fix for bug #5210: enable GCC and LD hardening by default

2 files changed, 10 insertions, 4 deletions

diff --git a/changes/bug5210 b/changes/bug5210
new file mode 100644
index 0000000000..b07e7f1f23
--- /dev/null
+++ b/changes/bug5210
@@ -0,0 +1,2 @@
+  o Security fixes:
+    - Enable gcc and ld hardening by default. Fixes bug 5210.
diff --git a/configure.in b/configure.in
index 7415ce8312..4a3ed0e6c3 100644
--- a/configure.in
+++ b/configure.in
@@ -122,19 +122,23 @@ dnl -D_FORTIFY_SOURCE=2 -fstack-protector-all
 dnl Others suggest '/gs /safeseh /nxcompat /dynamicbase' for non-gcc on Windows
 dnl This requires that we use gcc and that we add -O2 to the CFLAGS.
 AC_ARG_ENABLE(gcc-hardening,
-     AS_HELP_STRING(--enable-gcc-hardening, enable compiler security checks),
+    AS_HELP_STRING(--disable-gcc-hardening, disable compiler security checks),
+    [],
+    [enableval=yes;])
 [if test x$enableval = xyes; then
     CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2 -fstack-protector-all"
     CFLAGS="$CFLAGS -fwrapv -fPIE -Wstack-protector"
     CFLAGS="$CFLAGS --param ssp-buffer-size=1"
     LDFLAGS="$LDFLAGS -pie"
-fi])
+fi]
 
 dnl Linker hardening options
 dnl Currently these options are ELF specific - you can't use this with MacOSX
 AC_ARG_ENABLE(linker-hardening,
-        AS_HELP_STRING(--enable-linker-hardening, enable linker security fixups),
-[if test x$enableval = xyes; then
+    AS_HELP_STRING(--disable-linker-hardening, disable linker security fixups),
+    [],
+    [enableval=yes;])
+AC_CHECK_HEADER([elf.h], [if test x$enableval = xyes; then
     LDFLAGS="$LDFLAGS -z relro -z now"
 fi])