From: Todd C. Miller Date: Tue, 28 May 2013 18:40:45 +0000 (-0400) Subject: Restrict default creation of PIE binaries (-fPIE and -pie) to Linux. X-Git-Tag: SUDO_1_8_7~1^2~3 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=67d8af4be5c2ede9ba7591e6b7765f570bee2190;p=sudo Restrict default creation of PIE binaries (-fPIE and -pie) to Linux. OpenBSD also supports PIE but enables it by default so we don't need to do anything. This fixes problems on systems with a version of GNU ld that accepts -pie but where the run-time linker doesn't actually support PIE. Also verify that a trivial PIE binary works unless PIE is explicitly enabled. --- diff --git a/INSTALL b/INSTALL index aca0690ae..bd05979fa 100644 --- a/INSTALL +++ b/INSTALL @@ -138,16 +138,23 @@ Compilation options: _FORTIFY_SOURCE defined to 2, building with -fstack-protector and linking with -zrelro, where supported. + --enable-pie + Build sudo and related programs as as a position independent + executables (PIE). This improves the effectiveness of address + space layout randomization (ASLR) on systems that support it. + Sudo will create PIE binaries by default on Linux systems. + + --disable-pie + Disable the creation of position independent executables (PIE), + even if the compiler creates PIE binaries by default. This + option may be needed on some Linux systems where PIE binaries + are not fully supported. + --disable-rpath By default, configure will use -Rpath in addition to -Lpath when passing library paths to the loader. This option will disable the use of -Rpath. - --disable-pie - Disable the creation of position independent executables (PIE) - even when the compiler and linker support them. - By default, sudo will be built as a PIE where possible. - --disable-shared Disable dynamic shared object support. By default, sudo is built with a plugin API capable of loading arbitrary diff --git a/NEWS b/NEWS index a52a5d9cf..bae1c688e 100644 --- a/NEWS +++ b/NEWS @@ -103,6 +103,10 @@ What's new in Sudo 1.8.7? as out of date on Linux systems where the change time on the pseudo-tty device node can change after it is allocated. + * Sudo now only builds Position Independent Executables (PIE) + by default on Linux systems and verifies that a trivial test + program builds and runs. + What's new in Sudo 1.8.6p8? * Terminal detection now works properly on 64-bit AIX kernels. diff --git a/configure b/configure index 7f2440004..3df050948 100755 --- a/configure +++ b/configure @@ -5655,8 +5655,6 @@ fi # Check whether --enable-pie was given. if test "${enable_pie+set}" = set; then : enableval=$enable_pie; -else - enable_pie=yes fi @@ -14528,11 +14526,6 @@ done CHECKSHADOW="false" test -z "$with_pam" && AUTH_EXCL_DEF="PAM" : ${with_logincap='maybe'} - # PIE is broken on FreeBSD/ia64 - case "$host_cpu" in - arm*|ia64*) - enable_pie=no;; - esac ;; *-*-*openbsd*) # OpenBSD-specific initialization @@ -20946,8 +20939,17 @@ $as_echo "$sudo_cv_var_hpux_ld_symbol_export" >&6; } fi if test -n "$GCC"; then - if test "$enable_pie" = "no"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-pie" >&5 + if test -z "$enable_pie"; then + case "$host_os" in + linux*) + # Attempt to build with PIE support + enable_pie="maybe" + ;; + esac + fi + if test -n "$enable_pie"; then + if test "$enable_pie" = "no"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fno-pie" >&5 $as_echo_n "checking whether C compiler accepts -fno-pie... " >&6; } if ${ax_cv_check_cflags___fno_pie+:} false; then : $as_echo_n "(cached) " >&6 @@ -20978,9 +20980,9 @@ fi $as_echo "$ax_cv_check_cflags___fno_pie" >&6; } if test x"$ax_cv_check_cflags___fno_pie" = xyes; then : - _CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -fno-pie" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -nopie" >&5 + _CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -fno-pie" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -nopie" >&5 $as_echo_n "checking whether the linker accepts -nopie... " >&6; } if ${ax_cv_check_ldflags___nopie+:} false; then : $as_echo_n "(cached) " >&6 @@ -21012,21 +21014,21 @@ fi $as_echo "$ax_cv_check_ldflags___nopie" >&6; } if test x"$ax_cv_check_ldflags___nopie" = xyes; then : - PIE_CFLAGS="-fno-pie" - PIE_LDFLAGS="-nopie" + PIE_CFLAGS="-fno-pie" + PIE_LDFLAGS="-nopie" else : fi - CFLAGS="$_CFLAGS" + CFLAGS="$_CFLAGS" else : fi - else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fPIE" >&5 + else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fPIE" >&5 $as_echo_n "checking whether C compiler accepts -fPIE... " >&6; } if ${ax_cv_check_cflags___fPIE+:} false; then : $as_echo_n "(cached) " >&6 @@ -21057,9 +21059,9 @@ fi $as_echo "$ax_cv_check_cflags___fPIE" >&6; } if test