|
version 1.21, 2017/09/07 11:32:21
|
version 1.22, 2017/11/05 23:07:27
|
|
Line 1
|
Line 1
|
| [[!meta title="Hardening pkgsrc"]] |
[[!meta title="Hardening pkgsrc"]] |
| |
|
| A number of mechanisms are available in [pkgsrc](https://www.pkgsrc.org/) to |
A number of mechanisms are available in |
| improve the security of the resulting system. They can be enabled individually |
[pkgsrc](https://www.pkgsrc.org/) to improve the security of the |
| in `mk.conf`, and consist of: |
resulting system. This page describes the mechanisms, and gives hints |
| |
about detecting and fixing problems. |
| |
|
| |
# Mechanisms |
| |
|
| |
Mechanisms can be enabled individually in `mk.conf`, and are |
| |
individually described below. They are sorted by whether thery are |
| |
enabled by default, and then by their ordering in mk/defaults/mk.conf. |
| |
|
| |
## Enabled by default in the stable branch |
| |
|
| * `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent |
|
| Executables) when supported on the current platform. This option is necessary |
|
| to fully leverage ASLR as a mitigation for security vulnerabilities. |
|
| * `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used |
* `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used |
| functions that do not bounds checking regularly - but could in some cases |
functions that do not bounds checking regularly - but could in some cases |
| (enabled by default since pkgsrc-2017Q3) |
(enabled by default since pkgsrc-2017Q3) |
| |
|
| |
* 'PKGSRC_USE_SSP`: enables a stack-smashing protection mitigation (enabled |
| |
by default where known supported since pkgsrc-2017Q3) |
| |
|
| |
## Enabled by default in pkgsrc HEAD |
| |
|
| |
## Not enabled by default |
| |
|
| |
* `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent |
| |
Executables) when supported on the current platform. With PIE |
| |
executables, a platform that supports ASLR will be able to randomize |
| |
the process layout. |
| |
|
| * `PKGSRC_USE_RELRO`: this also makes the exploitation of some security |
* `PKGSRC_USE_RELRO`: this also makes the exploitation of some security |
| vulnerabilities more difficult in some cases. |
vulnerabilities more difficult in some cases. |
| * `PKGSRC_USE_SSP`: enables a stack-smashing protection mitigation (enabled |
|
| by default where known supported since pkgsrc-2017Q3) |
|
| * `PKGSRC_USE_STACK_CHECK`: uses `-fstack-check` with GCC for another stack |
* `PKGSRC_USE_STACK_CHECK`: uses `-fstack-check` with GCC for another stack |
| protection mitigation. |
protection mitigation. |
| |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to hardening.mdwn CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [NetBSD Developer Wiki] / wikisrc / pkgsrc