_FORTIFY_SOURCE defined to 2, building with -fstack-protector
and linking with -zrelro, where supported.
+ --enable-pie
+ Build sudo and related programs as as a position independent
+ executables (PIE). This improves the effectiveness of address
+ space layout randomization (ASLR) on systems that support it.
+ Sudo will create PIE binaries by default on Linux systems.
+
+ --disable-pie
+ Disable the creation of position independent executables (PIE),
+ even if the compiler creates PIE binaries by default. This
+ option may be needed on some Linux systems where PIE binaries
+ are not fully supported.
+
--disable-rpath
By default, configure will use -Rpath in addition to -Lpath
when passing library paths to the loader. This option will
disable the use of -Rpath.
- --disable-pie
- Disable the creation of position independent executables (PIE)
- even when the compiler and linker support them.
- By default, sudo will be built as a PIE where possible.
-
--disable-shared
Disable dynamic shared object support. By default, sudo
is built with a plugin API capable of loading arbitrary
as out of date on Linux systems where the change time on the
pseudo-tty device node can change after it is allocated.
+ * Sudo now only builds Position Independent Executables (PIE)
+ by default on Linux systems and verifies that a trivial test
+ program builds and runs.
+
What's new in Sudo 1.8.6p8?
* Terminal detection now works properly on 64-bit AIX kernels.
# Check whether --enable-pie was given.
if test "${enable_pie+set}" = set; then :
enableval=$enable_pie;
-else
- enable_pie=yes
fi
CHECKSHADOW="false"
test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
: ${with_logincap='maybe'}
- # PIE is broken on FreeBSD/ia64
- case "$host_cpu" in
- arm*|ia64*)
- enable_pie=no;;
- esac
;;
*-*-*openbsd*)
# OpenBSD-specific initialization
fi
if test -n "$GCC"; then
- if test "$enable_pie" = "no"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-pie" >&5
+ if test -z "$enable_pie"; then
+ case "$host_os" in
+ linux*)
+ # Attempt to build with PIE support
+ enable_pie="maybe"
+ ;;
+ esac
+ fi
+ if test -n "$enable_pie"; then
+ if test "$enable_pie" = "no"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-pie" >&5
$as_echo_n "checking whether C compiler accepts -fno-pie... " >&6; }
if ${ax_cv_check_cflags___fno_pie+:} false; then :
$as_echo_n "(cached) " >&6
$as_echo "$ax_cv_check_cflags___fno_pie" >&6; }
if test x"$ax_cv_check_cflags___fno_pie" = xyes; then :
- _CFLAGS="$CFLAGS"
- CFLAGS="$CFLAGS -fno-pie"
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -nopie" >&5
+ _CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -fno-pie"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -nopie" >&5
$as_echo_n "checking whether the linker accepts -nopie... " >&6; }
if ${ax_cv_check_ldflags___nopie+:} false; then :
$as_echo_n "(cached) " >&6
$as_echo "$ax_cv_check_ldflags___nopie" >&6; }
if test x"$ax_cv_check_ldflags___nopie" = xyes; then :
- PIE_CFLAGS="-fno-pie"
- PIE_LDFLAGS="-nopie"
+ PIE_CFLAGS="-fno-pie"
+ PIE_LDFLAGS="-nopie"
else
:
fi
- CFLAGS="$_CFLAGS"
+ CFLAGS="$_CFLAGS"
else
:
fi
- else
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fPIE" >&5
+ else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fPIE" >&5
$as_echo_n "checking whether C compiler accepts -fPIE... " >&6; }
if ${ax_cv_check_cflags___fPIE+:} false; then :
$as_echo_n "(cached) " >&6
$as_echo "$ax_cv_check_cflags___fPIE" >&6; }
if test x"$ax_cv_check_cflags___fPIE" = xyes; then :
- _CFLAGS="$CFLAGS"
- CFLAGS="$CFLAGS -fPIE"
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -pie" >&5
+ _CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -fPIE"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -pie" >&5
$as_echo_n "checking whether the linker accepts -pie... " >&6; }
if ${ax_cv_check_ldflags___pie+:} false; then :
$as_echo_n "(cached) " >&6
$as_echo "$ax_cv_check_ldflags___pie" >&6; }
if test x"$ax_cv_check_ldflags___pie" = xyes; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working PIE support" >&5
+ if test "$enable_pie" = "maybe"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working PIE support" >&5
$as_echo_n "checking for working PIE support... " >&6; }
if ${sudo_cv_working_pie+:} false; then :
$as_echo_n "(cached) " >&6
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_working_pie" >&5
$as_echo "$sudo_cv_working_pie" >&6; }
if test $sudo_cv_working_pie = yes; then :
-
- PIE_CFLAGS="-fPIE"
- PIE_LDFLAGS="-Wc,-fPIE -pie"
-
+ enable_pie=yes
fi
+ fi
+ if test "$enable_pie" = "yes"; then
+ PIE_CFLAGS="-fPIE"
+ PIE_LDFLAGS="-Wc,-fPIE -pie"
+ fi
else
:
fi
- CFLAGS="$_CFLAGS"
+ CFLAGS="$_CFLAGS"
else
:
fi
+ fi
fi
fi
[], [enable_hardening=yes])
AC_ARG_ENABLE(pie,
-[AS_HELP_STRING([--disable-pie], [Do not build position independent executables, even if the compiler/linker supports them])],
-[], [enable_pie=yes])
+[AS_HELP_STRING([--enable-pie], [Build sudo as a position independent executable.])])
