Mailing List Archive

Better performance and security by setting LDFLAGS? (was: "append-ldflags -Wl,-z,now")
On Thu, 23 Sep 2004, Gael wrote:

> I recently read something about that. It was something about a
> potential security issue with LD_DEBUG
> and suid binaries, but I don't remember what.
> Try putting LDFLAGS="-Wl,-z,now" in your make.conf, it may solve the
> problem.

I've also read that LDFLAGS="-Wl,-O1" in make.conf would decrease
application startup time even more than prelinking.

You can read about it here:
http://forums.gentoo.org/viewtopic.php?t=226909&postdays=0&postorder=asc

Does anybody on this list have any experience about this? Is this
safe/effective?

--
T.G.

--
gentoo-user@gentoo.org mailing list
Re: Better performance and security by setting LDFLAGS? (was: "append-ldflags -Wl,-z,now")
On Saturday 09 October 2004 14:10, Tero Grundström wrote:
> I've also read that LDFLAGS="-Wl,-O1" in make.conf would decrease
> application startup time even more than prelinking.
>
> You can read about it here:
> http://forums.gentoo.org/viewtopic.php?t=226909&postdays=0&postorder=asc
>
> Does anybody on this list have any experience about this? Is this
> safe/effective?

http://bugs.gentoo.org/show_bug.cgi?id=65002

I've re-compiled firefox with, and without it.
Took less than 1 minute longer to emerge with, but starting it is *lightning
fast*. Even on a P4 2.4 (non-HT), with a gig of ram the difference is
extreme.

Have done kdelibs, base, and pim, but not re-started KDE to see the
difference.

--
Mike Williams
Re: Better performance and security by setting LDFLAGS? (was: "append-ldflags -Wl,-z,now")
On Sat, 9 Oct 2004, Mike Williams wrote:

> On Saturday 09 October 2004 14:10, Tero Grundström wrote:
> > I've also read that LDFLAGS="-Wl,-O1" in make.conf would decrease
> > application startup time even more than prelinking.
> >
> > You can read about it here:
> > http://forums.gentoo.org/viewtopic.php?t=226909&postdays=0&postorder=asc
> >
> > Does anybody on this list have any experience about this? Is this
> > safe/effective?
>
> http://bugs.gentoo.org/show_bug.cgi?id=65002
>
> I've re-compiled firefox with, and without it.
> Took less than 1 minute longer to emerge with, but starting it is *lightning
> fast*. Even on a P4 2.4 (non-HT), with a gig of ram the difference is
> extreme.

Hmm... this is very interesting. How about compiling everything with
LDFLAGS="-Wl,-O1,-z,now"? Would this result in a faster and more secure
system?

Afaik, the only negative comment regarding LDFLAGS is from Ciaran (in the
forum topic), but then again, he seems to be against any optimization that
goes beyond CFLAGS="-march=... -O2 (-fomit-frame-pointer)"...

--
T.G.

Re: Better performance and security by setting LDFLAGS? (was: "append-ldflags -Wl,-z,now")
begin quote
On Sat, 9 Oct 2004 19:17:25 +0300 (EEST)

> Hmm... this is very interesting. How about compiling everything with
> LDFLAGS="-Wl,-O1,-z,now"? Would this result in a faster and more
> secure system?


This would result in a slower and not much more secure system.


You do not want to do immediate resolution of symbols for all software,
only where it's actually dangerous not to do so. (suid bits)


man ld for more details

//Spider

--
begin .signature
Tortured users / Laughing in pain
See Microsoft KB Article Q265230 for more information.
end
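
One way to check what the reply above describes (immediate binding mattering for suid binaries), as an added example that is not part of the original thread: the script classifies `readelf -d` output and reports whether each setuid/setgid ELF file under the given directories carries BIND_NOW. The function names and the sample `readelf` output are constructed for illustration.

```sh
#!/bin/sh
# Added example: which setuid/setgid ELF files were linked with -Wl,-z,now?

# Classify `readelf -d` output read from stdin. Prints:
#   now    - BIND_NOW set, all symbols resolved at load time
#   lazy   - dynamic, symbols resolved on first call
#   static - no dynamic section, nothing for ld.so to resolve
bind_mode() {
    awk '
        /\(BIND_NOW\)/              { now = 1 }  # DT_BIND_NOW entry
        /\(FLAGS\)/   && /BIND_NOW/ { now = 1 }  # DF_BIND_NOW in DT_FLAGS
        /\(FLAGS_1\)/ && /NOW/      { now = 1 }  # DF_1_NOW in DT_FLAGS_1
        /^Dynamic section/          { dyn = 1 }
        END { print (now ? "now" : (dyn ? "lazy" : "static")) }
    '
}

# Print one "mode<TAB>path" line per setuid/setgid ELF file found under
# the directories given as arguments (hypothetical helper name).
audit_suid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        readelf -h "$f" >/dev/null 2>&1 || continue   # skip non-ELF files
        printf '%s\t%s\n' "$(readelf -d "$f" 2>/dev/null | bind_mode)" "$f"
    done
}

# Constructed samples of `readelf -d` output (not from a real system).
sample_now() {
    printf '%s\n' 'Dynamic section at offset 0x2d90 contains 3 entries:' \
        ' 0x0000000000000001 (NEEDED)   Shared library: [libc.so.6]' \
        ' 0x000000000000001e (FLAGS)    BIND_NOW' \
        ' 0x000000006ffffffb (FLAGS_1)  Flags: NOW'
}
sample_lazy() {
    printf '%s\n' 'Dynamic section at offset 0x2da0 contains 2 entries:' \
        ' 0x0000000000000001 (NEEDED)   Shared library: [libc.so.6]' \
        ' 0x0000000000000015 (DEBUG)    0x0'
}

# Usage: sh script.sh /bin /usr/bin   (scans only when directories are given)
if [ "$#" -gt 0 ]; then
    audit_suid "$@"
fi
```

Files reported as `lazy` are the candidates for the per-package `-Wl,-z,now` treatment discussed in the thread.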
Re: Better performance and security by setting LDFLAGS? (was: "append-ldflags -Wl,-z,now")
On Sun, 10 Oct 2004, Spider wrote:

> begin quote
> On Sat, 9 Oct 2004 19:17:25 +0300 (EEST)
>
> > Hmm... this is very interesting. How about compiling everything with
> > LDFLAGS="-Wl,-O1,-z,now"? Would this result in a faster and more
> > secure system?
>
>
> This would result in a slower and not much more secure system.
>
>
> You do not want to do immediate resolution of symbols for all software,
> only where it's actually dangerous not to do so. (suid bits)

Ok, Thanks.

I still don't understand:

1. Why are the security related LDFLAGS="-Wl,-z,now" missing for
programs like shadow, sudo etc.?

2. Why isn't Gentoo taking advantage of optimized ldflags by default?
These ldflags could be set by ebuilds of large programs like Mozilla, for
example.

I'd also love to know if it would be appropriate or even secure to
compile everything with LDFLAGS="-Wl,-O1".

--
T.G.

Re: Better performance and security by setting LDFLAGS? (was: "append-ldflags -Wl,-z,now")
On Sunday 10 October 2004 17:57, Tero Grundström wrote:
> I still don't understand:
>
> 1. Why are the security related LDFLAGS="-Wl,-z,now" missing for
> programs like shadow, sudo etc.?
>
> 2. Why isn't Gentoo taking advantage of optimized ldflags by default?
> These ldflags could be set by ebuilds of large programs like Mozilla, for
> example.
>
> I'd also love to know if it would be appropriate or even secure to
> compile everything with LDFLAGS="-Wl,-O1".

You kinda answer both your questions yourself there :)
Will it do any good? Will it break stuff?

I've experienced one weird bit of behaviour since recompiling some stuff with
LDFLAGS="-Wl,-O1". Waiting to see if it re-occurs before reporting.

--
Mike Williams
Re: Better performance and security by setting LDFLAGS? (was: "append-ldflags -Wl,-z,now")
On Sun, 10 Oct 2004, Mike Williams wrote:

> On Sunday 10 October 2004 17:57, Tero Grundström wrote:
> > I still don't understand:
> >
> > 1. Why are the security related LDFLAGS="-Wl,-z,now" missing for
> > programs like shadow, sudo etc.?
> >
> > 2. Why isn't Gentoo taking advantage of optimized ldflags by default?
> > These ldflags could be set by ebuilds of large programs like Mozilla, for
> > example.
> >
> > I'd also love to know if it would be appropriate or even secure to
> > compile everything with LDFLAGS="-Wl,-O1".
>
> You kinda answer both your questions yourself there :)

No, I don't actually. The questions 1 & 2 are for "developer controlled"
usage of ldflags in Gentoo whereas the last question was about just
putting ldflags in make.conf without any developer assistance *and*
compiling everything like that.

Afaik a distro called Ubuntu already has a lot of packages compiled with
optimized ldflags. Is Gentoo being left behind in innovation?

--
T.G.

Re: Better performance and security by setting LDFLAGS? (was: "append-ldflags -Wl,-z,now")
begin quote
On Sun, 10 Oct 2004 19:57:24 +0300 (EEST)

>
> 1. Why are the security related LDFLAGS="-Wl,-z,now" missing for
> programs like shadow, sudo etc.?


It's a fairly new issue for the system to actually check for it, it
reappeared due to a bug-related discussion about glibc and LD_DEBUG
flags. The LDFLAGS change for those packages is a precaution.


>
> 2. Why isn't Gentoo taking advantage of optimized ldflags by default?
> These ldflags could be set by ebuilds of large programs like Mozilla,
> for example.

oh, I've had my system running with it for quite a while. The same
reason we don't do more than -O2 -march=i686 per default. :-)

Right though, it should probably be documented for make.conf
( file a bug ;P)

//Spider


--
begin .signature
Tortured users / Laughing in pain
See Microsoft KB Article Q265230 for more information.
end
Re: Better performance and security by setting LDFLAGS? (was: "append-ldflags -Wl,-z,now")
On Mon, 11 Oct 2004, Spider wrote:

> oh, I've had my system running with it for quite a while.

And no problems? Do you know if there are any security issues with LDFLAGS
when used globally?

> Right though, it should probably be documented for make.conf
> ( file a bug ;P)
There is already one :)

Thanks for your answer.
--
T.G.

Re: Better performance and security by setting LDFLAGS?
Speaking of LDFLAGS, I found this right now on the forums:

LDFLAGS Central:
http://forums.gentoo.org/viewtopic.php?t=67777

It's written by taviso. Thought you would be interested.


bye Thilo


Re: Better performance and security by setting LDFLAGS? (was: "append-ldflags -Wl,-z,now")
begin quote
On Mon, 11 Oct 2004 05:43:51 +0300 (EEST)

>
>
> > oh, I've had my system running with it for quite a while.
>
> And no problems?
none that I can see. Can't really say I've noticed a "whoo-whapp"
increase in speed either though.



> Do you know if there are any security issues with
> LDFLAGS when used globally?

Security issues? None that I know of. The problems with regards to
preloading and debug are common, and it's part of the idea not to run
suid apps against preloaded libraries.


//Spider


--
begin .signature
Tortured users / Laughing in pain
See Microsoft KB Article Q265230 for more information.
end
Re: Better performance and security by setting LDFLAGS? (was: "append-ldflags -Wl,-z,now")
On Mon, 11 Oct 2004, Spider wrote:

> > > oh, I've had my system running with it for quite a while.
> >
> > And no problems?
> none that I can see. Can't really say I've noticed a "whoo-whapp"
> increase in speed either though.

Out of curiosity, what are your ldflags?

How about using
LDFLAGS="-Wl,-O1 -Wl,--enable-new-dtags -Wl,--sort-common -Wl,-s"

or better to stick just with
LDFLAGS="-Wl,-O1" ?

--
T.G.

Re: Better performance and security by setting LDFLAGS? (was: "append-ldflags -Wl,-z,now")
begin quote
On Mon, 11 Oct 2004 17:01:28 +0300 (EEST)

> On Mon, 11 Oct 2004, Spider wrote:
>
> > > > oh, I've had my system running with it for quite a while.
> > >
> > > And no problems?
> > none that I can see. Can't really say I've noticed a "whoo-whapp"
> > increase in speed either though.
>
> Out of curiosity, what are your ldflags?
>
> How about using
> LDFLAGS="-Wl,-O1 -Wl,--enable-new-dtags -Wl,--sort-common -Wl,-s"


-s just does a "strip-all", not sure if that's better than using the
"strip" command as portage does unless you set FEATURES="nostrip".
Except that it adds a second level of problems and will break
USE="debug" and make all your stacktraces useless ;)

--enable-new-dtags
should be safe, if you don't care about portability. Most Gentoo
users don't.
I think sort-common is on per default, look in the binutils source for
that. (fex. combreloc is another huge optimization, but that ought to
be on by default ...)



> or better to stick just with
> LDFLAGS="-Wl,-O1" ?
^<- what I use

//Spider

--
begin .signature
Tortured users / Laughing in pain
See Microsoft KB Article Q265230 for more information.
end