Bugzilla – Bug 700
[patch] add a configure option to build with full read-only relocation
Last modified: 2015-08-28 16:33:21 CEST
Created attachment 295 [details]
Patch to add a --enable-relro-now option to unbound's configure
Compiling unbound with full RELRO would prevent attackers from overwriting the GOT and .dtors. It implies a small startup penalty but that should not be a problem for a long-standing daemon.
A lot of distributions are enabling full RELRO for network daemons (Gentoo Hardened, Debian, Fedora) and adding a configure option to enable it in unbound would make it easier.
Attached is a proposal to add such an option. Due to my lack of experience with autotools, I am not sure it is the best way to add such an option though.
Thank you for your patch. It is well written, and I have integrated it. (also in NSD!). I hope this can increase the security of the server.
Best regards, Wouter