AC_ARG_ENABLE(admin-flag,
[AS_HELP_STRING([--enable-admin-flag], [Whether to create a Ubuntu-style admin flag file])],
CHECKSHADOW="false"
test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
: ${with_logincap='maybe'}
- # PIE is broken on FreeBSD/ia64
- case "$host_cpu" in
- arm*|ia64*)
- enable_pie=no;;
- esac
;;
*-*-*openbsd*)
# OpenBSD-specific initialization
dnl This test relies on AC_LANG_WERROR
dnl
if test -n "$GCC"; then
- if test "$enable_pie" = "no"; then
- AX_CHECK_COMPILE_FLAG([-fno-pie], [
- _CFLAGS="$CFLAGS"
- CFLAGS="$CFLAGS -fno-pie"
- AX_CHECK_LINK_FLAG([-nopie], [
- PIE_CFLAGS="-fno-pie"
- PIE_LDFLAGS="-nopie"
+ if test -z "$enable_pie"; then
+ case "$host_os" in
+ linux*)
+ # Attempt to build with PIE support
+ enable_pie="maybe"
+ ;;
+ esac
+ fi
+ if test -n "$enable_pie"; then
+ if test "$enable_pie" = "no"; then
+ AX_CHECK_COMPILE_FLAG([-fno-pie], [
+ _CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -fno-pie"
+ AX_CHECK_LINK_FLAG([-nopie], [
+ PIE_CFLAGS="-fno-pie"
+ PIE_LDFLAGS="-nopie"
+ ])
+ CFLAGS="$_CFLAGS"
])
- CFLAGS="$_CFLAGS"
- ])
- else
- AX_CHECK_COMPILE_FLAG([-fPIE], [
- _CFLAGS="$CFLAGS"
- CFLAGS="$CFLAGS -fPIE"
- AX_CHECK_LINK_FLAG([-pie], [
- SUDO_WORKING_PIE([
- PIE_CFLAGS="-fPIE"
- PIE_LDFLAGS="-Wc,-fPIE -pie"
- ], [])
+ else
+ AX_CHECK_COMPILE_FLAG([-fPIE], [
+ _CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -fPIE"
+ AX_CHECK_LINK_FLAG([-pie], [
+ if test "$enable_pie" = "maybe"; then
+ SUDO_WORKING_PIE([enable_pie=yes], [])
+ fi
+ if test "$enable_pie" = "yes"; then
+ PIE_CFLAGS="-fPIE"
+ PIE_LDFLAGS="-Wc,-fPIE -pie"
+ fi
+ ])
+ CFLAGS="$_CFLAGS"
])
- CFLAGS="$_CFLAGS"
- ])
+ fi
fi
fi
Q) Sudo configures and builds without error but when I run it I get
a Segmentation fault.
-A) The first thing to try is to run configure with the --disable-pie
- option, then "make clean" and "make". If that fixes the problem
- then your operating system does not support position independent
- executables, even though the compiler appears to support them.
- If the problem persists, please send a message to sudo-users@sudo.ws
- for assistance.
+A) If you are on a Linux system, the first thing to try is to run
+ configure with the --disable-pie option, then "make clean" and
+ "make". If that fixes the problem then your operating system
+ does not properly support position independent executables.
+ Please send a message to sudo@sudo.ws with system details such
+ as the Linux distro, kernel version and CPU architecture.
Q) When I run configure I get the following error:
dlopen present but libtool doesn't appear to support your platform.
projects / sudo / commitdiff