Gentoo Wiki


This article is part of the Security series.



This doesn't work with recent Gentoo hardened systems. See discussion and bugs.


Having problems debugging executables with hardened gcc and USE="hardened" turned on? This guide will run through how to debug programs that are proving difficult.

Set Your Flags

Add -ggdb to your LDFLAGS (LDFLAGS="-ggdb"), assuming you are using gdb. (Aren't we all, though? :-) )

Disable PaX

Turn off all PaX flags on the program with chpax or paxctl.

chpax -prmsx /the/executable/you/want

or

paxctl -prmsx /the/executable/you/want

Change your GCC specs

Before compiling, set the GCC_SPECS environment variable like this:

export GCC_SPECS='/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.6/vanilla.specs'

The exact path may vary on your system, depending on your architecture and your GCC version. This will disable all hardened/pie/pic features of gcc.

If your project uses a Makefile, put this line at the top of it:

export GCC_SPECS := /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.6/vanilla.specs

The part about GCC_SPECS= is strange advice and should be using gcc-config, but no matter, this method would work anyway. (03/23/06 -solar)

gcc-config only works if you are root. Exporting GCC_SPECS works for any user to enable backtrace. The version number should be changed to match the installed version of gcc. (11/14/06)

Then rebuild entirely (make clean && make).


If you're debugging an existing ET_DYN executable then try running gdb /lib/, then run /the/executable/you/want from within gdb.


If that doesn't work, try compiling with CFLAGS="-nopie". You will lose the ability to have some PaX protections. Remember that shared objects/modules must be compiled with -fPIC.

Real life example

CFLAGS="-g3 -fno-pie -fno-stack-protector-all -nonow -norelro" \
LDFLAGS="-ggdb" FEATURES="nostrip keepwork keeptemp" \
emerge buggyapp
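
To confirm what a build like the one above actually produced, and to catch a debug build before it goes back into service, the following added example (not part of the original wiki page) summarises readelf output. The function name build_report and the sample excerpts are constructed for illustration, and readelf from binutils is assumed to be installed for real use.

```sh
#!/bin/sh
# Added example, not from the wiki page. build_report reads the output of
#   readelf -W -h -l -S -d /path/to/binary    (binutils, assumed installed)
# on stdin and summarises the properties that the flags in this guide change.
# "hardened" below means only: ET_DYN plus RELRO plus BIND_NOW.

build_report() {
    awk '
        function yn(v) { return v ? "yes" : "no" }
        /^ *Type:/            { type = $2 }  # EXEC = fixed base, DYN = ET_DYN (PIE)
        /\.debug_info/        { dbg = 1 }    # debug sections survived (nostrip)
        /GNU_RELRO/           { relro = 1 }  # program header added by -z relro
        /\(BIND_NOW\)/        { now = 1 }    # dynamic tag added by -z now
        /\(FLAGS\).*BIND_NOW/ { now = 1 }    # same setting, DT_FLAGS form
        /\(FLAGS_1\).*NOW/    { now = 1 }    # same setting, DT_FLAGS_1 form
        END {
            hardened = (type == "DYN" && relro && now)
            printf "type=%s debug_info=%s relro=%s bind_now=%s verdict=%s\n",
                   (type == "" ? "unknown" : type), yn(dbg), yn(relro), yn(now),
                   (hardened ? "hardened" : "debug-only")
        }'
}

# Constructed readelf excerpts (not captured from a real system).
sample_debug_build() {
    cat <<'EOF'
  Type:                              EXEC (Executable file)
  [27] .debug_info       PROGBITS        00000000 003a10 0012f4 00      0   0  1
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x10
EOF
}

sample_hardened_build() {
    cat <<'EOF'
  Type:                              DYN (Shared object file)
  GNU_RELRO      0x002ef0 0x00003ef0 0x00003ef0 0x00110 0x00110 R   0x1
 0x00000018 (BIND_NOW)
EOF
}

sample_debug_build | build_report
sample_hardened_build | build_report
```

A binary reported as debug-only has lost protections this guide switches off; rebuild it with the default hardened specs once debugging is finished.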

Hope this helps! Thank solar of hardened-gentoo for this tip, which I am redistributing.

Last modified: Mon, 04 Aug 2008 08:52:00 +0000