From a7bed56845b3d0c2bed37e88e3ba49e40fb2b114 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Tue, 16 Jun 2020 10:38:46 +0200
Subject: [PATCH 1/2] Disable and disallow static linking

Linking BIND 9 programs and libraries statically disables several important features:

* dlopen() - relied on by dynamic loading of modules, dlz, and dyndb,
* RELRO (read-only relocations) and ASLR (address space layout randomization) - security features which are important for any program interacting with the network and/or user input.

Disable and disallow linking BIND 9 binaries statically, thus enforcing dlopen() support and allowing use of RELRO and ASLR by default.
---
 configure.ac | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 53d2116daa..6a651da2e5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -119,7 +119,10 @@ AX_POSIX_SHELL
 AC_PROG_MKDIR_P
 
 # Initialize libtool
-LT_INIT([dlopen])
+LT_INIT([disable-static dlopen pic-only])
+
+AS_IF([test $enable_static != "no"],
+ [AC_MSG_ERROR([Static linking is not supported as it disables dlopen() and certain security features (e.g. RELRO, ASLR)])])
 LT_CONFIG_LTDL_DIR([libltdl])
 LTDL_INIT([recursive])

From 7f24d4b4764d6cb8665cf1ca8118ad7eef991eff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Wed, 17 Jun 2020 14:28:23 +0200
Subject: [PATCH 2/2] Add CHANGES and release note for #1933

---
 CHANGES | 2 ++
 doc/notes/notes-current.rst | 7 ++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 4d69ed5372..1ef3b55bf8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+5445. [cleanup] Disable and disallow static linking. [GL #1933]
+
 5444. [bug] 'rndc dnstap -roll ' was not limiting the number of saved files to . [GL !3728]
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 862929d49e..8c6e86a3b9 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
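Review bot: The new guard `AS_IF([test $enable_static != "no"], …)` expands `$enable_static` unquoted, so if the variable is ever empty (e.g. a stray `--enable-static=` on the configure line) the shell runs `test != no` and aborts with a unary-operator error rather than the intended "Static linking is not supported" message. `LT_INIT([disable-static …])` should seed the variable with `no` in the default case, so the check works as written today, but the conventional autoconf form is robust against both cases: `AS_IF([test "$enable_static" != "no"],`. The error text is double-bracketed inside AC_MSG_ERROR, so the parentheses and commas in the message are safe from m4 argument splitting.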
@@ -29,7 +29,12 @@ New Features
 
 Feature Changes
 ~~~~~~~~~~~~~~~
-- None.
+- Disable and disallow static linking of BIND 9 binaries and libraries
+ as BIND 9 modules require ``dlopen()`` support and static linking also
+ prevents using security features like read-only relocations (RELRO) or
+ address space layout randomization (ASLR) which are important for
+ programs that interact with the network and process arbitrary user
+ input. [GL #1933]
 
 Bug Fixes
 ~~~~~~~~~