Re: kill prelink

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Feb 6, 2012 at 5:35 PM, Ricky Zhou <ricky@xxxxxxxxxxxxxxxxx> wrote:
> On 2012-02-06 11:59:53 AM, Bill Nottingham wrote:
>> Stephen John Smoogen (smooge@xxxxxxxxx) said:
>> > > > Discussion from irc today pointed out the..... difficulty with our
>> > > > security with prelink running on our systems.
>>
>> Is this a general issue that should be pushed up the stack?
> I think the "difficulty with our security" bit was referring to some
> weirdness which caused issues with the needs-restarting utility.
> However, I do have other reasons for questioning the need for prelink in
> Fedora in general.
>
> My main issue is that with prelink enabled, non-PIE binaries essentially
> have library address randomization disabled (they are still randomized
> every 2 weeks when prelink runs, but the addresses stay the same in
> between).  This makes many types of security bugs far easier to exploit
> on Fedora than on distros without prelink.
>
> One argument against this point is that we should just enable PIE on
> apps which are security-sensitive, or which are likely to be exploited.
> While I definitely don't disagree with this point, I think we're very
> far from having that happen, and in addition, doing so would cause us to
> lose many of the speedups that prelink is supposed to give (progams
> which need to handle a lot of potentially untrusted inputs, like
> openoffice, should then have PIE enabled).
>
> With all this in mind, I'd definitely be interested in seeing a
> discussion about whether prelink should stay enabled by default on
> Fedora.
>
> Thanks,
> Ricky
>
> _______________________________________________
> infrastructure mailing list
> infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/infrastructure

also 80% + packages from rpmfusion uses prelink.


-- 
------------

Itamar Reis Peixoto
msn, google talk: itamar@xxxxxxxxxxxxxxxx
+55 11 4063 5033 (FIXO SP)
+55 34 9158 9329 (TIM)
+55 34 8806 3989 (OI)
+55 34 3221 8599 (FIXO MG)
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure



[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux