Bug 700 – [patch] add a configure option to build with full read-only relocation

Bug 700 - [patch] add a configure option to build with full read-only relocation


Summary:	[patch] add a configure option to build with full read-only relocation

Status:	RESOLVED FIXED

Product:	unbound
Classification:	Unclassified
Component:	server
Version:	unspecified
Hardware:	x86_64 Linux

Importance:	P5 enhancement
Assigned To:	unbound team

URL:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2015-08-25 17:09 CEST by Remi Gacogne
Modified:	2015-08-28 16:33 CEST (History)
CC List:	2 users (show)

See Also:

Attachments
Patch to add a --enable-relro-now option to unbound's configure (1.45 KB, patch) 2015-08-25 17:09 CEST, Remi Gacogne	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Remi Gacogne 2015-08-25 17:09:09 CEST

Created attachment 295 [details]
Patch to add a --enable-relro-now option to unbound's configure

Compiling unbound with full RELRO would prevent attackers from overwriting the GOT and .dtors. It implies a small startup penalty but that should not be a problem for a long-standing daemon.
A lot of distributions are enabling full RELRO for network daemons (Gentoo Hardened, Debian, Fedora) and adding a configure option to enable it in unbound would make it easier.

Attached is a proposal to add such an option. Due to my lack of experience with autotools, I am not sure it is the best way to add such an option though.

Comment 1 Wouter Wijngaards 2015-08-28 16:33:21 CEST

Hi Remi,

Thank you for your patch.  It is well written, and I have integrated it.  (also in NSD!).  I hope this can increase the security of the server.

Best regards, Wouter