x"$ax_cv_check_cflags___fPIE" = xyes; then : - _CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -fPIE" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -pie" >&5 + _CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -fPIE" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -pie" >&5 $as_echo_n "checking whether the linker accepts -pie... " >&6; } if ${ax_cv_check_ldflags___pie+:} false; then : $as_echo_n "(cached) " >&6 @@ -21091,7 +21093,8 @@ fi $as_echo "$ax_cv_check_ldflags___pie" >&6; } if test x"$ax_cv_check_ldflags___pie" = xyes; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working PIE support" >&5 + if test "$enable_pie" = "maybe"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working PIE support" >&5 $as_echo_n "checking for working PIE support... " >&6; } if ${sudo_cv_working_pie+:} false; then : $as_echo_n "(cached) " >&6 @@ -21120,22 +21123,25 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_working_pie" >&5 $as_echo "$sudo_cv_working_pie" >&6; } if test $sudo_cv_working_pie = yes; then : - - PIE_CFLAGS="-fPIE" - PIE_LDFLAGS="-Wc,-fPIE -pie" - + enable_pie=yes fi + fi + if test "$enable_pie" = "yes"; then + PIE_CFLAGS="-fPIE" + PIE_LDFLAGS="-Wc,-fPIE -pie" + fi else : fi - CFLAGS="$_CFLAGS" + CFLAGS="$_CFLAGS" else : fi + fi fi fi diff --git a/configure.in b/configure.in index 0cde2c3bf..570169b7f 100644 --- a/configure.in +++ b/configure.in @@ -1383,8 +1383,7 @@ AC_ARG_ENABLE(hardening, [], [enable_hardening=yes]) AC_ARG_ENABLE(pie, -[AS_HELP_STRING([--disable-pie], [Do not build position independent executables, even if the compiler/linker supports them])], -[], [enable_pie=yes]) +[AS_HELP_STRING([--enable-pie], [Build sudo as a position independent executable.])]) AC_ARG_ENABLE(admin-flag, [AS_HELP_STRING([--enable-admin-flag], [Whether to create a Ubuntu-style admin flag file])], @@ -1909,11 +1908,6 @@ case "$host" in CHECKSHADOW="false" test -z "$with_pam" && AUTH_EXCL_DEF="PAM" : ${with_logincap='maybe'} - # PIE is broken on FreeBSD/ia64 - case "$host_cpu" in - arm*|ia64*) - enable_pie=no;; - esac ;; *-*-*openbsd*) # OpenBSD-specific initialization @@ -3432,28 +3426,41 @@ dnl Check for PIE executable support if using gcc. dnl This test relies on AC_LANG_WERROR dnl if test -n "$GCC"; then - if test "$enable_pie" = "no"; then - AX_CHECK_COMPILE_FLAG([-fno-pie], [ - _CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -fno-pie" - AX_CHECK_LINK_FLAG([-nopie], [ - PIE_CFLAGS="-fno-pie" - PIE_LDFLAGS="-nopie" + if test -z "$enable_pie"; then + case "$host_os" in + linux*) + # Attempt to build with PIE support + enable_pie="maybe" + ;; + esac + fi + if test -n "$enable_pie"; then + if test "$enable_pie" = "no"; then + AX_CHECK_COMPILE_FLAG([-fno-pie], [ + _CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -fno-pie" + AX_CHECK_LINK_FLAG([-nopie], [ + PIE_CFLAGS="-fno-pie" + PIE_LDFLAGS="-nopie" + ]) + CFLAGS="$_CFLAGS" ]) - CFLAGS="$_CFLAGS" - ]) - else - AX_CHECK_COMPILE_FLAG([-fPIE], [ - _CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -fPIE" - AX_CHECK_LINK_FLAG([-pie], [ - SUDO_WORKING_PIE([ - PIE_CFLAGS="-fPIE" - PIE_LDFLAGS="-Wc,-fPIE -pie" - ], []) + else + AX_CHECK_COMPILE_FLAG([-fPIE], [ + _CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -fPIE" + AX_CHECK_LINK_FLAG([-pie], [ + if test "$enable_pie" = "maybe"; then + SUDO_WORKING_PIE([enable_pie=yes], []) + fi + if test "$enable_pie" = "yes"; then + PIE_CFLAGS="-fPIE" + PIE_LDFLAGS="-Wc,-fPIE -pie" + fi + ]) + CFLAGS="$_CFLAGS" ]) - CFLAGS="$_CFLAGS" - ]) + fi fi fi diff --git a/doc/TROUBLESHOOTING b/doc/TROUBLESHOOTING index ee253d844..328b37ed0 100644 --- a/doc/TROUBLESHOOTING +++ b/doc/TROUBLESHOOTING @@ -276,12 +276,12 @@ A) AIX's Enhanced RBAC is preventing sudo from running. To fix Q) Sudo configures and builds without error but when I run it I get a Segmentation fault. -A) The first thing to try is to run configure with the --disable-pie - option, then "make clean" and "make". If that fixes the problem - then your operating system does not support position independent - executables, even though the compiler appears to support them. - If the problem persists, please send a message to sudo-users@sudo.ws - for assistance. +A) If you are on a Linux system, the first thing to try is to run + configure with the --disable-pie option, then "make clean" and + "make". If that fixes the problem then your operating system + does not properly support position independent executables. + Please send a message to sudo@sudo.ws with system details such + as the Linux distro, kernel version and CPU architecture. Q) When I run configure I get the following error: dlopen present but libtool doesn't appear to support your platform.