From 8234420078ca83a64a617458386a3c2dbfa0d5b2 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 2 Jul 2012 10:12:32 -0400 Subject: [PATCH] Add configure check for building PIE executables instead of doing it in mkpkg. --HG-- branch : 1.7 --- INSTALL | 5 ++ Makefile.in | 222 ++++++++++++++++++++++++++------------------------- configure | 96 ++++++++++++++++++++++ configure.in | 22 +++++ mkpkg | 32 +------- 5 files changed, 239 insertions(+), 138 deletions(-) diff --git a/INSTALL b/INSTALL index d5c2a0b76..1a91255fc 100644 --- a/INSTALL +++ b/INSTALL @@ -637,6 +637,11 @@ The following options are also configurable at runtime: _FORTIFY_SOURCE defined to 2, building with -fstack-protector and linking with -zrelro, where supported. + --disable-pie + Disable the creation of position independent executables (PIE) + even when the compiler and linker support them. + By default, sudo will be built as a PIE where possible. + --enable-admin-flag Enable the creation of an Ubuntu-style admin flag file the first time sudo is run. diff --git a/Makefile.in b/Makefile.in index 9adb7ef7d..7d00e1217 100644 --- a/Makefile.in +++ b/Makefile.in @@ -58,6 +58,10 @@ CFLAGS = @CFLAGS@ LDFLAGS = -L. @LDFLAGS@ SUDO_LDFLAGS = @SUDO_LDFLAGS@ $(LDFLAGS) +# PIE flags +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ + # Where to install things... prefix = @prefix@ exec_prefix = @exec_prefix@ @@ -196,10 +200,10 @@ all: $(PROGS) .SUFFIXES: .o .c .h .l .y .lo .c.o: - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $< + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $< .c.lo: - $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $< + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $< libsudo.a: $(LIB_OBJS) $(COMMON_OBJS) $(AR) rv $@ $(LIB_OBJS) $(COMMON_OBJS) @@ -210,16 +214,16 @@ libz.a: $(ZLIB_OBJS) $(RANLIB) $@ sudo: libsudo.a @ZLIB_DEP@ $(SUDO_OBJS) - $(CC) -o $@ $(SUDO_OBJS) $(SUDO_LDFLAGS) -lsudo $(SUDO_LIBS) @ZLIB@ + $(CC) -o $@ $(SUDO_OBJS) $(SUDO_LDFLAGS) $(PIE_LDFLAGS) -lsudo $(SUDO_LIBS) @ZLIB@ visudo: libsudo.a $(VISUDO_OBJS) - $(CC) -o $@ $(VISUDO_OBJS) $(LDFLAGS) -lsudo $(LIBS) $(NET_LIBS) + $(CC) -o $@ $(VISUDO_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) -lsudo $(LIBS) $(NET_LIBS) sudoreplay: libsudo.a @ZLIB_DEP@ $(REPLAY_OBJS) - $(CC) -o $@ $(REPLAY_OBJS) $(LDFLAGS) -lsudo $(LIBS) @ZLIB@ + $(CC) -o $@ $(REPLAY_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) -lsudo $(LIBS) @ZLIB@ testsudoers: $(TEST_OBJS) - $(CC) -o $@ $(TEST_OBJS) $(LDFLAGS) -lsudo $(LIBS) $(NET_LIBS) + $(CC) -o $@ $(TEST_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) -lsudo $(LIBS) $(NET_LIBS) sudo_noexec.lo: $(srcdir)/sudo_noexec.c $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_noexec.c @@ -271,213 +275,213 @@ mksiglist: $(srcdir)/mksiglist.c $(srcdir)/mksiglist.h $(srcdir)/missing.h confi # Dependencies (not counting auth functions) aix.o: $(srcdir)/aix.c - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/aix.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/aix.c alias.o: $(srcdir)/alias.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(srcdir)/redblack.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/alias.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/alias.c alloc.o: $(srcdir)/alloc.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/alloc.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/alloc.c audit.o: $(srcdir)/audit.c $(SUDODEP) $(srcdir)/bsm_audit.h $(srcdir)/linux_audit.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/audit.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/audit.c boottime.o: $(srcdir)/boottime.c config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/boottime.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/boottime.c bsm_audit.o: $(srcdir)/bsm_audit.c $(SUDODEP) $(srcdir)/bsm_audit.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/bsm_audit.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/bsm_audit.c check.o: $(srcdir)/check.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/check.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/check.c closefrom.o: $(srcdir)/closefrom.c config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/closefrom.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/closefrom.c defaults.o: $(srcdir)/defaults.c $(SUDODEP) $(srcdir)/def_data.c $(authdir)/sudo_auth.h $(devdir)/gram.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/defaults.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/defaults.c env.o: $(srcdir)/env.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/env.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/env.c error.o: $(srcdir)/error.c $(srcdir)/missing.h $(srcdir)/error.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/error.