From b619f0c74719d87f58b0ea0053805b7423cdab28 Mon Sep 17 00:00:00 2001 From: bdrewery Date: Tue, 19 Aug 2014 15:04:32 +0000 Subject: Revert r267233 for now. PIE support needs to be reworked. 1. 50+% of NO_PIE use is fixed by adding -fPIC to INTERNALLIB and other build-only utility libraries. 2. Another 40% is fixed by generating _pic.a variants of various libraries. 3. Some of the NO_PIE use is a bit absurd as it is disabling PIE (and ASLR) where it never would work anyhow, such as csu or loader. This suggests there may be better ways of adding support to the tree. Many of these cases can be fixed such that -fPIE will work but there is really no reason to have it in those cases. 4. Some of the uses are working around hacks done to some Makefiles that are really building libraries but have been using bsd.prog.mk because the code is cleaner. Had they been using bsd.lib.mk then NO_PIE would not have been needed. We likely do want to enable PIE by default (opt-out) for non-tree consumers (such as ports). For in-tree though we probably want to only enable PIE (opt-in) for common attack targets such as remote service daemons and setuid utilities. This is also a great performance compromise since ASLR is expected to reduce performance. As such it does not make sense to enable it in all utilities such as ls(1) that have little benefit to having it enabled. Reported by: kib --- usr.sbin/ftp-proxy/ftp-proxy/Makefile | 2 -- 1 file changed, 2 deletions(-) (limited to 'usr.sbin/ftp-proxy') diff --git a/usr.sbin/ftp-proxy/ftp-proxy/Makefile b/usr.sbin/ftp-proxy/ftp-proxy/Makefile index 686bac4..de49888 100644 --- a/usr.sbin/ftp-proxy/ftp-proxy/Makefile +++ b/usr.sbin/ftp-proxy/ftp-proxy/Makefile @@ -14,6 +14,4 @@ DPADD+= ${LIBEVENT} WARNS?= 3 -NO_PIE= yes - .include -- cgit v1.1