[[!meta title="Hardening pkgsrc"]]
[pkgsrc](http://www.pkgsrc.org/) supports a number of mechanisms that are meant
to improve the security of compiled binaries. They can be individually enabled
in `mk.conf`, and consist of:
* `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent
Executables) when supported on the current platform. This option is necessary
to fully leverage ASLR as a mitigation for security vulnerabilities.
* `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used
functions that do not bounds checking regularly - but could in some cases.
* `PKGSRC_USE_RELRO`: this also makes the exploitation of some security
vulnerabilities more difficult in some cases.
* `PKGSRC_USE_SSP`: enables stack-smashing protection (again, on supported
## Problems with `PKGSRC_MKPIE`
### No support for cwrappers
As of the time of this article `PKGSRC_MKPIE` is not supported by
`pkgtools/cwrappers` (`USE_CWRAPPERS` in `mk.conf`).
### Packages failing to build
A number of packages may fail to build with this option enabled. The failures
are often related to the absence of the "-fPIC" compilation flag when building
libraries or executables (or ideally "-fPIE" in the latter case). This flag is
added to the `CFLAGS` already, but requires the package to actually support it.
#### How to fix
These instructions are meant as a reference only; they likely need to be adapted
for many packages individually.
For packages using `Makefiles`:
For packages using `Imakefiles`:
### Run-time crashes
Some programs may fail to run, or crash at random times once built as PIE. Two
scenarios are essentially possible:
* actual bug in the program crashing, exposed thanks to ASLR/mprotect;
* bug in the implementation of ASLR/mprotect in the Operating System.
CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb