Re: Gentoo now links with every lib?
Arthur Hagen <art@broomstick.com> wrote:
> On Thu, 2007-08-16 at 11:43 +0000, Martin Vaeth wrote:
>> -Wl,--relax and -Wl,-z,now.
>> In particular, I recommend the latter for security reasons. (Unfortunately,
>> xorg itself has problems with this option).
>
> I strongly recommend *against* ever using "-Wl,-z,now", because it
> causes libraries that might not even be used to be loaded, increasing
> both startup time and memory usage.
Concerning memory usage, I found no dramatic difference on my system, but
actually startup time of large programs like kde has even slightly
decreased with -Wl,-z,now.
This might be by accident (better placement of libraries on the hard disk)
but perhaps the "later" resolving of symbols has some more overhead
(I suspect that lazy linking might even increase the runtime if a library
function is often called, because the linker has to check first that
it is there? However, I have not analyzed the code or made experiments
whether this is correct.)
Nevertheless, these are minor points IMHO.
I am more concerned about the security issue:
To be honest, I did not understand the reason precisely, but roughly,
I think that the problem is that the code pages are associated
to owners and that you might somehow be able to modify the
library of a lazy-linked program of a different owner.
Perhaps this problem happens only for SUID or GUID programs.
But firstly, there are a lot of such programs on a system, and
secondly, these programs in turn use libraries (I am not sure what
happens if a -Wl,-z,now linked binary uses a library which is linked
without this flag). So I think that with -Wl,-z,now you are usually
on the safer side.
> IMO, the better solution to avoid
> library impersonation is to use -rpath when linking.
I do not understand how this solves the above security issue.
Moreover, if it does, how can you be sure that all packages on your system
use -rpath in the correct manner? (It is practically impossible to
check manually all installation scripts of all installed packages).
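The question of how to know whether every installed binary was actually linked with -Wl,-z,now does not need a manual review of install scripts: the linker records the setting in the binary itself, as a BIND_NOW bit in the DT_FLAGS / DT_FLAGS_1 dynamic tags (and, together with -z relro, as a PT_GNU_RELRO segment). The following checker is an added example, not code from this thread or from Gentoo; it re-implements the small part of `readelf -d` and `readelf -l` that such an audit needs, so it runs without binutils. It assumes 64-bit little-endian ELF only, and the ELF constants come from the ELF gABI and the GNU extensions. The `build_test_elf` helper constructs minimal non-executable ELF images so the checker can be exercised offline.

```python
"""Audit ELF binaries for the -Wl,-z,now (BIND_NOW) and RELRO link settings.

Added example, not code from the mailing-list thread.  Only ELF64,
little-endian images are handled; anything else raises ValueError.
"""
import struct
import sys

# ELF constants (ELF gABI plus the GNU extensions used by ld.so).
PT_LOAD = 1
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_NEEDED = 1
DT_BIND_NOW = 24          # legacy tag, still honoured by glibc
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8         # bit in DT_FLAGS set by -z now
DF_1_NOW = 0x1            # bit in DT_FLAGS_1 set by -z now

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn, 16 bytes


def inspect_elf(data: bytes) -> dict:
    """Return {"bind_now", "relro", "grade"} for an in-memory ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is supported here")
    fields = EHDR.unpack_from(data, 0)
    e_phoff, e_phentsize, e_phnum = fields[5], fields[9], fields[10]

    # Walk the program headers: PT_GNU_RELRO marks -z relro, PT_DYNAMIC
    # tells us where the dynamic section lives in the file.
    relro = False
    dyn_off = None
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, _, _, _ = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off = p_offset

    if dyn_off is None:
        return {"bind_now": False, "relro": relro, "grade": "static (no dynamic section)"}

    # Walk the dynamic section until DT_NULL, looking for any of the three
    # ways the linker can express BIND_NOW.
    bind_now = False
    off = dyn_off
    while True:
        d_tag, d_val = DYN.unpack_from(data, off)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_BIND_NOW:
            bind_now = True
        elif d_tag == DT_FLAGS and d_val & DF_BIND_NOW:
            bind_now = True
        elif d_tag == DT_FLAGS_1 and d_val & DF_1_NOW:
            bind_now = True
        off += DYN.size

    # Same grading checksec-style tools use: the GOT is only fully
    # read-only after relocation when RELRO and BIND_NOW are combined.
    if relro and bind_now:
        grade = "Full RELRO"
    elif relro:
        grade = "Partial RELRO"
    else:
        grade = "No RELRO"
    return {"bind_now": bind_now, "relro": relro, "grade": grade}


def audit_file(path: str) -> dict:
    """Read a file from disk and classify it with inspect_elf()."""
    with open(path, "rb") as fh:
        return inspect_elf(fh.read())


def build_test_elf(bind_now: bool, relro: bool) -> bytes:
    """Construct a minimal, non-runnable ELF64 image for exercising the checker."""
    phnum = 2
    dyn_off = EHDR.size + phnum * PHDR.size          # dynamic section right after phdrs
    dyn = [(DT_NEEDED, 1)]                            # a placeholder DT_NEEDED entry
    if bind_now:
        dyn += [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)]
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(DYN.pack(tag, val) for tag, val in dyn)

    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LE, version 1
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, EHDR.size, 0, 0,    # ET_DYN, EM_X86_64
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    phdrs = PHDR.pack(PT_DYNAMIC, 4, dyn_off, dyn_off, dyn_off,
                      len(dyn_bytes), len(dyn_bytes), 8)
    filler = PT_GNU_RELRO if relro else PT_LOAD             # second phdr: RELRO or neutral
    phdrs += PHDR.pack(filler, 4, 0, 0, 0, 0, 0, 1)
    return ehdr + phdrs + dyn_bytes


if __name__ == "__main__":
    # Usage: python audit_bindnow.py /usr/bin/* /usr/lib64/*.so*
    for path in sys.argv[1:] or [sys.executable]:
        try:
            r = audit_file(path)
        except (OSError, ValueError) as exc:
            print(f"{path}: skipped ({exc})")
            continue
        print(f"{path}: {r['grade']} (BIND_NOW={r['bind_now']}, GNU_RELRO={r['relro']})")
```

Run over a directory of binaries and libraries, the script lists anything still linked lazily, which answers the "how can you be sure" question without reading a single ebuild. It also covers the mixed case raised above: a BIND_NOW executable and the shared libraries it loads are graded independently, since each object carries its own dynamic tags.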