From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.3 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,T_SCC_BODY_TEXT_LINE
	autolearn=ham autolearn_force=no version=3.4.4
Received: (qmail 27353 invoked from network); 6 Jun 2023 16:37:24 -0000
Received: from zero.zsh.org (2a02:898:31:0:48:4558:7a:7368)
  by inbox.vuxu.org with ESMTPUTF8; 6 Jun 2023 16:37:24 -0000
ARC-Seal: i=1; cv=none; a=rsa-sha256; d=zsh.org; s=rsa-20210803; t=1686069445;
	 b=ah42muZQe2V1nIGMiLDbyn3KqVKOReB3RVYMF5T7GbpLxzjKjqwG621vXBct6YAG4obeHjMXNm
	  3qLa3+hzDyo1zGKVbRDdJhl7PlS95kqXr2eaZraFeE/XB9IEZF3nl7uqL7UPbZGWEowgDWInxH
	  TYC2SYQ/nTiKCCmw/GiFSggojDTbou2p1d9sVF0FiF5lsAk9MA3xHj+rurE8SZOZ7uIU0+cy5Z
	  gPekqnnh4jUXG7VtKXm0tU215j75bNV85Gh3eNbU3As/NWhV9Il0jnn1+u/DOPucSs7VGCMwTn
	  tm5HsrjBn6EoNnYyOhV78EkKQgRHzhTA31Jfl13JX7BKvQ==;
ARC-Authentication-Results: i=1; zsh.org;
	iprev=pass (granite.fifsource.com) smtp.remote-ip=173.255.216.206;
	dmarc=none header.from=fifi.org;
	arc=none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed; d=zsh.org; s=rsa-20210803; t=1686069445;
	bh=3fyfDfh8QXI3UEdISx67SfG3koXJQqQ/9g28NHu0BZQ=;
	h=List-Archive:List-Owner:List-Post:List-Unsubscribe:List-Subscribe:List-Help:
	  List-Id:Sender:MIME-Version:Content-Transfer-Encoding:Content-Type:
	  References:In-Reply-To:Date:To:From:Subject:Message-ID:DKIM-Signature;
	b=aN3HJC++fq+t+AJw9O/Bof1OaXFU1+BP4YucMXe6eEbj9CBOLxPSP+/IpZAVZSpfDSwS3lakPY
	  FAz1wCHueQ04V+rxpOIDdNlqRbY0+MB1J8Bv23Qmm2EYn/P5T6EcbO+nJfkvxl7+KO9ceTme78
	  3/6XqpqV368IkHOjrqPyLhE8l7QLAoCvnwg2ROtawJJsZDHHL384l07d9OyYqCJYHWo6iRkBq8
	  P0cZZjilXv3pXmR5p4OKgzAdS9J8Pvly2gId5u0yotssEsDntNhQitWRDE4Fa4Nlu56Uj1L1Sq
	  q00Zn/gq/DxS+JZ8HqCHTzZZaBd0PyklScnYOiYzrxJ15A==;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=zsh.org;
	s=rsa-20210803; h=List-Archive:List-Owner:List-Post:List-Unsubscribe:
	List-Subscribe:List-Help:List-Id:Sender:MIME-Version:
	Content-Transfer-Encoding:Content-Type:References:In-Reply-To:Date:To:From:
	Subject:Message-ID:Reply-To:Cc:Content-ID:Content-Description:Resent-Date:
	Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID;
	bh=7ZfqUW+slNh1eIDUk9nK8nhbms5tPkNlz9CfsCd4/vw=; b=kmDjHr5knsTLkKzcZsSmsytUCb
	NywjuKDOyrjjcOmszyuQvKi+LkucEMoBIeRvLLSmGu53Ba4MbrGw8JChelD9EswSdGK02XeJDRz6H
	qSdVKwkBpuoJ0RhVQQR+1BnB5tAOy8xrDNCT+nFlr3BxKA4TxrM3royjspz12iII7Rc2jhxkgpQF0
	FMtElWei9+ilKXTTrLPAop8N+AapODpeuJHgS86H7Z9V8LGQfRYFynfVNSp9dMfntEjUqzif6qa7z
	LsMusWpgDhgjiHJ/wITjN+mhFrMpvlQX6SRo5/LzRnmTx78oUCDgpo9pacMcPVYF8D3BYcjnn6p99
	k2Ut8iJw==;
Received: by zero.zsh.org with local
	id 1q6ZgS-000LHG-1m;
	Tue, 06 Jun 2023 16:37:24 +0000
Authentication-Results: zsh.org;
	iprev=pass (granite.fifsource.com) smtp.remote-ip=173.255.216.206;
	dmarc=none header.from=fifi.org;
	arc=none
Received: from granite.fifsource.com ([173.255.216.206]:54902)
	by zero.zsh.org with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
	id 1q6Zg7-000Kxo-JG;
	Tue, 06 Jun 2023 16:37:06 +0000
Received: from ceramic.fifi.org (107-142-44-66.lightspeed.sntcca.sbcglobal.net [107.142.44.66])
	(using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits))
	(Client did not present a certificate)
	by granite.fifsource.com (Postfix) with ESMTPSA id 056284064
	for <zsh-workers@zsh.org>; Tue,  6 Jun 2023 09:37:02 -0700 (PDT)
Message-ID: <9d6e40041e3786987f54adf1080d201085b08625.camel@fifi.org>
Subject: Re: [Bug] modules zsh/tcp, zsh/zftp unloadable, probably affecting
 most modern Linuxes
From: Philippe Troin <phil@fifi.org>
To: zsh-workers@zsh.org
Date: Tue, 06 Jun 2023 09:37:01 -0700
In-Reply-To: <890683328.5067391.1686063668614@mail.virginmedia.com>
References: <afe7b7c7-0e47-26be-0d6d-7f7ca5891108@hostalia.de>
	 <a9055641-4eb8-5d8f-229a-b38dbc63f706@hostalia.de>
	 <027f2a491b638e2ffaf7766fe4adf29537c11fdf.camel@fifi.org>
	 <227fe72b-7441-935c-55a7-421945da54b3@hostalia.de>
	 <CAH+w=7b3L+ZQ5P6xnxsJ-gG_Mx74jpn-UkTZt8P3ZYj1xc1bZg@mail.gmail.com>
	 <FF8D1182-CFF2-4831-BFF0-5232258508CC@kba.biglobe.ne.jp>
	 <1604572963.1688389.1686042332603@mail.virginmedia.com>
	 <9B5553E5-9CBD-4E6A-88E4-2ABFA1305552@kba.biglobe.ne.jp>
	 <890683328.5067391.1686063668614@mail.virginmedia.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.44.4 (3.44.4-3.fc36) 
MIME-Version: 1.0
X-Seq: 51840
Archived-At: <https://zsh.org/workers/51840>
X-Loop: zsh-workers@zsh.org
Errors-To: zsh-workers-owner@zsh.org
Precedence: list
Precedence: bulk
Sender: zsh-workers-request@zsh.org
X-no-archive: yes
List-Id: <zsh-workers.zsh.org>
List-Help: <http://www.zsh.org/sympa/help>, <mailto:sympa@zsh.org?subject=HELP>
List-Subscribe: <http://www.zsh.org/sympa/subscribe/zsh-workers>, <mailto:sympa@zsh.org?subject=SUB%20zsh-workers>
List-Unsubscribe: <http://www.zsh.org/sympa/signoff/zsh-workers>, <mailto:sympa@zsh.org?subject=SIG%20zsh-workers>
List-Post: <mailto:zsh-workers@zsh.org>
List-Owner: <mailto:zsh-workers-request@zsh.org>
List-Archive: <http://www.zsh.org/sympa/arc/zsh-workers>

