Bug 700 - [patch] add a configure option to build with full read-only relocation
[patch] add a configure option to build with full read-only relocation
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
unspecified
x86_64 Linux
: P5 enhancement
Assigned To: unbound team
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-08-25 17:09 CEST by Remi Gacogne
Modified: 2015-08-28 16:33 CEST (History)
2 users (show)

See Also:


Attachments
Patch to add a --enable-relro-now option to unbound's configure (1.45 KB, patch)
2015-08-25 17:09 CEST, Remi Gacogne
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Remi Gacogne 2015-08-25 17:09:09 CEST
Created attachment 295 [details]
Patch to add a --enable-relro-now option to unbound's configure

Compiling unbound with full RELRO would prevent attackers from overwriting the GOT and .dtors. It implies a small startup penalty but that should not be a problem for a long-standing daemon.
A lot of distributions are enabling full RELRO for network daemons (Gentoo Hardened, Debian, Fedora) and adding a configure option to enable it in unbound would make it easier.

Attached is a proposal to add such an option. Due to my lack of experience with autotools, I am not sure it is the best way to add such an option though.
Comment 1 Wouter Wijngaards 2015-08-28 16:33:21 CEST
Hi Remi,

Thank you for your patch.  It is well written, and I have integrated it.  (also in NSD!).  I hope this can increase the security of the server.

Best regards, Wouter