Closed
Description
I noticed that for the Debian python image (but this might apply to Alpine as well) that certain (almost all) hardening options are missing.
In Debian build flags for packages are determined by the dpkg-buildflags commands, and their Python package also uses these flags.
$ dpkg-buildflags
CFLAGS=-g -O2 -ffile-prefix-map=/app=. -fstack-protector-strong -Wformat -Werror=format-security
CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
CXXFLAGS=-g -O2 -ffile-prefix-map=/app=. -fstack-protector-strong -Wformat -Werror=format-security
DFLAGS=-frelease
FCFLAGS=-g -O2 -ffile-prefix-map=/app=. -fstack-protector-strong
FFLAGS=-g -O2 -ffile-prefix-map=/app=. -fstack-protector-strong
GCJFLAGS=-g -O2 -ffile-prefix-map=/app=. -fstack-protector-strong
LDFLAGS=-Wl,-z,relro
OBJCFLAGS=-g -O2 -ffile-prefix-map=/app=. -fstack-protector-strong -Wformat -Werror=format-security
OBJCXXFLAGS=-g -O2 -ffile-prefix-map=/app=. -fstack-protector-strong -Wformat -Werror=format-security
Of which I believe -D_FORTIFY_SOURCE=2, -fstack-protector-strong, -Wl,-z,relro and -Wformat -Werror=format-security are hardening options.
You can find more information here
https://wiki.debian.org/Hardening
I verified they are missing python in the docker image in two ways:
By looking at the CFLAGS which are stored in the python executable.
$ docker run --rm -it --entrypoint bash python:3.11-bullseye
root@c02b9c94c3bc:/# /usr/local/bin/python3 -m sysconfig|grep stack-protector
root@c02b9c94c3bc:/#
And by running the hardening-check script.
$ apt-get install devscripts
$ hardening-check /usr/local/bin/python3
/usr/local/bin/python3:
Position Independent Executable: yes
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: no, not found!
Stack clash protection: unknown, no -fstack-clash-protection instructions found
Control flow integrity: no, not found!
Metadata
Metadata
Assignees
Labels
No labels