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/error.c exec.o: $(srcdir)/exec.c $(SUDODEP) $(srcdir)/sudo_exec.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/exec.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/exec.c exec_pty.o: $(srcdir)/exec.c $(SUDODEP) $(srcdir)/sudo_exec.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/exec_pty.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/exec_pty.c fileops.o: $(srcdir)/fileops.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/fileops.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/fileops.c find_path.o: $(srcdir)/find_path.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/find_path.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/find_path.c fnmatch.o: $(srcdir)/fnmatch.c $(srcdir)/emul/fnmatch.h $(srcdir)/missing.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/fnmatch.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/fnmatch.c get_pty.o: $(srcdir)/get_pty.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/get_pty.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/get_pty.c getcwd.o: $(srcdir)/getcwd.c $(srcdir)/missing.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getcwd.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getcwd.c getdate.o: $(srcdir)/getdate.c $(srcdir)/missing.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getdate.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getdate.c getline.o: $(srcdir)/getline.c config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getline.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getline.c getprogname.o: $(srcdir)/getprogname.c config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getprogname.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getprogname.c getspwuid.o: $(srcdir)/getspwuid.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getspwuid.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getspwuid.c gettime.o: $(srcdir)/gettime.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/gettime.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/gettime.c glob.o: $(srcdir)/glob.c $(srcdir)/emul/glob.h $(srcdir)/missing.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/glob.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/glob.c goodpath.o: $(srcdir)/goodpath.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/goodpath.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/goodpath.c gram.o: $(devdir)/gram.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(devdir)/gram.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(devdir)/gram.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(devdir)/gram.c interfaces.o: $(srcdir)/interfaces.c $(SUDODEP) $(srcdir)/interfaces.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/interfaces.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/interfaces.c iolog.o: $(srcdir)/iolog.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/iolog.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/iolog.c isblank.o: $(srcdir)/isblank.c $(srcdir)/missing.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/isblank.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/isblank.c lbuf.o: $(srcdir)/lbuf.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/lbuf.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/lbuf.c ldap.o: $(srcdir)/ldap.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/ldap.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/ldap.c linux_audit.o: $(srcdir)/linux_audit.c $(SUDODEP) $(srcdir)/linux_audit.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/linux_audit.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/linux_audit.c list.o: $(srcdir)/list.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/list.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/list.c logging.o: $(srcdir)/logging.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/logging.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/logging.c logwrap.o: $(srcdir)/logwrap.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/logwrap.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/logwrap.c match.o: $(srcdir)/match.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(srcdir)/interfaces.h $(devdir)/gram.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/match.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/match.c memrchr.o: $(srcdir)/memrchr.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/memrchr.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/memrchr.c mkstemps.o: $(srcdir)/mkstemps.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/mkstemps.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/mkstemps.c nanosleep.o: $(srcdir)/nanosleep.c $(srcdir)/missing.