Re: [autoconf] Problems Configuring (C Compiler cannot produce executables)

[Russ Allbery]

Jeffrey Walton <address@hidden> writes:

> $ ./configure CFLAGS="-Wall -Wextra -Wconversion -fPIE
> -Wno-unused-parameter -Wformat=2 -Wformat-security
> -fstack-protector-all -Wstrict-overflow -Wl,-pie -Wl,-z,noexecstack
> -Wl,-z,relro -Wl,-z,now"

The thing that jumps out at me as different between what Debian uses for
its normal hardening flags and what you're using is the -Wl,-pie flag in
CFLAGS.  Debian just uses -fPIE in CFLAGS and then adds -fPIE -pie to
LDFLAGS.  I'm not sure if that would make a difference.

You in general want to avoid ever using -Wl if you can help it, since
you're hiding the flag from the compiler by using that.  If the compiler
needed to know that you were linking that way so that it could do other
magic itself, you break that support by using -Wl.

Here's what Debian is using:

CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat 
-Werror=format-security
CPPFLAGS=-D_FORTIFY_SOURCE=2
CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat 
-Werror=format-security
FFLAGS=-g -O2
LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now

Also, you should generally not add -Wall -Wextra to the configure flags,
and instead add it after configure completes, since many of the tricks
configure has to use will result in warnings when you turn on all the
compiler warnings, which can confuse configure.

-- 
Russ Allbery (address@hidden)             <http://www.eyrie.org/~eagle/>