On Tue, 2023-06-06 at 16:01 +0100, Peter Stephenson wrote:
> > On 06/06/2023 15:38 Jun. T <takimoto-j@kba.biglobe.ne.jp> wrote:
> >=20
> > =C2=A0
> > > 2023/06/06 18:05, Peter Stephenson <p.w.stephenson@ntlworld.com>
> > > wrote:
> > >=20
> > > > On 06/06/2023 07:42 Jun T <takimoto-j@kba.biglobe.ne.jp> wrote:
> > > >=20
> > > > Why '-z now' is used when building binary packages? For
> > > > security?
> > >=20
> > > I think this is just so that failure to find symbols at all will
> > > show up quickly in the build rather than at run time, which would
> > > be a real pain.
> >=20
> > I think '-z now' is to mark (add the flag) zftp.so so that the
> > dynamic linker resolves all the symbols when _loading_ it;
> > the symbols are not resolved when _building_ zftp.so.
>=20
> Yes, it does say it gets applied at the point of dlopen(), so it's
> explicitly counteracting RTLD_LAZY.
>=20
> Is this specific to the Fedora configuration in their own source
> package?  I don't see an obvious sign the standard zsh build itself
> is making this choice.  configure has some system-specific tweaks
> for dynamic loading, but not this.

"-z now" is automatically added to all builds by the hardening
configuration on RedHat/Fedora and possibly derived distributions:

   % ag -- -Wl.*now /usr/lib/rpm/
   /usr/lib/rpm/macros.d/macros.rust
   46:  -Clink-arg=3D-Wl,-z,now
  =20
   /usr/lib/rpm/redhat/macros
   302:%_hardening_ldflags	 -Wl,-z,now %[ "%{toolchain}" =3D=3D "gcc" ? "-s=
pecs=3D/usr/lib/rpm/redhat/redhat-hardened-ld" : "" ]

Phil.