version 1.21, 2017/09/07 11:32:21
|
version 1.22, 2017/11/05 23:07:27
|
Line 1
|
Line 1
|
[[!meta title="Hardening pkgsrc"]] |
[[!meta title="Hardening pkgsrc"]] |
|
|
A number of mechanisms are available in [pkgsrc](https://www.pkgsrc.org/) to |
A number of mechanisms are available in |
improve the security of the resulting system. They can be enabled individually |
[pkgsrc](https://www.pkgsrc.org/) to improve the security of the |
in `mk.conf`, and consist of: |
resulting system. This page describes the mechanisms, and gives hints |
|
about detecting and fixing problems. |
|
|
|
# Mechanisms |
|
|
|
Mechanisms can be enabled individually in `mk.conf`, and are |
|
individually described below. They are sorted by whether thery are |
|
enabled by default, and then by their ordering in mk/defaults/mk.conf. |
|
|
|
## Enabled by default in the stable branch |
|
|
* `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent |
|
Executables) when supported on the current platform. This option is necessary |
|
to fully leverage ASLR as a mitigation for security vulnerabilities. |
|
* `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used |
* `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used |
functions that do not bounds checking regularly - but could in some cases |
functions that do not bounds checking regularly - but could in some cases |
(enabled by default since pkgsrc-2017Q3) |
(enabled by default since pkgsrc-2017Q3) |
|
|
|
* 'PKGSRC_USE_SSP`: enables a stack-smashing protection mitigation (enabled |
|
by default where known supported since pkgsrc-2017Q3) |
|
|
|
## Enabled by default in pkgsrc HEAD |
|
|
|
## Not enabled by default |
|
|
|
* `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent |
|
Executables) when supported on the current platform. With PIE |
|
executables, a platform that supports ASLR will be able to randomize |
|
the process layout. |
|
|
* `PKGSRC_USE_RELRO`: this also makes the exploitation of some security |
* `PKGSRC_USE_RELRO`: this also makes the exploitation of some security |
vulnerabilities more difficult in some cases. |
vulnerabilities more difficult in some cases. |
* `PKGSRC_USE_SSP`: enables a stack-smashing protection mitigation (enabled |
|
by default where known supported since pkgsrc-2017Q3) |
|
* `PKGSRC_USE_STACK_CHECK`: uses `-fstack-check` with GCC for another stack |
* `PKGSRC_USE_STACK_CHECK`: uses `-fstack-check` with GCC for another stack |
protection mitigation. |
protection mitigation. |
|
|