A non-executable stack prevents certain classes of security vulnerabilities.
-Wl,-z,noexecstack is set when building a binary but not when building a shared library (node_shared=="true", corresponding to ./configure --shared.)
Since the execstack bit is transitive, any binary linking to a shared library with an executable stack also ends up with an executable stack.
The practical impact is probably low because noexecstack is the default on many systems but it would be good to:
- Be explicit for consistency across platforms and toolchains, and
- Have a test that checks noexecstack is set on the build product. It could check the output of execstack -q filename but that might be Linux-only.