Hardening options for C and C++ in Slackware
by teoberi from LinuxQuestions.org on (#6H23C)
I started documenting myself about this topic some time ago when I was trying to compile the 7-Zip archiver from sources. I got the first information about these compilation options from Arch Linux and OpenSUSE. Then I started to study how this is done in other distributions, i.e. Debian, Ubuntu, Fedora, OpenSUSE, Gentoo.
I found the document here which is quite clear and has references to the documentation of the distributions mentioned above.
In the case of Slackware, the SlackBuilds have the SLKCFLAGS variable that contains the "-O2" option plus a few more (depends on the package) and which is then transferred to CFLAGS in the configuration stage.
Macros (variables) CPPFLAGS, CXXFLAGS, LDFLAGS do not appear.
I found somewhere that these options would be of less importance for home users (if they don't care about the security of their operating system) but they are important for servers.
Is there interest in this in Slackware?
I am in the process of securing the packages compiled by me (and they are not few, I compile from sources even some packages that already exist in Slackware but not in the configuration I need).
Now I use the following macros in the configuration stage:
CPPFLAGS="-O2 -D_FORTIFY_SOURCE=2"
CFLAGS="-fPIE -fstack-protector-strong"
CXXFLAGS="-fPIE -fstack-protector-strong"
LDFLAGS="-Wl,-pie,-z,now,-s"
I built the packages from sources like this:
7-Zip;
DCC (Distributed Checksum Clearinghouses);
and
Squid.
Testing the application of these options is done with the utility here.
I found the document here which is quite clear and has references to the documentation of the distributions mentioned above.
In the case of Slackware, the SlackBuilds have the SLKCFLAGS variable that contains the "-O2" option plus a few more (depends on the package) and which is then transferred to CFLAGS in the configuration stage.
Macros (variables) CPPFLAGS, CXXFLAGS, LDFLAGS do not appear.
I found somewhere that these options would be of less importance for home users (if they don't care about the security of their operating system) but they are important for servers.
Is there interest in this in Slackware?
I am in the process of securing the packages compiled by me (and they are not few, I compile from sources even some packages that already exist in Slackware but not in the configuration I need).
Now I use the following macros in the configuration stage:
CPPFLAGS="-O2 -D_FORTIFY_SOURCE=2"
CFLAGS="-fPIE -fstack-protector-strong"
CXXFLAGS="-fPIE -fstack-protector-strong"
LDFLAGS="-Wl,-pie,-z,now,-s"
I built the packages from sources like this:
7-Zip;
DCC (Distributed Checksum Clearinghouses);
and
Squid.
Testing the application of these options is done with the utility here.