diff options
| author | fanquake <fanquake@gmail.com> | 2023-05-20 11:29:05 +0100 |
|---|---|---|
| committer | fanquake <fanquake@gmail.com> | 2023-05-20 11:29:12 +0100 |
| commit | 17acb2782a66f033238340e4fb81009e7f79e97a (patch) | |
| tree | aa7d715ba49b97b64c4d284d48c84a5e136a9b9b /doc | |
| parent | 0f8c95dccd120ad5fd371f81025137b855796f13 (diff) | |
| parent | 4bfcbbfd4a9749f7954e37a7447b5f047465bdf8 (diff) | |
| download | bitcoin-17acb2782a66f033238340e4fb81009e7f79e97a.tar.xz | |
Merge bitcoin/bitcoin#27688: doc: remove Security section from build-unix.md
4bfcbbfd4a9749f7954e37a7447b5f047465bdf8 doc: remove Security section from build-unix.md (fanquake)
Pull request description:
Our compile documentation isn't the right place for generic binary hardening notes, which are neither particularly Bitcoin-Core specific, or as relevant as they might have once been, i.e non-executable stacks are now just the norm.
Just remove the notes for now, if someone has something more interesting/Bitcoin Core specific, it could be added in separate documentation in the future (maybe into the devwiki or similar).
Split from https://github.com/bitcoin/bitcoin/pull/27685#discussion_r1196517868.
ACKs for top commit:
jarolrod:
ACK 4bfcbbfd4a9749f7954e37a7447b5f047465bdf8
Tree-SHA512: 01b523ba40353d6cafb5dbd6540b514d83a2dc4e462a068fb390ca7de45b78e4a329367f70527f1824006ebe43f8caeea4ad05ec60556d5a5bd0143e27bf6581
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/build-unix.md | 46 |
1 files changed, 0 insertions, 46 deletions
diff --git a/doc/build-unix.md b/doc/build-unix.md index 0c761d9043..3633d4f811 100644 --- a/doc/build-unix.md +++ b/doc/build-unix.md @@ -184,52 +184,6 @@ export BDB_PREFIX="/path/to/bitcoin/depends/x86_64-pc-linux-gnu" **Note**: You only need Berkeley DB if the legacy wallet is enabled (see [*Disable-wallet mode*](#disable-wallet-mode)). -Security --------- -To help make your Bitcoin Core installation more secure by making certain attacks impossible to -exploit even if a vulnerability is found, binaries are hardened by default. -This can be disabled with: - -Hardening Flags: - - ./configure --enable-hardening - ./configure --disable-hardening - - -Hardening enables the following features: -* _Position Independent Executable_: Build position independent code to take advantage of Address Space Layout Randomization - offered by some kernels. Attackers who can cause execution of code at an arbitrary memory - location are thwarted if they don't know where anything useful is located. - The stack and heap are randomly located by default, but this allows the code section to be - randomly located as well. - - On an AMD64 processor where a library was not compiled with -fPIC, this will cause an error - such as: "relocation R_X86_64_32 against `......' can not be used when making a shared object;" - - To test that you have built PIE executable, install scanelf, part of paxutils, and use: - - scanelf -e ./bitcoin - - The output should contain: - - TYPE - ET_DYN - -* _Non-executable Stack_: If the stack is executable then trivial stack-based buffer overflow exploits are possible if - vulnerable buffers are found. By default, Bitcoin Core should be built with a non-executable stack, - but if one of the libraries it uses asks for an executable stack or someone makes a mistake - and uses a compiler extension which requires an executable stack, it will silently build an - executable without the non-executable stack protection. - - To verify that the stack is non-executable after compiling use: - `scanelf -e ./bitcoin` - - The output should contain: - STK/REL/PTL - RW- R-- RW- - - The STK RW- means that the stack is readable and writeable but not executable. - Disable-wallet mode -------------------- When the intention is to only run a P2P node, without a wallet, Bitcoin Core can |