Zsh Mailing List Archive
Re: [Bug] modules zsh/tcp, zsh/zftp unloadable, probably affecting most modern Linuxes
On Tue, 2023-06-06 at 16:01 +0100, Peter Stephenson wrote:
> > On 06/06/2023 15:38 Jun. T <takimoto-j@xxxxxxxxxxxxxxxxx> wrote:
> >
> >
> > > 2023/06/06 18:05, Peter Stephenson <p.w.stephenson@xxxxxxxxxxxx>
> > > wrote:
> > >
> > > > On 06/06/2023 07:42 Jun T <takimoto-j@xxxxxxxxxxxxxxxxx> wrote:
> > > >
> > > > Why is '-z now' used when building binary packages? For
> > > > security?
> > >
> > > I think this is just so that failure to find symbols at all will
> > > show up quickly in the build rather than at run time, which would
> > > be a real pain.
> >
> > I think '-z now' is to mark (add the flag) zftp.so so that the
> > dynamic linker resolves all the symbols when _loading_ it;
> > the symbols are not resolved when _building_ zftp.so.
>
> Yes, it does say it gets applied at the point of dlopen(), so it's
> explicitly counteracting RTLD_LAZY.
>
> Is this specific to the Fedora configuration in their own source
> package? I don't see an obvious sign the standard zsh build itself
> is making this choice. configure has some system-specific tweaks
> for dynamic loading, but not this.

"-z now" is automatically added to all builds by the hardening
configuration on RedHat/Fedora and possibly derived distributions:

% ag -- -Wl.*now /usr/lib/rpm/
/usr/lib/rpm/macros.d/macros.rust
46: -Clink-arg=-Wl,-z,now

/usr/lib/rpm/redhat/macros
302:%_hardening_ldflags -Wl,-z,now %[ "%{toolchain}" == "gcc" ? "-specs=/usr/lib/rpm/redhat/redhat-hardened-ld" : "" ]

Phil.