pageexec@freemail.hu wrote:
> On 21 Dec 2009 at 9:38, basile wrote:
>
>   
>> Tobias Klein from trapkit.de was kind enough to allow us to bundle his
>> checksec.sh script which tests system binaries or running processes for
>> relro, ssp, nx, pie and aslr.  Every binary shows these hardening
>> features enabled except X and evolution which have only partial relro. 
>> A comparison of a running Tin Hat system and a running Ubuntu system can
>> be see at
>>
>>     http://opensource.dyc.edu/sites/default/files/karmic-checksec.txt
>>     http://opensource.dyc.edu/sites/default/files/tinhat-checksec.txt
>>     
>
> what are the causes for the partial RELRO results?
>   
Because of some circular dependencies in its libraries, evolution has to
be linked with -z,lazy.  If you use -z,now, the resulting binaries don't
work.  Its a known problem which upstream promises will be fixed in
evolution-3.x

I don't know the story why X fails with -z,now, but Magnus (aka Zorry)
told me of a patch on one of the overlays which fixes this.  I will test.

-- 

Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
USA

(716) 829-8197