Univention Bugzilla – Bug 57057
Python 3.x executables are built without PIE
Last modified: 2024-02-15 13:05:12 CET
BSI IT-Grundschutz, chapter SYS.1.3.A4, roughly translates to the following requirement:

> The operating system needs to have ASLR, DEP, NX activated, and applications need to make use of it.

This is a part of protection level "B", basic, and applies to all IT-Grundschutz checks.

This requires the operator to have an appropriate kernel installed (which should be the default nowadays; and in the case of nubus it is not our responsibility anyway).

On Linux this also requires executables to be compiled with the `-fPIE` flag, yielding position-independent executables. It is my understanding that those are needed to benefit from Address Space Layout Randomization, but are a more performant way of obtaining hardened executables than building everything with `-fPIC`.

It can be checked on Debian, UCS 5.0 and UCS 5.2 that PIE is not active:

```console
# file /usr/bin/python3.11
/usr/bin/python3.11: ELF 64-bit LSB executable, ...
```

In comparison, the result on Arch/Fedora/Ubuntu:

```console
❯ file /usr/bin/python3.11
/usr/bin/python3.11: ELF 64-bit LSB pie executable, ...
```

Another way to verify is on Debian:

```console
# apt install devscripts; hardening-check /usr/bin/python3.11
 Position Independent Executable: no, normal executable!
```

It appears that Debian builds some executables (e.g. apt) with PIE, but not Python, OpenLDAP, PostgreSQL, nginx.

Scope: From the context of nubus, which is supposed to be BSI IT-Grundschutz compliant:

- We run Python almost everywhere, covering this is very important.
- We ship our own LDAP server, therefore covering this is important, too.
- We currently ship nginx, because we need to ensure certain configuration in the server which cannot be expressed in a product-agnostic way in K8s (yet). Nginx is installed from Debian sources so this would also have to be covered.
- We require the operator to provide a production-grade PostgreSQL, thus we can live with the status quo.
References:

- PIE: https://en.wikipedia.org/wiki/Position-independent_code#PIE
- Upstream discussion: https://wiki.debian.org/Hardening/PIEByDefaultTransition
- Earlier Ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1452115
- Debian bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919134
(In reply to Thomas Kintscher from comment #0)
> It can be checked on Debian, UCS 5.0 and UCS 5.2 that PIE is not active:

PIE should be enabled by default with Debian 12 Bookworm AKA UCS 5.2: https://wiki.debian.org/Hardening

UCS 5.0 is based on Debian 10 Buster, which is too old and will not change.

Python
======

```console
# hardening-check /usr/bin/python3.7   # 5.0
 Position Independent Executable: no, normal executable!
# hardening-check /usr/bin/python3.11  # 5.2
 Position Independent Executable: no, normal executable!
```

PIE (for Python) should be enabled since Python 3.10: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919134, but got disabled again; see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919134

OpenLDAP
========

```console
# hardening-check /usr/sbin/slapd  # 5.0 | 5.2
 Position Independent Executable: yes
```

PostgreSQL
==========

```console
# hardening-check /usr/lib/postgresql/11/bin/postmaster  # 5.0
 Position Independent Executable: yes
# hardening-check /usr/lib/postgresql/15/bin/postmaster  # 5.2
 Position Independent Executable: yes
```

nginx
=====

```console
# hardening-check /usr/sbin/nginx  # 5.0 | 5.2
 Position Independent Executable: yes
```
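As an added example (not part of the bug report and not the `hardening-check` or `file(1)` implementation), the same PIE check can be done by reading the ELF header directly, which is handy on hosts without devscripts: `ET_EXEC` means a fixed load address, while a PIE is `ET_DYN` with a `PT_INTERP` program header. The script name `pie_check.py` is hypothetical, and the fake ELF images it constructs exist only to exercise the classifier offline.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3   # e_type values from the ELF specification
PT_INTERP = 3            # program header type carrying the dynamic loader path

def classify_elf(data: bytes) -> str:
    """Classify an ELF image as 'exec', 'pie', 'shared-object', 'other' or 'not-elf'.
    PIE binaries are ET_DYN just like shared libraries; a PT_INTERP program header
    is used here as the heuristic that tells them apart (file(1) additionally
    consults DT_FLAGS_1, which this small checker skips)."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        return "not-elf"
    endian = "<" if data[5] == 1 else ">"            # EI_DATA: 1 = LSB, 2 = MSB
    if data[4] == 2:                                   # EI_CLASS: ELF64 header layout
        (e_type,) = struct.unpack_from(endian + "H", data, 16)
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    elif data[4] == 1:                                 # ELF32 header layout
        (e_type,) = struct.unpack_from(endian + "H", data, 16)
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
    else:
        return "not-elf"
    if e_type == ET_EXEC:
        return "exec"                                  # fixed load address, ASLR cannot move it
    if e_type != ET_DYN:
        return "other"                                 # relocatable object, core dump, ...
    for i in range(e_phnum):                           # p_type is the first 4 bytes of each phdr
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break
        if struct.unpack_from(endian + "I", data, off)[0] == PT_INTERP:
            return "pie"
    return "shared-object"

def build_fake_elf64(e_type: int, phdr_types) -> bytes:
    """Construct a minimal, non-runnable little-endian ELF64 image (header plus
    program headers) so the classifier can be exercised without real binaries."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELF64, LSB, version 1, padding
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                              64, 56, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 0) for t in phdr_types)
    return hdr + phdrs

if __name__ == "__main__":                             # python3 pie_check.py /usr/bin/python3.11
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify_elf(fh.read()))
```

On the Debian/UCS python3.11 described in this report the script reports `exec`, and `pie` on a distribution that builds Python with `-fPIE`.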
(In reply to Philipp Hahn from comment #1)
> Python
> ======
…
> PIE (for Python) should be enabled since Python 3.10:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919134, but got disabled
> again; see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919134

Wrong (duplicated) link, correct one is https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031743