I don’t always compile software from source, but when I do I add a few flags.
Almost all of the software on this system comes from rpm packages, and RedHat/Fedora already build their packages with many of these flags.
To make things easy, I have a couple of variables exported from my bashrc:
export myCFLAGS="-Wall -D_FORTIFY_SOURCE=2 -O2 -pipe -fPIE -pie -fstack-protector-all"
export myLDFLAGS="-Wl,-z,now -Wl,-z,relro"
When I compile software with configure, I add CFLAGS="$myCFLAGS" LDFLAGS="$myLDFLAGS" at the end of the configure command. The double quotes matter: since these come after the command name they are arguments to configure, not shell assignments, and without quotes the shell splits them so that CFLAGS ends up as just -Wall and the remaining flags are passed to configure as unknown options. Strictly speaking -D_FORTIFY_SOURCE is a preprocessor define (CPPFLAGS) and -pie is a linker option, but both work from CFLAGS because gcc is also the link driver and configure-based builds pass CFLAGS at link time.
Here are the CFLAGS I add when compiling:
| Flag | Description |
|---|---|
| -fstack-protector-all | Emit code to detect stack buffer overflows (stack smashing). The compiler places a guard value (canary) between the local variables and the saved return address when a function is entered and checks it just before the function returns; if the guard has been overwritten, __stack_chk_fail is called and the program aborts instead of returning to an attacker-controlled address. Plain -fstack-protector only instruments functions with character arrays (and -fstack-protector-strong covers any function with local arrays or address-taken locals); the -all variant instruments every function, which costs a little performance but leaves no gaps. You can read more about it here: https://en.wikipedia.org/wiki/Buffer_overflow_protection |
| -D_FORTIFY_SOURCE=2 | Defining this macro makes glibc replace calls to string and memory functions such as memcpy, strcpy, sprintf and read with checked variants (__memcpy_chk and friends) wherever the compiler knows the size of the destination buffer, so an overflow is caught at run time and the program aborts. It only takes effect with optimization enabled (-O1 or higher), which is why -O2 is in the list. Level 2 is stricter than level 1 (for example it rejects %n in format strings that live in writable memory). |
| -fPIE | Compile position-independent code suitable for an executable, so that the program image can be loaded at a random base address by ASLR (Address Space Layout Randomization). Without it the main binary sits at a fixed address even when the kernel randomizes the libraries, stack and heap, leaving an attacker a stable source of ROP gadgets. You can read about it here: https://en.wikipedia.org/wiki/Address_space_layout_randomization and here: https://en.wikipedia.org/wiki/Position-independent_code |
| -pie | The matching linker option: -fPIE tells the compiler how to generate the code, -pie tells the linker (through gcc) to produce a position-independent executable (ELF type DYN rather than EXEC). Both are needed; -fPIE alone still yields a fixed-address executable. |
Here are the LDFLAGS I add when compiling:
| Flag | Description |
|---|---|
| -Wl,-z,now | Tell the dynamic linker to resolve every symbol at program start (BIND_NOW) instead of lazily on first call. Lazy binding is what keeps the PLT part of the global offset table (GOT) writable at run time; with all bindings done up front that part can be made read-only as well. In combination with -z relro this is "full RELRO": the entire GOT is read-only once the program starts, so a write primitive can no longer hijack control flow by overwriting a GOT entry. The cost is slightly slower startup for binaries that import many symbols. |
| -Wl,-z,relro | Read-only relocations (RELRO): the linker emits a GNU_RELRO segment covering the sections that only need to be writable while the program is loading (.init_array, .fini_array, .dynamic and the non-PLT part of the GOT), and the dynamic linker marks it read-only before main() runs. On its own this is "partial RELRO"; .got.plt stays writable for lazy binding unless -z now is also given. |