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/nanosleep.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/nanosleep.c parse.o: $(srcdir)/parse.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(devdir)/gram.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/parse.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/parse.c parse_args.o: $(srcdir)/parse_args.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/parse_args.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/parse_args.c pwutil.o: $(srcdir)/pwutil.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/pwutil.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/pwutil.c redblack.o: $(srcdir)/redblack.c $(SUDODEP) $(srcdir)/redblack.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/redblack.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/redblack.c secure_path.o: $(srcdir)/secure_path.c $(SUDODEP) $(srcdir)/secure_path.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/secure_path.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/secure_path.c set_perms.o: $(srcdir)/set_perms.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/set_perms.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/set_perms.c setsid.o: $(srcdir)/setsid.c $(srcdir)/missing.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/setsid.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/setsid.c sigaction.o: $(srcdir)/sigaction.c $(srcdir)/missing.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sigaction.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sigaction.c siglist.o: siglist.c $(srcdir)/missing.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/siglist.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/siglist.c snprintf.o: $(srcdir)/snprintf.c $(srcdir)/missing.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/snprintf.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/snprintf.c strcasecmp.o: $(srcdir)/strcasecmp.c $(srcdir)/missing.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/strcasecmp.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/strcasecmp.c strerror.o: $(srcdir)/strerror.c $(srcdir)/missing.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/strerror.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/strerror.c strlcat.o: $(srcdir)/strlcat.c $(srcdir)/missing.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/strlcat.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/strlcat.c strlcpy.o: $(srcdir)/strlcpy.c $(srcdir)/missing.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/strlcpy.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/strlcpy.c strsignal.o: $(srcdir)/strsignal.c $(srcdir)/missing.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/strsignal.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/strsignal.c selinux.o: $(srcdir)/selinux.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/selinux.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/selinux.c sudo.o: $(srcdir)/sudo.c $(SUDODEP) sudo_usage.h $(srcdir)/interfaces.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo.c sudoreplay.o: $(srcdir)/sudoreplay.c $(srcdir)/alloc.h $(srcdir)/missing.h $(srcdir)/error.h $(srcdir)/missing.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudoreplay.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudoreplay.c sudo_edit.o: $(srcdir)/sudo_edit.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_edit.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_edit.c sudo_noexec.o: $(srcdir)/sudo_noexec.c $(srcdir)/missing.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_noexec.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_noexec.c sudo_nss.o: $(srcdir)/sudo_nss.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_nss.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_nss.c term.o: $(srcdir)/term.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/term.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/term.c testsudoers.o: $(srcdir)/testsudoers.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(srcdir)/interfaces.h $(devdir)/gram.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/testsudoers.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/testsudoers.c tgetpass.o: $(srcdir)/tgetpass.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/tgetpass.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/tgetpass.c ttyname.o: $(srcdir)/ttyname.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/ttyname.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/ttyname.c ttysize.o: $(srcdir)/ttysize.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/ttysize.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/ttysize.c timestr.o: $(srcdir)/timestr.c $(srcdir)/missing.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/timestr.