I just built Apache from source, not something I usually do, and noticed that one of the build options was:
--enable-pie
This builds httpd as a Position Independent Executable which as I understand prevents ROP exploits. I would have expected this to be the default build, but normally when you see an "--enable" option in the build process, it means that the option is NOT enabled by default. Is this correct? PIE is not enabled in the default build of Apache2?
