HPE Community
Operating System - HP-UX
1753525 Members
5800 Online
108795 Solutions
New Discussion

Question about linking vsftpd with +cond_rodata

 
SOLVED
Go to solution
bobjh
Advisor

‎05-06-2013 12:04 PM

‎05-06-2013 12:04 PM

Question about linking vsftpd with +cond_rodata

Hello,

 

I managed to get vsftpd to build on an HP-UX server with gcc and Gnu make by means of about a half-dozen judicious type-casting hacks in sysutil.c and sysdeputil.c. But, in the process, I also had to remove the '-fstack-protector' option from CFLAGS and the '-Wl,-z,relro -Wl,-z,now' options for LDFLAGS. Hopefully, the 'executable_stack' kernel tunable will provide something equivalent to the '-fstack-protector' option. What I'd like to do now is put back the equivalent of the Linux '-z relro' linker option. Does anybody know if the HP linker option '+cond_rodata' will do this?

 

Thank you!

0 Kudos
Reply
4 REPLIES 4
Dennis Handly
Acclaimed Contributor

‎05-07-2013 12:07 AM - edited ‎05-07-2013 07:59 PM

‎05-07-2013 12:07 AM - edited ‎05-07-2013 07:59 PM

Re: Question about linking vsftpd with +cond_rodata

>Does anybody know if the HP linker option '+cond_rodata' will do this?

 

This is a compiler option only available with HP's compilers and is the default under -exec, so it was removed from the doc.

 

What are you trying to do with: Create an ELF "PT_GNU_RELRO" segment header in the object.

Reply
bobjh
Advisor

‎05-07-2013 08:09 AM

‎05-07-2013 08:09 AM

Re: Question about linking vsftpd with +cond_rodata

Thanks. Apparently "-z relro" is a recent Linux security hardening option to "place commonly exploited structures in ELF binaries to a quasi-readonly location".

 

Alas, I tried connecting to vsftpd via ftp (without SSL enabled) but I get a "500 OOPS: mmap" error, so perhaps the question is moot.

0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎05-07-2013 07:57 PM

‎05-07-2013 07:57 PM

Solution

Re: Question about linking vsftpd with +cond_rodata

>Apparently "-z relro" is a recent Linux security hardening option to "place commonly exploited structures in ELF binaries to a quasi-readonly location".

 

Then +cond_rodata won't help.

 

Things are put into text sections only if the compiler and linker can determine they aren't modifiable, typically by the use of const.   Using -exec will also get more things in text if local addresses are taken.

 

About the only security option is ld/dld +protect option.

Reply
bobjh
Advisor

‎05-08-2013 07:38 AM

‎05-08-2013 07:38 AM

Re: Question about linking vsftpd with +cond_rodata

Thank you.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.