nixpkgs mirror (for testing) github.com/NixOS/nixpkgs
nix

checksec: use binutils instead of elfutils

The readelf binary, which performs most of the checks, should come from the binutils package instead of elfutils.

E.g. for checksec's PIE check, the two readelf implementations give different results:
(elfutils)
$ /nix/store/rgrji20513g19ci0sa6jydm86gpf4j42-elfutils-0.158/bin/readelf -d /nix/store/q1sbn93v4k3166s091s9biygv9srv8qa-nginx-1.6.2/bin/nginx
2>/dev/null |grep -q '(DEBUG)' ; echo $?
1

(binutils)
$ /nix/store/b8qhjrwf8sf9ggkjxqqav7f1m6w83bh0-binutils-2.23.1/bin/readelf -d /nix/store/q1sbn93v4k3166s091s9biygv9srv8qa-nginx-1.6.2/bin/nginx
2>/dev/null | grep -q '(DEBUG)' ; echo $?
0

+6 -4
+6 -4
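--- a/pkgs/os-specific/linux/checksec/default.nix
+++ b/pkgs/os-specific/linux/checksec/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, file, findutils, elfutils, glibc }:
+{ stdenv, fetchurl, file, findutils, binutils, glibc, procps, coreutils }:
 
 stdenv.mkDerivation rec {
 name = "checksec-${version}";
@@ -25,9 +25,11 @@
 substituteInPlace $out/bin/checksec --replace find ${findutils}/bin/find
 substituteInPlace $out/bin/checksec --replace "file $" "${file}/bin/file $"
 substituteInPlace $out/bin/checksec --replace "xargs file" "xargs ${file}/bin/file"
-substituteInPlace $out/bin/checksec --replace " readelf -" " ${elfutils}/bin/readelf -"
-substituteInPlace $out/bin/checksec --replace "(readelf -" "(${elfutils}/bin/readelf -"
-substituteInPlace $out/bin/checksec --replace "command_exists readelf" "command_exists ${elfutils}/bin/readelf"
+substituteInPlace $out/bin/checksec --replace " readelf -" " ${binutils}/bin/readelf -"
+substituteInPlace $out/bin/checksec --replace "(readelf -" "(${binutils}/bin/readelf -"
+substituteInPlace $out/bin/checksec --replace "command_exists readelf" "command_exists ${binutils}/bin/readelf"
+substituteInPlace $out/bin/checksec --replace "/sbin/sysctl -" "${procps}/sbin/sysctl -"
+substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -"
 '';
 
 phases = "unpackPhase patchPhase installPhase";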
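Review bot: The new `substituteInPlace` calls for `readelf`, `/sbin/sysctl -` and `/usr/bin/id -` depend on exact strings in the upstream script, and nothing in this section checks that any of them matched. Depending on the stdenv version, a pattern that does not match may be skipped without failing the build (worth confirming). That would leave `readelf` resolved through PATH, where an elfutils readelf yields the different PIE result shown in the commit message, so the tool would silently under-report hardening. Consider a check after the substitutions such as `grep -q "${binutils}/bin/readelf -" $out/bin/checksec`, plus a one-line comment saying that checksec parses binutils-style `readelf -d` output. The enclosing build-phase string starts outside the hunk.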