id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
481	Executable missing platform security integrations	Jeffrey Walton		"Modern Linux and Unix platforms provide a number of platform security measures to remediate unanticipated threats. It appears nginx is not using any of them.

{{{
$ checksec.sh --file ./objs/nginx
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
No RELRO        No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   ./objs/nginx
}}}

RELRO can be achieved with linker options -z,relro and -z,now. Unfortunately, the configure system fails when trying to pass them through --with-ld-opt.

Stack canaries can be achieved with -fstack-protector or -fstack-protector-all. -fstack-protector-all is probably most appropriate since nginx is a high risk application. It's high risk because it accepts input from the internet.

PIE consists of compiler option -fPIE and linker option -pie. Unfortunately, the configure system fails when trying to pass them through --with-ld-opt.

No RPATH and No RUNPATH are OK as is. Some folks may have to use RPATH to avoid using some system supplied libraries.

NX enabled are no-exec stacks and heaps. I'm not sure where they are coming from on this Debian machine because it's not in gcc's spec file or in nginx's Makefile. It might be a good idea to test for the features during configuration and explicitly set the options if available. The options of interest are -z,noexecstack and -z,noexecheap. -z,noexecheap is available on PaX enabled kernels like Gentoo.

Checksec is a quick-and-dirty audit script by Tobias Klein and can be downloaded from http://www.trapkit.de/tools./checksec.html."	enhancement	closed	major		nginx-core	1.5.x	worksforme	compiler linker hardening		Linux debian-q500 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux	"$ ./objs/nginx -V
nginx version: nginx/1.5.9
TLS SNI support enabled
configure arguments: --with-debug --with-http_ssl_module --without-http_split_clients_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-cc-opt=-I/usr/local/ssl/include -ldl'
"
