I don’t always compile software from source, but when I do I add a few flags.
Almost all of the software on this system comes from rpm packages, and Red Hat/Fedora use many of these same flags when they build their packages.
To make things easy, I have a couple of variables in my bashrc:

```bash
export myCFLAGS="-Wall -D_FORTIFY_SOURCE=2 -O2 -pipe -fPIE -pie -fstack-protector-all"
export myLDFLAGS="-Wl,-z,now -Wl,-z,relro"
```
When I compile software with configure, I add `CFLAGS="$myCFLAGS" LDFLAGS="$myLDFLAGS"` at the end of the configure command (the quotes matter, since both values contain spaces and would otherwise be split into separate arguments).
Here are the CFLAGS I add when compiling:
| flag | description |
|---|---|
| -fstack-protector-all | Emit extra code to check for buffer overflows, such as stack smashing attacks. This is done by adding a guard variable to functions; the -all variant protects every function, not only those with vulnerable objects. The guards are initialized when a function is entered and then checked when the function exits. If a guard check fails, an error message is printed and the program exits. You can read more about it here: https://en.wikipedia.org/wiki/Buffer_overflow_protection |
| -D_FORTIFY_SOURCE=2 | Defining this macro causes some lightweight checks to be performed to detect some buffer overflow errors when various string and memory manipulation functions are called. It only takes effect with optimization enabled, which the -O2 in the list provides. |
| -fPIE | Enable Position Independent Executable, used for ASLR (Address Space Layout Randomization). You can read about it here: https://en.wikipedia.org/wiki/Address_space_layout_randomization and here: https://en.wikipedia.org/wiki/Position-independent_code |
| -pie | I’m not sure how this is different from -fPIE. Something to do with the linker. |
Here are the LDFLAGS I add when compiling:
| flag | description |
|---|---|
| -Wl,-z,now | When used in combination with RELRO, BIND_NOW prevents the full global offset table (GOT) from being overwritten. |
| -Wl,-z,relro | Read-only relocations (RELRO) allow sections of an executable that need to be writable only while a program is loading to be marked read-only before the program starts. |
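A quick way to confirm the flags actually made it into a built binary is to read the ELF headers back. The checker below is an added example, not code from the original post: it is a pure-Python ELF64 parser (no binutils needed) that reports PIE from the ELF type, RELRO and BIND_NOW from the program headers and dynamic section, and the stack protector and fortify checks from the imported libc symbols; the function and key names are my own choices.

```python
import struct
import sys

# ELF constants used below (values from the ELF gABI and the Linux ABI supplement).
ET_DYN, PT_DYNAMIC, PT_GNU_RELRO, SHT_DYNSYM = 3, 2, 0x6474E552, 11
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def _imported_symbols(data, shoff, shentsize, shnum):
    """Names of undefined (imported) dynamic symbols, found via the .dynsym/.dynstr section headers."""
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize) for i in range(shnum)]
    names = set()
    for sh in (s for s in shdrs if s[1] == SHT_DYNSYM):
        strtab_off = shdrs[sh[6]][4]                  # sh_link points at the matching .dynstr
        for off in range(sh[4], sh[4] + sh[5], 24):   # Elf64_Sym entries are 24 bytes each
            st_name, _, _, st_shndx = struct.unpack_from("<IBBH", data, off)
            if st_shndx == 0:                         # SHN_UNDEF: resolved from a shared library
                end = data.index(b"\0", strtab_off + st_name)
                names.add(data[strtab_off + st_name:end].decode())
    return names

def check_hardening(data: bytes) -> dict:
    """Report which of the post's hardening flags are visible in an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF image")
    (_, e_type, _, _, _, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, _) = struct.unpack_from("<16sHHIQQQIHHHHHH", data)
    phdrs = [struct.unpack_from("<IIQQQQQQ", data, phoff + i * phentsize) for i in range(phnum)]
    relro = any(p[0] == PT_GNU_RELRO for p in phdrs)  # -Wl,-z,relro
    bind_now = False                                  # -Wl,-z,now
    for p in (p for p in phdrs if p[0] == PT_DYNAMIC):
        for off in range(p[2], p[2] + p[5], 16):      # walk Elf64_Dyn entries until DT_NULL
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    imports = _imported_symbols(data, shoff, shentsize, shnum) if shnum else set()
    return {"pie": e_type == ET_DYN,                  # -fPIE -pie (shared objects are ET_DYN too)
            "relro": relro, "bind_now": bind_now, "full_relro": relro and bind_now,
            # the next two appear only if some function actually needed a canary / a checked libc call
            "stack_canary": "__stack_chk_fail" in imports,                               # -fstack-protector*
            "fortify": any(n.startswith("__") and n.endswith("_chk") for n in imports)}  # -D_FORTIFY_SOURCE

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print(check_hardening(f.read()))
```

Run it as `python3 check_hardening.py ./a.out` after a build; a binary that is missing `full_relro` or `pie` is the usual sign that configure dropped the flags somewhere.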