Build binaries in this package as RELRO PIEs and install shared libraries with
the execute bit set on them.  Prune out the -L/usr/lib*, PIE flags, and CFLAGS
where they might leak out and affect apps which just want to link with the
libraries. FIXME: needs to check and not just assume that the compiler supports
using these flags.

diff -up krb5-1.7/src/config/shlib.conf krb5-1.7/src/config/shlib.conf
--- krb5-1.7/src/config/shlib.conf	2008-12-08 17:33:07.000000000 -0500
+++ krb5-1.7/src/config/shlib.conf	2009-06-04 14:01:28.000000000 -0400
@@ -421,6 +421,8 @@ mips-*-netbsd*)
 	RPATH_FLAG='-Wl,-rpath -Wl,'
 	PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
 	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro,-z,now $(LDFLAGS)'
+	INSTALL_SHLIB='${INSTALL} -m755'
 	CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
 	CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
 	CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
diff -up krb5-1.7/src/krb5-config.in krb5-1.7/src/krb5-config.in
--- krb5-1.7/src/krb5-config.in	2009-06-04 14:01:28.000000000 -0400
+++ krb5-1.7/src/krb5-config.in	2009-06-04 14:01:28.000000000 -0400
@@ -187,8 +187,14 @@ if test -n "$do_libs"; then
 	    -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \
 	    -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \
 	    -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
-	    -e 's#\$(CFLAGS)#'"$CFLAGS"'#'`
+	    -e 's#\$(CFLAGS)##'`
 
+    if test `dirname $libdir` = /usr ; then
+        lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
+    fi
+    lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"`
+    lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro,-z,now##"`
+
     if test $library = 'kdb'; then
 	lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
 	library=krb5