Bugzilla – Bug 700
[patch] add a configure option to build with full read-only relocation
Last modified: 2015-08-28 16:33:21 CEST
Created attachment 295: Patch to add a --enable-relro-now option to unbound's configure

Compiling unbound with full RELRO would prevent attackers from overwriting the GOT and .dtors. It implies a small startup penalty but that should not be a problem for a long-standing daemon. A lot of distributions are enabling full RELRO for network daemons (Gentoo Hardened, Debian, Fedora) and adding a configure option to enable it in unbound would make it easier. Attached is a proposal to add such an option. Due to my lack of experience with autotools, I am not sure it is the best way to add such an option though.
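The attachment itself is not reproduced on this page, so the check below is an added example rather than the patch from this bug: after building with the new option, a packager wants to confirm that the resulting binary really has full RELRO (a GNU_RELRO segment plus immediate binding, which is what `-Wl,-z,relro -Wl,-z,now` produces in GNU ld) and not just partial RELRO, where .got.plt stays writable because lazy binding is still on. The script classifies readelf output into "none", "partial" or "full"; the readelf excerpts it carries are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the unbound patch): classify the RELRO level
# of an ELF binary from `readelf -l -d` output.
#
#   none    - no GNU_RELRO program header at all
#   partial - GNU_RELRO present, but symbols are still bound lazily, so
#             .got.plt remains writable after startup
#   full    - GNU_RELRO present and the dynamic section asks the loader
#             to resolve everything at startup (DT_BIND_NOW, BIND_NOW in
#             DT_FLAGS, or NOW in DT_FLAGS_1), after which the whole GOT
#             is remapped read-only

# Usage: relro_level_from_text "<text of readelf -l -d output>"
relro_level_from_text() {
    text=$1
    if ! printf '%s\n' "$text" | grep -q 'GNU_RELRO'; then
        echo none
        return 0
    fi
    # The three spellings readelf uses for "bind now" in the dynamic section.
    if printf '%s\n' "$text" | grep -Eq '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then
        echo full
    else
        echo partial
    fi
}

# Usage: relro_level_of_binary /path/to/unbound
# (returns "none" when readelf is missing or the file is not an ELF object)
relro_level_of_binary() {
    relro_level_from_text "$(readelf -l -d "$1" 2>/dev/null)"
}

# Constructed, abbreviated readelf output for the three cases.
SAMPLE_FULL='Program Headers:
  Type           Offset   VirtAddr
  GNU_RELRO      0x002d80 0x0000000000003d80
Dynamic section at offset 0x2d90 contains 27 entries:
  Tag        Type                         Name/Value
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'

SAMPLE_PARTIAL='Program Headers:
  Type           Offset   VirtAddr
  GNU_RELRO      0x002d80 0x0000000000003d80
Dynamic section at offset 0x2d90 contains 26 entries:
  Tag        Type                         Name/Value
 0x000000006ffffffb (FLAGS_1)            Flags: PIE'

SAMPLE_NONE='Program Headers:
  Type           Offset   VirtAddr
  LOAD           0x000000 0x0000000000400000
Dynamic section at offset 0x2d90 contains 25 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# When given a path, report on a real binary; otherwise show the samples.
if [ -n "${1-}" ]; then
    echo "$1: $(relro_level_of_binary "$1") RELRO"
else
    for name in FULL PARTIAL NONE; do
        eval "sample=\$SAMPLE_$name"
        echo "sample $name: $(relro_level_from_text "$sample") RELRO"
    done
fi
```

Run it as `sh relro-check.sh /usr/sbin/unbound` on the installed daemon; a build that honoured the option should report "full", and a "partial" result usually means `-z relro` was applied without `-z now`.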
Hi Remi,

Thank you for your patch. It is well written, and I have integrated it (also in NSD!). I hope this can increase the security of the server.

Best regards, Wouter