executable stack flag

Hi,
We noticed [1] in Fedora that ghc (7.4 and 7.6) are linking executables (again [2]) with the executable stack flag set. I haven't started looking at the ghc code yet but wanted to ask first if it is intentional/necessary? (ghc-7.0 doesn't seem to do this.) Having the flag set is considered a bit of a security risk so it would be better if all generated executables did not have it set.
I did some very basic testing of various executables, clearing their flags [3] and they all seemed to run ok without the executable stack flag set but I can't claim to have tested very exhaustively. (I thought perhaps it might be related to TemplateHaskell for example but even those executables seem to work, though I am sure I have not exercised all the code paths.)
Does someone know the current status of this? Will anything break if the flag is not set? Is it easy to patch ghc to not set the flag? Does it only affect the NCG backend?
Thanks, Jens
[1] https://bugzilla.redhat.com/show_bug.cgi?id=973512 [2] http://ghc.haskell.org/trac/ghc/ticket/703 [3] using "execstack -c"

I took a look at the logs and none mentioned 'Hey, so it turns out we need executable stack for this', and as recently as Sep 17, 2011 there are patches for turning off executable stack (courtesy Gentoo). So probably it is just a regression, someone added some code which didn't turn off executable stacks...
Edward
Excerpts from Jens Petersen's message of Mon Jul 08 21:36:42 -0700 2013:
Hi,
We noticed [1] in Fedora that ghc (7.4 and 7.6) are linking executables (again [2]) with the executable stack flag set. I haven't started looking at the ghc code yet but wanted to ask first if it is intentional/necessary? (ghc-7.0 doesn't seem to do this.) Having the flag set is considered a bit of a security risk so it would be better if all generated executables did not have it set.
I did some very basic testing of various executables, clearing their flags [3] and they all seemed to run ok without the executable stack flag set but I can't claim to have tested very exhaustively. (I thought perhaps it might be related to TemplateHaskell for example but even those executables seem to work, though I am sure I have not exercised all the code paths.)
Does someone know the current status of this? Will anything break if the flag is not set? Is it easy to patch ghc to not set the flag? Does it only affect the NCG backend?
Thanks, Jens
[1] https://bugzilla.redhat.com/show_bug.cgi?id=973512 [2] http://ghc.haskell.org/trac/ghc/ticket/703 [3] using "execstack -c"

I've gone ahead and fixed it, and referenced the patches in the ticket.
Cheers,
Edward
participants (2)
- Edward Z. Yang
- Jens Petersen