meta title="Debian: not stale, just hardened"
Raphaƫl Hertzog recently announced
a new dpkg-buildflags interface in dpkg that at long last gives the
distribution, the package maintainers, and users the control they want over
the build flags used when building packages.
The announcement mail gives all the gory details about how to invoke
dpkg-buildflags in your build to be compliant; but the nice thing is, if
you're using dh(1) with debian/compat=9, debhelper does it for you
automatically so long as you're using a build system that it knows how to
pass compiler flags to.
So for the first time, /usr/share/doc/debhelper/examples/rules.tiny can now
be used as-is to provide a policy-compliant package by default (setting
-g -O2 or -g -O0 for your build regardless of how debian/rules is
invoked).
Of course, none of my packages actually work that way; among other things I
have a habit of liberally sprinkling DEB_MAINT_CFLAGS_APPEND := -Wall
in my rules, and sometimes DEB_LDFLAGS_MAINT_APPEND := -Wl,-z,defs and
DEB_CFLAGS_MAINT_APPEND := $(shell getconf LFS_CFLAGS) as well. And my
upstreams' build systems rarely work 100% out of the box with dh_auto_*
without one override or another somewhere. So in practice, the shortest
debian/rules file in any of my packages seems to be 13 lines currently.
But that's 13 lines of almost 100% signal, unlike the bad old days of cut'n'pasted dh_* command lists.
The biggest benefit, though, isn't in making it shorter to write a rules file with the old, standard build options. The biggest benefit is that dpkg-buildflags now also outputs build-hardening compiler and linker flags by default on Debian. Specifically, using the new interface lets you pick up all of these hardening flags for free:
-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wl,-z,relro
It also lets you get -fPIE and -Wl,-z,now by adding this one line to
your debian/rules (assuming you're using dh(1) and compat 9):
export DEB_BUILD_MAINT_OPTIONS := hardening=+pie,+bindnow
Converting all my packages to use dh(1) has always been a long-term goal,
but some packages are easier to convert than others. This was the tipping
point for me, though. Even though debhelper compat level 9 isn't yet frozen,
meaning there might still be other behavior changes to it that will make more
work for me between now and release, over the past couple of weekends I've
been systematically converting all my packages to use it with dh. In
particular, pam and samba have been rebuilt to use the default hardening
flags, and openldap uses these flags plus PIE support. (Samba already
builds with PIE by default courtesy of upstream.)
You can't really make samba and openldap out on the graph, but they're there (with their rules files reduced by 50% or more).
I cannot overstate the significance of proactive hardening. There have been
a number of vulnerabilities over the past few years that have been thwarted
on Ubuntu because Ubuntu is using -fstack-protector by default. Debian has
a great security team that responds quickly to these issues as soon as
they're revealed, but we don't always get to find out about them before
they're already being exploited in the wild. In this respect, Debian has
lagged behind other distros.
With dpkg-buildflags, we now have the tools to correct this. It's just a matter of getting packages to use the new interfaces. If you're a maintainer of a security sensitive package (such as a network-facing daemon or a setuid application), please enable dpkg-buildflags in your package for wheezy! (Preferably with PIE as well.) And if you don't maintain security sensitive packages, you can still help out with the hardening release goal.