Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#481 closed enhancement (worksforme)

Executable missing platform security integrations

Reported by: Jeffrey Walton
Owned by:
Priority: major
Milestone:
Component: nginx-core
Version: 1.5.x
Keywords: compiler linker hardening
Cc:
uname -a: Linux debian-q500 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
nginx -V: $ ./objs/nginx -V
nginx version: nginx/1.5.9
TLS SNI support enabled
configure arguments: --with-debug --with-http_ssl_module --without-http_split_clients_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-cc-opt=-I/usr/local/ssl/include -ldl'

Description

Modern Linux and Unix platforms provide a number of platform security measures to remediate unanticipated threats. It appears nginx is not using any of them.

$ checksec.sh --file ./objs/nginx
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
No RELRO        No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   ./objs/nginx

RELRO can be achieved with linker options -z,relro and -z,now. Unfortunately, the configure system fails when trying to pass them through --with-ld-opt.

Stack canaries can be achieved with -fstack-protector or -fstack-protector-all. -fstack-protector-all is probably most appropriate since nginx is a high risk application. It's high risk because it accepts input from the internet.

PIE consists of compiler option -fPIE and linker option -pie. Unfortunately, the configure system fails when trying to pass them through --with-ld-opt.

No RPATH and No RUNPATH are OK as is. Some folks may have to use RPATH to avoid using some system supplied libraries.

NX enabled are no-exec stacks and heaps. I'm not sure where they are coming from on this Debian machine because it's not in gcc's spec file or in nginx's Makefile. It might be a good idea to test for the features during configuration and explicitly set the options if available. The options of interest are -z,noexecstack and -z,noexecheap. -z,noexecheap is available on PaX enabled kernels like Gentoo.

Checksec is a quick-and-dirty audit script by Tobias Klein and can be downloaded from http://www.trapkit.de/tools./checksec.html.
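
What the checksec columns in the description correspond to inside the ELF file, as an added example that is not part of the original ticket: a shell function that derives the same verdicts from readelf output. The sample inputs are constructed, and hardening_report and the sample_* names are made up for this illustration.

```shell
#!/bin/sh
# Added example: derive checksec-style verdicts from readelf output on stdin.
# Real use (GNU binutils; -W keeps each program header on one line):
#   readelf -W -h -l -d -s ./objs/nginx | hardening_report
hardening_report() {
    awk '
        /^ *Type:/ && $2 == "DYN"  { pie = 1 }     # ET_DYN: -fPIE plus -pie
        $1 == "GNU_RELRO"          { relro = 1 }   # -Wl,-z,relro
        $1 == "GNU_STACK"          { stack = 1; if ($7 ~ /E/) execstack = 1 }
        /\(BIND_NOW\)/             { now = 1 }     # -Wl,-z,now (DT_BIND_NOW)
        /\(FLAGS\)/ && /BIND_NOW/  { now = 1 }     # -Wl,-z,now (DT_FLAGS)
        /\(FLAGS_1\)/ && / NOW/    { now = 1 }     # -Wl,-z,now (DT_FLAGS_1)
        /__stack_chk_fail/         { canary = 1 }  # -fstack-protector*
        END {
            # RELRO is only "full" when lazy binding is also disabled.
            r = "none"
            if (relro) r = (now ? "full" : "partial")
            # A missing GNU_STACK header is reported as NX=no.
            printf "RELRO=%s CANARY=%s NX=%s PIE=%s\n", r,
                (canary ? "yes" : "no"),
                ((stack && !execstack) ? "yes" : "no"),
                (pie ? "yes" : "no")
        }'
}

# Constructed readelf excerpts (not taken from a real build).
STACK_LINE='  GNU_STACK  0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10'
RELRO_LINE='  GNU_RELRO  0x0d9df0 0x00000000006d9df0 0x00000000006d9df0 0x000210 0x000210 R   0x1'
CANARY_LINE='    41: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)'
NOW_LINE=' 0x000000000000001e (FLAGS)              BIND_NOW'

# Same verdicts as the checksec line in the ticket.
sample_unhardened() { printf '%s\n' '  Type:  EXEC (Executable file)' "$STACK_LINE"; }
# Built with -fstack-protector and -Wl,-z,relro only.
sample_partial() {
    printf '%s\n' '  Type:  EXEC (Executable file)' "$STACK_LINE" "$RELRO_LINE" "$CANARY_LINE"
}
# Adds -fPIE, -pie and -Wl,-z,now.
sample_full() {
    printf '%s\n' '  Type:  DYN (Shared object file)' "$STACK_LINE" "$RELRO_LINE" \
        "$CANARY_LINE" "$NOW_LINE"
}

sample_unhardened | hardening_report
sample_partial    | hardening_report
sample_full       | hardening_report
```

Shared libraries also report type DYN, so the PIE verdict is only meaningful for an executable such as nginx.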

Change History (5)

comment:1 by Maxim Dounin, 7 years ago

Resolution: worksforme
Status: new → closed

The --with-cc-opt and --with-ld-opt configure options can be used to configure needed compiler and linker options.

Note that the cc command is used for linking, and some linker flags may require different spelling on some platforms (e.g., -Wl,-z,relro instead of just -z,relro); see your compiler documentation for details.

comment:2 by Jeffrey Walton, 7 years ago

The --with-cc-opt and --with-ld-opt configure options can be used to

OK, so the confusion here seems to be --with-ld-opt are not translated into linker options (i.e., LDFLAGS). See, for example, https://www.gnu.org/software/make/manual/make.html#Implicit-Variables.

closed enhancement (worksforme)

Well, that's unfortunate. It does not appear to be working well all the time. I can't help but wonder why some of these remediations are not used out of the box given past failures like CVE-2013-2028, CVE-2012-2089 and CVE-2011-4315. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=nginx.

Until nginx writes 100% bug-free code, it really should consider taking advantage of some of the platform security options offered. They work in practice and cost nearly nothing in terms of performance.

in reply to:  2 ; comment:3 by Sergey Budnevitch, 7 years ago

Replying to Jeffrey Walton:

The --with-cc-opt and --with-ld-opt configure options can be used to

OK, so the confusion here seems to be --with-ld-opt are not translated into linker options (i.e., LDFLAGS). See, for example, https://www.gnu.org/software/make/manual/make.html#Implicit-Variables.

It seems you are using debian7. For those who are unfamiliar with compiling nginx we provide prebuilt packages. They were compiled with distribution suggested security options, for example, nginx for debian7:

% /usr/sbin/nginx -V
nginx version: nginx/1.5.8
built by gcc 4.7.2 (Debian 4.7.2-5)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,--as-needed' --with-ipv6

in reply to:  3 comment:4 by Jeffrey Walton, 7 years ago

Replying to Sergey Budnevitch:

Replying to Jeffrey Walton:

The --with-cc-opt and --with-ld-opt configure options can be used to

OK, so the confusion here seems to be --with-ld-opt are not translated into linker options (i.e., LDFLAGS). See, for example, https://www.gnu.org/software/make/manual/make.html#Implicit-Variables.

It seems you are using debian7. For those who are unfamiliar with compiling nginx we provide prebuilt packages.

My problem is more related to the custom build system. That's clearly my gap, and it will be closed as I learn more about the way the project does things.

They were compiled with distribution suggested security options, for example, nginx for debian7:

% /usr/sbin/nginx -V
nginx version: nginx/1.5.8
built by gcc 4.7.2 (Debian 4.7.2-5)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,--as-needed' --with-ipv6

I'm not convinced nginx was not compiled with all suggested Debian security options. For example, -fPIE/-pie are missing. As another example, -Wl,-z,now is missing. Debian's hardening page can be found at https://wiki.debian.org/Hardening.

Nginx is a high risk application, and there's nothing anyone can do to change it. Nginx is high risk because it opens listening sockets as root and accepts input from untrusted internet sources. It has nothing to do with the developers or their code quality (which I think is quite good, for what it's worth). Others, such as Apache and Pidgin IM, fall into the same category.

For high risk applications, -fstack-protector-all is warranted. That's because -fstack-protector only guards functions with high risk objects such as C strings, while -fstack-protector-all guards stack frames with all objects.

This has nothing to do with someone not knowing how to compile sources. It's your project and you're free to do what you want with it (I appreciate the help of Max and others). But disregarding some of these options could have security implications for everyone (not just me), especially for buffer overflows and remote code executions.

comment:5 by Jeffrey Walton, 7 years ago

Here are some examples of HowTo's that manage to miss every security feature. They are the top Google hits, and I simply went right down the line looking at the article's steps. It's the reason the nginx project needs to get it right - because others are not (including the Debian maintainers).

"How To Compile Nginx from Source on an CentOS 6.4 x64 VPS", https://www.digitalocean.com/community/articles/how-to-compile-nginx-from-source-on-an-centos-6-4-x64-vps.

"Install nginx from sources on Ubuntu", http://blog.thehippo.de/2012/12/server/install-nginx-from-source-on-ubuntu/.

"Install_nginx_from_src_with_module.sh", https://gist.github.com/zefer/829289.

"How to compile nginx / fcgi / PHP from scratch in CentOS 5 the CORRECT way", http://journal.suteki.nu/2010/04/25/how-to-compile-nginx-fcgi-fastcgi-php-from-scratch-in-centos-5-the-correct-way/.

"Webfaction: Compiling & Installing A Custom Nginx Instance", https://jamie.curle.io/blog/webfaction-installing-custom-nginx/.

"How to compile your own Nginx and Passenger", http://extralogical.net/articles/howto-compile-nginx-passenger.html.
