[[!meta title="Hardening pkgsrc"]]
[pkgsrc](http://www.pkgsrc.org/) supports a number of mechanisms that are meant
to improve the security of compiled binaries. They can be individually enabled
in `mk.conf`, and consist of:

* `PKGSRC_MKPIE`: forces the creation of PIE (Position Independent
Executables) when supported on the current platform. This option is necessary
to fully leverage ASLR as a mitigation for security vulnerabilities.
* `PKGSRC_USE_FORTIFY`: allows substitute wrappers to be used for commonly used
functions that do not perform bounds checking regularly, but could in some
cases.
* `PKGSRC_USE_RELRO`: enables RELRO (read-only relocations), which makes the
exploitation of some security vulnerabilities more difficult in some cases.
* `PKGSRC_USE_SSP`: enables stack-smashing protection (again, on supported
platforms).
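
To confirm that an installed binary actually carries these protections, the following script (an added example, not part of pkgsrc or of the original page) classifies `readelf` output for PIE, RELRO, SSP and FORTIFY. The function names are hypothetical, and the symbol names it looks for (`__stack_chk_fail`, `__<function>_chk`) are assumed from GCC/Clang conventions.

```shell
#!/bin/sh
# Added example: classify hardening features from readelf(1) output.
# Each classifier reads readelf text on stdin, so it also works on saved output.

# Input: `readelf -h`. ET_DYN is a PIE (or a shared library); ET_EXEC is not PIE.
pie_status() {
    hdr=$(cat)
    if printf '%s\n' "$hdr" | grep -Eq 'Type:[[:space:]]+DYN'; then echo pie
    elif printf '%s\n' "$hdr" | grep -Eq 'Type:[[:space:]]+EXEC'; then echo no-pie
    else echo unknown
    fi
}

# Input: `readelf -lW -dW`. A GNU_RELRO segment alone is partial RELRO;
# combined with immediate binding (BIND_NOW / FLAGS_1 NOW) it is full RELRO.
relro_status() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q 'GNU_RELRO'; then echo none
    elif printf '%s\n' "$out" | grep -Eq 'BIND_NOW|FLAGS_1.*NOW'; then echo full
    else echo partial
    fi
}

# Input: `readelf -sW`. Assumed GCC/Clang naming: SSP references
# __stack_chk_fail, fortified calls resolve to __<function>_chk.
symbol_status() {
    syms=$(cat); found=""
    printf '%s\n' "$syms" | grep -q '__stack_chk_fail' && found="ssp"
    printf '%s\n' "$syms" | grep -Eq '__[a-z0-9]+_chk(@|[[:space:]]|$)' &&
        found="${found:+$found,}fortify"
    echo "${found:-none}"
}

audit() {
    printf '%s: %s relro=%s symbols=%s\n' "$1" \
        "$(readelf -h "$1" | pie_status)" \
        "$(readelf -lW -dW "$1" | relro_status)" \
        "$(readelf -sW "$1" | symbol_status)"
}

# Usage: sh audit.sh FILE...  (each FILE is an installed ELF binary)
for f in "$@"; do audit "$f"; done
```

A binary with no stack buffers or fortifiable calls legitimately reports `symbols=none`, so treat that result as a prompt to inspect the build log rather than as proof the option was ignored.
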
# Caveats
## Problems with `PKGSRC_MKPIE`
### No support for cwrappers
As of the time of this article `PKGSRC_MKPIE` is not supported by
`pkgtools/cwrappers` (`USE_CWRAPPERS` in `mk.conf`).
### Packages failing to build
A number of packages may fail to build with this option enabled. The failures
are often related to the absence of the "-fPIC" compilation flag when building
libraries or executables (or ideally "-fPIE" in the latter case). This flag is
added to the `CFLAGS` already, but requires the package to actually support it.
#### How to fix
These instructions are meant as a reference only; they likely need to be adapted
for many packages individually.
For packages using `Makefiles`:

    MAKE_FLAGS+= CFLAGS=${CFLAGS:Q}
    MAKE_FLAGS+= LDFLAGS=${LDFLAGS:Q}

For packages using `Imakefiles`:

    MAKE_FLAGS+= CCOPTIONS=${CFLAGS:Q}
    MAKE_FLAGS+= LOCAL_LDFLAGS=${LDFLAGS:Q}

### Run-time crashes
Some programs may fail to run, or crash at random times once built as PIE. Two
scenarios are essentially possible:
* actual bug in the program crashing, exposed thanks to ASLR/mprotect;
* bug in the implementation of ASLR/mprotect in the Operating System.
## Problems with `PKGSRC_USE_FORTIFY`
### Packages failing to build
This feature makes use of pre-processing directives to look for hardened,
alternative implementations of essential library calls. Some programs may fail
to build as a result; this usually happens for those trying too hard to be
portable, or otherwise abusing definitions in the standard library.
This will require a modification to the program, or disabling this feature for
part or all of the build.
### Run-time crashes
Just like with `PKGSRC_MKPIE` above, this feature may cause some programs to
crash, usually indicating an actual bug in the program. The fix will typically
involve patching the original program.
## Problems with `PKGSRC_USE_SSP`
### Packages failing to build
The stack-smashing protection provided by this option does not work for some
programs. The two most common situations in which this happens are:
* the program makes use of the `alloca(3)` library call (memory allocator on the
stack)
* the program allocates variables on the stack, with the size determined at
run-time.
Both cases will require a modification to the program, or disabling this feature
for part or all of the build.
### Run-time crashes
Again, this feature may cause some programs to crash, usually indicating an
actual bug in the program. Patching the original program is then required.