Jeffrey Walton <noloader@xxxxxxxxx> writes:

> Debian does a good job. I think there is room for improvement (such as
> DEP and ASLR), and hope the maintainers stiffen their security posture
> in the future. The idea: make it secure out of the box, and let those
> who want to shoot themselves in the foot do so. For example, apply
> -z,noexecstack out of the box, and let folks turn it off with
> -z,execstack.

Right. Debian took a fairly conservative approach (in fact, pie and
bindnow are off by default, but can be easily turned on) because we were
trying to do something archive-wide without having to make a lot of
special exceptions.

Being able to turn off executable stack as at least another
easily-accessible option is an interesting idea, and I may raise that on
debian-devel. (Although it can be a little hard to predict which
packages need that. Hm, and I seem to recall that GCC does some stuff
with executable stack automatically.)

> This was a very good point and I had to think about it for a while.
> Are there Autoconf variables for this? For example, rather than:
>
> ./configure "CFLAGS=..." "CXXFLAGS=..."
>
> could we instead use Autoconf defined stuff:
>
> ./configure "ac_warnings=-Wall -Wextra -Wconversion" \
> "ac_cflags=-fstack-protector-all..." \
> ac_so_flags=... ac_exe_flags=...

There are not, at least so far as I know. It's a little tricky to add
the flags after the fact unless you override all of CFLAGS at build time
and provide the full set of hardening flags again. One of the standard
tricks is to override CC instead, with something like:

    make CC="gcc -Wall -Wextra"

> Autoconf could use ac_cflags as it is being used now(?) and save
> ac_warnings for later use (by Automake?) when real source files are
> compiled.

It would be nice to have some additional support directly in standard
Autoconf macros for handling compiler warning flags, although I suspect
there is stuff in both the macro archive and in gnulib.
-- 
Russ Allbery (rra@xxxxxxxxxxxx)             <http://www.eyrie.org/~eagle/>

_______________________________________________
Autoconf mailing list
Autoconf@xxxxxxx
https://lists.gnu.org/mailman/listinfo/autoconf
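The thread notes that it is hard to predict which packages end up with an executable stack, and that the toolchain sometimes produces one on its own (the GNU linker marks the stack executable when any input object, typically hand-written assembly, lacks a `.note.GNU-stack` section). The check a packager would want is therefore on the built binary, not on the flags: inspect the `PT_GNU_STACK` program header that `-z,noexecstack` / `-z,execstack` controls. The script below is an added example, not code from the thread or from Autoconf or Debian. It parses `readelf -lW` output; the two sample outputs are constructed and abbreviated, and `check_binary` is a hypothetical wrapper that assumes `readelf` from binutils is installed.

```shell
#!/bin/sh
# Added example: classify a binary's stack as executable or not from the
# GNU_STACK program header in `readelf -lW` output.

# Constructed sample: a binary linked with -z,execstack (Flg column RWE).
SAMPLE_EXECSTACK='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x000718 0x000718 R E 0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10'

# Constructed sample: the same binary linked with -z,noexecstack (Flg RW).
SAMPLE_NOEXEC='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x000718 0x000718 R E 0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10'

# Constructed sample: no GNU_STACK header at all. The kernel then applies
# its legacy default, which on x86 is an executable stack, so this case is
# reported separately rather than treated as safe.
SAMPLE_MISSING='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x000718 0x000718 R E 0x1000'

# stack_status: reads `readelf -lW` output on stdin and prints one of
#   noexecstack  - GNU_STACK present without the E flag
#   execstack    - GNU_STACK present with the E flag
#   missing      - no GNU_STACK header (kernel default applies)
# Always returns 0 so it can be used inside `set -e` pipelines.
stack_status() {
    awk '
        $1 == "GNU_STACK" {
            found = 1
            # readelf prints flags as e.g. "RWE", "RW " or "R E"; when the
            # column contains a space it splits into two fields, so rejoin.
            flg = $7
            if (NF >= 9) flg = flg $8
            if (flg ~ /E/) exec = 1
        }
        END {
            if (!found)        print "missing"
            else if (exec)     print "execstack"
            else               print "noexecstack"
        }
    '
}

# check_binary PATH: hypothetical wrapper for a real file; needs readelf.
check_binary() {
    readelf -lW "$1" | stack_status
}

# Stand-alone demonstration over the constructed samples.
for name in SAMPLE_EXECSTACK SAMPLE_NOEXEC SAMPLE_MISSING; do
    eval "data=\$$name"
    printf '%s: %s\n' "$name" "$(printf '%s\n' "$data" | stack_status)"
done
```

In a package build, running `check_binary` over every installed ELF file after `make install` catches the case Russ describes: a package whose configure/CFLAGS look hardened but whose final link silently ended up with an executable stack because of one assembly source.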