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/timestr.c toke.o: $(devdir)/toke.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(srcdir)/toke.h $(devdir)/gram.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(devdir)/toke.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(devdir)/toke.c toke_util.o: $(srcdir)/toke_util.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(srcdir)/toke.h $(devdir)/gram.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/toke_util.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/toke_util.c tsgetgrpw.o: $(srcdir)/tsgetgrpw.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/tsgetgrpw.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/tsgetgrpw.c utimes.o: $(srcdir)/utimes.c $(srcdir)/missing.h $(srcdir)/emul/utime.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/utimes.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/utimes.c vasgroups.o: $(srcdir)/vasgroups.c $(srcdir)/nonunix.h $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/vasgroups.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/vasgroups.c visudo.o: $(srcdir)/visudo.c $(SUDODEP) $(devdir)/gram.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/visudo.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/visudo.c zero_bytes.o: $(srcdir)/zero_bytes.c $(srcdir)/missing.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/zero_bytes.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/zero_bytes.c sudo_auth.o: $(authdir)/sudo_auth.c $(AUTHDEP) $(INSDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sudo_auth.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sudo_auth.c afs.o: $(authdir)/afs.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/afs.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/afs.c aix_auth.o: $(authdir)/aix_auth.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/aix_auth.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/aix_auth.c bsdauth.o: $(authdir)/bsdauth.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/bsdauth.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/bsdauth.c dce.o: $(authdir)/dce.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/dce.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/dce.c fwtk.o: $(authdir)/fwtk.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/fwtk.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/fwtk.c kerb4.o: $(authdir)/kerb4.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/kerb4.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/kerb4.c kerb5.o: $(authdir)/kerb5.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/kerb5.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/kerb5.c pam.o: $(authdir)/pam.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/pam.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/pam.c passwd.o: $(authdir)/passwd.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/passwd.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/passwd.c rfc1938.o: $(authdir)/rfc1938.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/rfc1938.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/rfc1938.c secureware.o: $(authdir)/secureware.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/secureware.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/secureware.c securid.o: $(authdir)/securid.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/securid.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/securid.c securid5.o: $(authdir)/securid5.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/securid5.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/securid5.c sia.o: $(authdir)/sia.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c # Zlib dependencies adler32.o: $(srcdir)/zlib/zutil.h $(srcdir)/zlib/zlib.h zlib/zconf.h - $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(srcdir)/zlib/adler32.c + $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(PIE_CFLAGS) $(srcdir)/zlib/adler32.c compress.o: $(srcdir)/zlib/zlib.h zlib/zconf.h - $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(srcdir)/zlib/compress.c + $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(PIE_CFLAGS) $(srcdir)/zlib/compress.c crc32.o: $(srcdir)/zlib/zutil.h $(srcdir)/zlib/zlib.h zlib/zconf.h $(srcdir)/zlib/crc32.h - $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(srcdir)/zlib/crc32.c + $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(PIE_CFLAGS) $(srcdir)/zlib/crc32.c deflate.o: $(srcdir)/zlib/deflate.h $(srcdir)/zlib/zutil.h $(srcdir)/zlib/zlib.h zlib/zconf.h - $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(srcdir)/zlib/deflate.c + $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(PIE_CFLAGS) $(srcdir)/zlib/deflate.c gzclose.o: $(srcdir)/zlib/zlib.h zlib/zconf.h $(srcdir)/zlib/gzguts.h - $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(srcdir)/zlib/gzclose.c + $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(PIE_CFLAGS) $(srcdir)/zlib/gzclose.c gzlib.o: $(srcdir)/zlib/zlib.h zlib/zconf.h $(srcdir)/zlib/gzguts.h - $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(srcdir)/zlib/gzlib.c + $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(PIE_CFLAGS) $(srcdir)/zlib/gzlib.c gzread.o: $(srcdir)/zlib/zlib.h zlib/zconf.h $(srcdir)/zlib/gzguts.h - $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(srcdir)/zlib/gzread.c + $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(PIE_CFLAGS) $(srcdir)/zlib/gzread.c gzwrite.o: $(srcdir)/zlib/zlib.h zlib/zconf.h $(srcdir)/zlib/gzguts.h - $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(srcdir)/zlib/gzwrite.c + $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(PIE_CFLAGS) $(srcdir)/zlib/gzwrite.c infback.o: $(srcdir)/zlib/zutil.h $(srcdir)/zlib/zlib.h zlib/zconf.h $(srcdir)/zlib/inftrees.h $(srcdir)/zlib/inflate.h $(srcdir)/zlib/inffast.h $(srcdir)/zlib/inffixed.h - $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(srcdir)/zlib/infback.c + $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(PIE_CFLAGS) $(srcdir)/zlib/infback.c inffast.o: $(srcdir)/zlib/zutil.h $(srcdir)/zlib/zlib.h zlib/zconf.h $(srcdir)/zlib/inftrees.h $(srcdir)/zlib/inflate.h $(srcdir)/zlib/inffast.h - $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(srcdir)/zlib/inffast.c + $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(PIE_CFLAGS) $(srcdir)/zlib/inffast.c inflate.o: $(srcdir)/zlib/zutil.h $(srcdir)/zlib/zlib.h zlib/zconf.h $(srcdir)/zlib/inftrees.h $(srcdir)/zlib/inflate.h $(srcdir)/zlib/inffast.h $(srcdir)/zlib/inffixed.h - $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(srcdir)/zlib/inflate.c + $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(PIE_CFLAGS) $(srcdir)/zlib/inflate.c inftrees.o: $(srcdir)/zlib/zutil.h $(srcdir)/zlib/zlib.h zlib/zconf.h $(srcdir)/zlib/inftrees.h - $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(srcdir)/zlib/inftrees.c + $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(PIE_CFLAGS) $(srcdir)/zlib/inftrees.c trees.o: $(srcdir)/zlib/deflate.h $(srcdir)/zlib/zutil.h $(srcdir)/zlib/zlib.h zlib/zconf.h $(srcdir)/zlib/trees.h - $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(srcdir)/zlib/trees.c + $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(PIE_CFLAGS) $(srcdir)/zlib/trees.c uncompr.o: $(srcdir)/zlib/zlib.h zlib/zconf.h - $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(srcdir)/zlib/uncompr.c + $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(PIE_CFLAGS) $(srcdir)/zlib/uncompr.c zutil.o: $(srcdir)/zlib/zutil.h $(srcdir)/zlib/zlib.h zlib/zconf.h - $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(srcdir)/zlib/zutil.c + $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(PIE_CFLAGS) $(srcdir)/zlib/zutil.c @DEV@varsub: $(srcdir)/configure.in @DEV@ printf 's#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#/etc#g\ns#@%s@#/usr/local#g\ns#@%s@#4#g\ns#@%s@#1m#g\n' SEMAN BAMAN LCMAN sysconfdir prefix mansectform mansectsu > $@; sed -n '/Begin initial values for man page substitution/,/End initial values for man page substitution/{;p;}' $(srcdir)/configure.in | sed -e '/^#/d' -e 's/^/s#@/' -e 's/=[\\"]*/@#/' -e 's/[\\"]*$$/#g/' >> $@ diff --git a/configure b/configure index 1b6cb5abe..9ff8d9899 100755 --- a/configure +++ b/configure @@ -691,6 +691,8 @@ password_timeout timeout timedir iolog_dir +PIE_CFLAGS +PIE_LDFLAGS CONFIGURE_ARGS ZLIB_DEP ZLIB @@ -867,6 +869,7 @@ enable_env_reset enable_warnings enable_werror enable_hardening +enable_pie enable_admin_flag with_selinux enable_gss_krb5_ccache_name @@ -1529,6 +1532,8 @@ Optional Features: --enable-werror Whether to enable the -Werror compiler option --disable-hardening Do not use compiler/linker exploit mitigation options + --disable-pie Do not build position independent executables, even + if the compiler/linker supports them --enable-admin-flag Whether to create a Ubuntu-style admin flag file --enable-gss-krb5-ccache-name Use GSS-API to set the Kerberos V cred cache name @@ -2855,6 +2860,8 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;} + + @@ -5548,6 +5555,14 @@ else fi +# Check whether --enable-pie was given. +if test "${enable_pie+set}" = set; then : + enableval=$enable_pie; +else + enable_pie=yes +fi + + # Check whether --enable-admin-flag was given. if test "${enable_admin_flag+set}" = set; then : enableval=$enable_admin_flag; case "$enableval" in @@ -19845,6 +19860,87 @@ done fi +if test "$enable_pie" != "no"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fPIE" >&5 +$as_echo_n "checking whether C compiler accepts -fPIE... " >&6; } +if ${ax_cv_check_cflags___fPIE+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -fPIE" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ax_cv_check_cflags___fPIE=yes +else + ax_cv_check_cflags___fPIE=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fPIE" >&5 +$as_echo "$ax_cv_check_cflags___fPIE" >&6; } +if test x"$ax_cv_check_cflags___fPIE" = xyes; then : + + _CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -fPIE" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -pie" >&5 +$as_echo_n "checking whether the linker accepts -pie... " >&6; } +if ${ax_cv_check_ldflags___pie+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -pie" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_cv_check_ldflags___pie=yes +else + ax_cv_check_ldflags___pie=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___pie" >&5 +$as_echo "$ax_cv_check_ldflags___pie" >&6; } +if test x"$ax_cv_check_ldflags___pie" = xyes; then : + + PIE_CFLAGS="-fPIE" + PIE_LDFLAGS="-pie" + +else + : +fi + + CFLAGS="$_CFLAGS" + +else + : +fi + +fi + if test "$enable_hardening" != "no"; then ac_c_werror_flag=yes diff --git a/configure.in b/configure.in index b28630e14..53ed8919b 100644 --- a/configure.in +++ b/configure.in @@ -57,6 +57,8 @@ AC_SUBST([LOGINCAP_USAGE]) AC_SUBST([ZLIB]) AC_SUBST([ZLIB_DEP]) AC_SUBST([CONFIGURE_ARGS]) +AC_SUBST([PIE_LDFLAGS]) +AC_SUBST([PIE_CFLAGS]) dnl dnl Variables that get substituted in docs (not overridden by environment) dnl @@ -1307,6 +1309,10 @@ AC_ARG_ENABLE(hardening, [AS_HELP_STRING([--disable-hardening], [Do not use compiler/linker exploit mitigation options])], [], [enable_hardening=yes]) +AC_ARG_ENABLE(pie, +[AS_HELP_STRING([--disable-pie], [Do not build position independent executables, even if the compiler/linker supports them])], +[], [enable_pie=yes]) + AC_ARG_ENABLE(admin-flag, [AS_HELP_STRING([--enable-admin-flag], [Whether to create a Ubuntu-style admin flag file])], [ case "$enableval" in @@ -2987,6 +2993,22 @@ if test "${with_iologdir-yes}" != "no"; then ]) fi +dnl +dnl Check for PIE executable support if using gcc. +dnl This test relies on AC_LANG_WERROR +dnl +if test "$enable_pie" != "no"; then + AX_CHECK_COMPILE_FLAG([-fPIE], [ + _CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -fPIE" + AX_CHECK_LINK_FLAG([-pie], [ + PIE_CFLAGS="-fPIE" + PIE_LDFLAGS="-pie" + ]) + CFLAGS="$_CFLAGS" + ]) +fi + dnl dnl Check for -fstack-protector and -z relro support dnl This must be towards the end as it turns warnings diff --git a/mkpkg b/mkpkg index 099e851a8..b2f1ba98d 100755 --- a/mkpkg +++ b/mkpkg @@ -78,17 +78,6 @@ top_srcdir=`dirname $0` test -n "$osversion" || exit 1 osrelease=`echo "$osversion" | sed -e 's/^[^0-9]*//' -e 's/-.*$//'` -# Linux distros may build binaries as pie files. -# This is really something libtool should figure out, but it does not. -case "$osversion" in - *-s390*|*-sparc*|*-alpha*) - F_PIE=-fPIE - ;; - *) - F_PIE=-fpie - ;; -esac - # Choose compiler options by osversion if not cross-compiling. if [ "$crossbuild" = "false" ]; then case "$osversion" in @@ -122,9 +111,8 @@ case "$osversion" in configure_opts="${configure_opts}${configure_opts+$tab}--with-selinux" fi if [ $osrelease -ge 50 ]; then - # RHEL 5 and up build pies, have audit support and use a - # separate PAM config file for "sudo -i". - export CFLAGS="-O2 -g $F_PIE" LDFLAGS="-pie" + # RHEL 5 and up has audit support and uses a separate PAM + # config file for "sudo -i". configure_opts="${configure_opts}${configure_opts+$tab}--with-linux-audit" configure_opts="${configure_opts}${configure_opts+$tab}--with-pam-login" PPVARS="${PPVARS}${PPVARS+$space}linux_audit=1.4.0" @@ -145,10 +133,8 @@ case "$osversion" in ;; sles*) if [ $osrelease -ge 10 ]; then - # SLES 10 and higher build pies - export CFLAGS="-O2 -g $F_PIE" LDFLAGS="-pie" + # SLES 11 and higher has SELinux if [ $osrelease -ge 11 ]; then - # SLES 11 and higher has SELinux configure_opts="${configure_opts}${configure_opts+$tab}--with-selinux" fi fi @@ -186,14 +172,6 @@ case "$osversion" in case "$osversion" in ubu*) configure_opts="${configure_opts}${configure_opts+$tab}--enable-admin-flag${tab}--without-lecture" - if [ $osrelease -ge 1004 ]; then - export CFLAGS="-O2 -g $F_PIE" LDFLAGS="-pie" - fi - ;; - deb*) - if [ $osrelease -ge 600 ]; then - export CFLAGS="-O2 -g $F_PIE" LDFLAGS="-pie" - fi ;; esac # Note, must indent with tabs, not spaces due to IFS trickery @@ -236,10 +214,6 @@ case "$osversion" in fi export CFLAGS="-O2 -g $ARCH_FLAGS $SDK_FLAGS" export LDFLAGS="$ARCH_FLAGS $SDK_FLAGS" - if [ $osrelease -ge 105 ]; then - CFLAGS="$CFLAGS $F_PIE" - LDFLAGS="$LDFLAGS -Wl,-pie" - fi # Note, must indent with tabs, not spaces due to IFS trickery configure_opts="--with-pam --without-tty-tickets -- 2.49.0