Jacob Appelbaum <jacob@xxxxxxxxxxxxx> wrote Fri, 07 May 2010 15:15:07 +0200:

| ./autogen.sh && ./configure --enable-gcc-warnings --enable-gcc-hardening
| --enable-linker-hardening && make && sudo make install

I can report that this works well on NetBSD (5.0.2) @ i386 as well.
I'm using gcc 4.1.3, the one shipped with NetBSD.

| The end result on Debian Lenny is a slightly hardened build when checked
| with checksec.sh[0].
|
| This is weasel's build on my x86 machine:
| RELRO           STACK CANARY      NX            PIE
| Partial RELRO   Canary found      NX enabled    PIE enabled
|
| This is a build with my new options on the same machine:
| RELRO           STACK CANARY      NX            PIE
| Full RELRO      Canary found      NX enabled    PIE enabled
|
| This is a build without my new options on the same machine:
| RELRO           STACK CANARY      NX            PIE
| No RELRO        No canary found   NX enabled    No PIE

My observations are as follows.

- I see the GNU_RELRO header but not the BIND_NOW header. This would
  have been displayed by checksec.sh as "Partial RELRO".
- Canary is found.
- I don't see GNU_STACK so NX is not there.
- PIE is enabled

| This seems like a useful improvement for people building from source.

Indeed. Thanks!

I'll look into why BIND_NOW and GNU_STACK aren't present. Do you have
any ideas?
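
The header checks discussed in this message, as an added example that is not part of the original e-mail and is not checksec.sh's own code: a shell function that classifies RELRO, canary, NX and PIE from `readelf -W -h -l -d -s` output. The function name `classify_hardening`, its output format, the separate "no-GNU_STACK" state and both readelf excerpts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `readelf -W -h -l -d -s <binary>` output on stdin and
# prints one summary line. State names and output format are this example's own.
classify_hardening() {
    out=$(cat)
    has() { printf '%s\n' "$out" | grep -q -- "$1"; }

    # RELRO: a GNU_RELRO segment alone is partial; BIND_NOW makes it full.
    if has 'GNU_RELRO'; then
        if has 'BIND_NOW'; then relro=full; else relro=partial; fi
    else
        relro=none
    fi

    # Canary: binaries built with stack protection reference __stack_chk_fail.
    if has '__stack_chk_fail'; then canary=found; else canary=none; fi

    # NX: keep "header absent" apart from "header present and executable".
    stack=$(printf '%s\n' "$out" | grep 'GNU_STACK' || true)
    case "$stack" in
        '')    nx=no-GNU_STACK ;;
        *RWE*) nx=disabled ;;
        *)     nx=enabled ;;
    esac

    # PIE: position-independent executables have ELF type DYN.
    if has 'Type:.*DYN'; then pie=enabled; else pie=none; fi

    echo "RELRO=$relro CANARY=$canary NX=$nx PIE=$pie"
}

# Constructed readelf excerpt shaped like the NetBSD observation above:
# GNU_RELRO present, no BIND_NOW, no GNU_STACK, canary symbol, type DYN.
SAMPLE_NETBSD='  Type:                              DYN (Shared object file)
  LOAD           0x000000 0x00000000 0x00000000 0x1a2b0 0x1a2b0 R E 0x1000
  GNU_RELRO      0x01ae00 0x0001be00 0x0001be00 0x00200 0x00200 R   0x1
 0x00000001 (NEEDED)                     Shared library: [libc.so.12]
    12: 00000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail'

# Same excerpt with the two entries a fully hardened build would add.
SAMPLE_FULL="$SAMPLE_NETBSD
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
 0x00000018 (BIND_NOW)"

printf '%s\n' "$SAMPLE_NETBSD" | classify_hardening
printf '%s\n' "$SAMPLE_FULL" | classify_hardening
```

Against a real build, pipe `readelf -W -h -l -d -s` for the installed binary into `classify_hardening` and compare the result with the configure options used.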