Compiling browser

Mike Hommey mh at glandium.org
Fri Mar 25 15:44:08 UTC 2011


On Fri, Mar 25, 2011 at 04:08:28PM +0100, Peter Smith wrote:
> This is probably the I want to compile Firefox 3.6 on Debian Squeeze
> and place everything in the /opt directory. I want the compiled
> browser to have some security modifications. The first thing I have
> added to mozconfig is the following three lines:
> 
> export CFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-all"
> export CXXFLAGS="${CFLAGS}"
> export CPPFLAGS="${CFLAGS}"
> 
> This makes hardening-check on firefox-bin output the following:
> 
> Position Independent Executable: no, normal executable!
> Stack protected: yes
> Fortify Source functions: yes
> Read-only relocations: no, not found!
> Immediate binding: no, not found!
> 
> I don't know what flags should be passed to gcc for activating
> "Position Independent Executable", "Read-only relocations" and
> "Immediate binding" or if it is a good idea at all? Is it enough to
> activate the options I have to make the browser more secure?

I guess you want to take a look at http://wiki.debian.org/Hardening

> I have to choose between using the system libraries for nspr, nss,
> jpeg, zlib, bz2 and png like this:
> 
> ac_add_options --with-system-nspr
> ac_add_options --with-system-nss
> ac_add_options --with-system-jpeg
> ac_add_options --with-system-zlib
> ac_add_options --with-system-bz2
> ac_add_options --with-system-png
> 
> or using the code shipped with Firefox for the same functionality. So
> far I have not been able to build Firefox without using system nspr
> and nss, the Mozilla version of these will not compile on Debian. What
> is most secure, using the system libraries or the Mozilla libraries?

They are the same.

Mike
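
Added example, not part of the original thread and not the hardening-check source: a Python sketch that reads the ELF markers behind the three "no" lines in the report quoted above, with the usual gcc/ld flag for each noted in the comments. The names check_hardening and build_sample are hypothetical, the "ET_DYN plus PT_INTERP" test for PIE is a heuristic assumed here, and the ELF images it runs on are constructed in the script.

```python
import struct

ET_EXEC, ET_DYN, PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def check_hardening(data):
    """Report PIE, RELRO and immediate binding for an ELF image given as bytes."""
    if len(data) < 16 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    e = "<" if data[5] == 1 else ">"         # EI_DATA: 1 = little-endian
    e_type, = struct.unpack_from(e + "H", data, 16)
    phoff, = struct.unpack_from(e + ("Q" if is64 else "I"), data, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(e + "HH", data, 54 if is64 else 42)
    segments = []                            # (p_type, p_offset, p_filesz)
    for i in range(phnum):
        f = struct.unpack_from(e + ("IIQQQQ" if is64 else "IIIII"), data, phoff + i * phentsize)
        segments.append((f[0], f[2], f[5]) if is64 else (f[0], f[1], f[4]))
    types = {s[0] for s in segments}
    dyn_fmt = e + ("qQ" if is64 else "iI")   # (d_tag, d_val)
    n = struct.calcsize(dyn_fmt)
    bind_now = False
    for _, off, size in (s for s in segments if s[0] == PT_DYNAMIC):
        blob = data[off:off + size]
        for tag, val in struct.iter_unpack(dyn_fmt, blob[:len(blob) - len(blob) % n]):
            if tag == DT_NULL:
                break
            bind_now |= (tag == DT_BIND_NOW or (tag == DT_FLAGS and bool(val & DF_BIND_NOW))
                         or (tag == DT_FLAGS_1 and bool(val & DF_1_NOW)))
    return {"pie": e_type == ET_DYN and PT_INTERP in types,   # -fPIE -pie
            "relro": PT_GNU_RELRO in types,                    # -Wl,-z,relro
            "bind_now": bind_now}                              # -Wl,-z,now

def build_sample(e_type, relro, dyn_tags):
    """Constructed ELF64 little-endian image (headers only), for demonstration."""
    segs = [PT_INTERP, PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags + [(DT_NULL, 0)])
    out = b"\x7fELF\x02\x01\x01" + bytes(9)
    out += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(segs), 0, 0, 0)
    for t in segs:
        off, size = (64 + 56 * len(segs), len(dyn)) if t == PT_DYNAMIC else (0, 0)
        out += struct.pack("<IIQQQQQQ", t, 4, off, 0, 0, size, size, 8)
    return out + dyn

if __name__ == "__main__":
    print(check_hardening(build_sample(ET_EXEC, False, [])))   # as in the report above
    print(check_hardening(build_sample(ET_DYN, True, [(DT_FLAGS, DF_BIND_NOW)])))
```

To check a real binary, pass its contents: check_hardening(open(path, "rb").read()).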



More information about the pkg-mozilla-maintainers mailing list