecure build.

Of course, risks of this nature are extremely common, but we're trying to deal with them. In our package of rpm, we have the configure-presets script, which looks like:

#!/bin/sh
# These autoconf variables are predefined to harden configure checks for
# security sensitive functions, and to speedup configure checks for
# most popular functions.
export ac_cv_func_alloca=yes
export ac_cv_func_asprintf=yes
export ac_cv_func_atexit=yes
export ac_cv_func_bcopy=yes
export ac_cv_func_dcgettext=yes
export ac_cv_func_fchdir=yes
...
export ac_cv_func_utimes=yes
export ac_cv_func_vasprintf=yes
export ac_cv_func_vfork=yes
export ac_cv_func_vprintf=yes
export ac_cv_func_vsnprintf=yes
export ac_cv_func_waitpid=yes
export ac_cv_func_wcslen=yes
export ac_cv_func_wcwidth=yes

This script is sourced in our %___build_pre macro.

Maybe you should simply drop the -e "/usr/include/sys/prctl.h" check, leaving only the $target =~ /^linux/i check?

Thanks again,

Alexander
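
Added example, not part of the original message or of the patch it discusses: a shell sketch of the fail-open header probe described above beside the target-only check the reply suggests, plus a packaging-side audit of the resulting flags. The macro name HAVE_PRCTL_DUMPABLE and all function names are hypothetical, and the include directory is constructed for the demo.

```shell
#!/bin/sh
# Added illustration. HARDEN_DEFINE and every function name are hypothetical.
HARDEN_DEFINE="-DHAVE_PRCTL_DUMPABLE"   # placeholder macro name, not from the patch

is_linux() {   # shell rendering of: $target =~ /^linux/i
    case $1 in [Ll][Ii][Nn][Uu][Xx]*) return 0 ;; esac
    return 1
}

# Fail-open: the define depends on a header probe. If the probe fails for
# any reason, the build proceeds without the check and nobody is told.
flags_fail_open() {   # $1 = target, $2 = include directory
    if is_linux "$1" && [ -e "$2/sys/prctl.h" ]; then
        echo "$HARDEN_DEFINE"
    fi
    return 0
}

# Fail-closed: decide on the target alone. Assuming the guarded code
# includes sys/prctl.h, a missing header then stops the compile instead
# of silently dropping the check.
flags_fail_closed() {   # $1 = target
    if is_linux "$1"; then echo "$HARDEN_DEFINE"; fi
    return 0
}

# Packaging-side audit: refuse a Linux build whose flags lack the define.
audit_flags() {   # $1 = target, $2 = compiler flags
    is_linux "$1" || return 0
    case " $2 " in *" $HARDEN_DEFINE "*) return 0 ;; esac
    echo "error: $1 build lacks $HARDEN_DEFINE" >&2
    return 1
}

# Constructed demo: an empty include directory, so the header probe fails.
demo_dir=$(mktemp -d)
open=$(flags_fail_open linux-x86_64 "$demo_dir")
closed=$(flags_fail_closed linux-x86_64)
audit_flags linux-x86_64 "$open" 2>/dev/null || echo "fail-open build rejected by audit"
audit_flags linux-x86_64 "$closed" && echo "fail-closed build passes audit"
rm -rf "$demo_dir"
```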