Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP


mosh hardening flags conflict with Ubuntu Precise hardening flags #203

keithw opened this Issue · 3 comments

2 participants


mosh (current git master) didn't build on the Ubuntu precise PPA builder, because Ubuntu's hardening flags work poorly with our hardening flags. It built fine on the other Ubuntu releases.

g++ -DHAVE_CONFIG_H -I. -I../..  -I./../util  -D_FORTIFY_SOURCE=2 -Wall -Werror -Wextra -pedantic -Wno-long-long -Weffc++ -fno-strict-overflow -D_FORTIFY_SOURCE=2 -fstack-protector-all -Wstack-protector --param ssp-buffer-size=1 -fPIE -fno-default-inline -pipe -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -c -o terminaldispatcher.o In member function 'void Terminal::Dispatcher::dispatch(Terminal::Function_Type, const Parser::Action*, Terminal::Framebuffer*)': error: stack protector not protecting function: all local arrays are less than 4 bytes long [-Werror=stack-protector]
cc1plus: all warnings being treated as errors
make[4]: *** [terminaldispatcher.o] Error 1


In particular, we set

-Werror -fstack-protector-all -Wstack-protector --param ssp-buffer-size=1

and then Ubuntu sets

-fstack-protector --param=ssp-buffer-size=4

overriding our value for "minimum size of buffer to protect". So any function with less than 4 bytes of buffer triggers -Wstack-protector, which errors out due to -Werror.

Is there some way to tell the Ubuntu build process that we'll do hardening ourselves? I'd rather disable Ubuntu's flags than ours, since our protections are a superset of theirs. In particular we build PIEs, which Ubuntu does for openssh (it was the first package added!) but not in general.

(By the way, I'm very glad that Ubuntu sets these flags for the vast majority of packages that do no hardening by default.)


I'm afraid the pull request doesn't seem to have suppressed the Ubuntu `-fstack-protector --param=ssp-buffer-size=4 flag:


Seems to be fixed as of 87f6396. We have successful build logs for Precise i386 and amd64.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.