From 1ed76434cb6beaaec975279e1d202bb111400e28 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Tue, 12 Jun 2007 19:32:26 +0000 Subject: * Build position-independent executables (only for debs, not for udebs) to take advantage of address space layout randomisation. --- debian/changelog | 2 ++ debian/rules | 9 +++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 69d3efef1..b95d21709 100644 --- a/debian/changelog +++ b/debian/changelog @@ -63,6 +63,8 @@ openssh (1:4.6p1-1) UNRELEASED; urgency=low * Emit a slightly more informative message from the init script if /dev/null has somehow become not a character device (closes: #369964). * Belatedly build-depend on zlib1g-dev (>= 1:1.2.3-1) (closes: #333447). + * Build position-independent executables (only for debs, not for udebs) to + take advantage of address space layout randomisation. -- Colin Watson Tue, 12 Jun 2007 14:31:01 +0100 diff --git a/debian/rules b/debian/rules index 8f8eed1b8..76dc5d83c 100755 --- a/debian/rules +++ b/debian/rules @@ -12,6 +12,11 @@ else OPTFLAGS := -O0 endif +# Use position-independent executables to take advantage of address space +# layout randomisation. TODO: This should be done in configure. +PIE_CFLAGS := -fPIE +PIE_LDFLAGS := -fPIE -pie + DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS 2>/dev/null) # Take account of old dpkg-architecture output. 
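Review bot: Full RELRO is missing from the new link flags in debian/rules: `PIE_LDFLAGS := -fPIE -pie` lets the loader randomise the executable's base address but leaves the GOT writable under lazy binding, so the hardening is only partial. Consider a companion variable such as `HARDEN_LDFLAGS := -Wl,-z,relro -Wl,-z,now`, passed wherever `$(PIE_LDFLAGS)` is, provided the binutils in the target release accepts both options. The comment should also say why `-fPIE` is repeated in the link flags (presumably so that configure's compile-and-link tests build PIE-compatible objects), since a later reader may take it for a mistake.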
@@ -63,7 +68,7 @@ build-deb: build-deb-stamp build-deb-stamp: dh_testdir mkdir -p build-deb - cd build-deb && $(FORCE_LIBS) ../configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib/openssh --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11 --with-pam --with-4in6 --with-privsep-path=/var/run/sshd --without-rand-helper --with-libedit --with-kerberos5=/usr --with-ssl-engine $(SELINUX) + cd build-deb && $(FORCE_LIBS) LDFLAGS='$(PIE_LDFLAGS)' ../configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib/openssh --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11 --with-pam --with-4in6 --with-privsep-path=/var/run/sshd --without-rand-helper --with-libedit --with-kerberos5=/usr --with-ssl-engine $(SELINUX) ifeq ($(DEB_HOST_ARCH_OS),linux) # Some 2.2 kernels have trouble with setres[ug]id() (bug #239999). 
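Review bot: Nothing in build-deb-stamp checks that the binaries actually come out position-independent. `LDFLAGS='$(PIE_LDFLAGS)'` is handed to configure here, while `-fPIE` reaches the compiler only through the CFLAGS override on the later `$(MAKE)` line. If the `-pie` link flag is ever lost, the result is an ordinary executable with no warning. A cheap guard after the build step would be `readelf -h build-deb/sshd | grep -q 'Type:.*DYN'`, failing the build when it does not match. The recipe continues past the end of this hunk, so the right place for the check is not visible here.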
@@ -72,7 +77,7 @@ endif # Debian's /var/log/btmp has inappropriate permissions. perl -pi -e 's,.*#define USE_BTMP .*,/* #undef USE_BTMP */,' build-deb/config.h - $(MAKE) -C build-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='$(OPTFLAGS) -g -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -std=gnu99 -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -DSSH_EXTRAVERSION="\" $(SSH_EXTRAVERSION)\""' + $(MAKE) -C build-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='$(OPTFLAGS) $(PIE_CFLAGS) -g -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -std=gnu99 -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -DSSH_EXTRAVERSION="\" $(SSH_EXTRAVERSION)\""' # Support building on Debian 3.0 (with GNOME 1.4) and later. if [ -f /usr/include/libgnomeui-2.0/gnome.h ]; then \ $(MAKE) -C contrib gnome-ssh-askpass2 CC='gcc $(OPTFLAGS) -g -Wall'; \ -- cgit v1.2.3
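Review bot: The gnome-ssh-askpass2 build in the trailing context still uses `CC='gcc $(OPTFLAGS) -g -Wall'`, so the askpass helper stays non-PIE while everything under build-deb now gets `$(PIE_CFLAGS)`. If that is deliberate it deserves a comment. Otherwise pass the flags there too, e.g. `CC='gcc $(OPTFLAGS) $(PIE_LDFLAGS) -g -Wall'`, which covers both steps if contrib/Makefile compiles and links in one command (not visible here, so confirm). The `if` block continues outside the hunk, and its other branch probably needs the same treatment.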