Archives
Archives
| From: | "Jason A. Donenfeld" <Jason@×××××.com> | ||
|---|---|---|---|
| To: | "Diego Elio Pettenò" <flameeyes@g.o> | ||
| Cc: | gentoo-dev@l.g.o | ||
| Subject: | [gentoo-dev] Re: Can we get PIE on all SUID binaries by default, por favor? | ||
| Date: | Mon, 23 Jan 2012 19:40:49 | ||
| Message-Id: | CAHmME9r_7J8+6jLK+Fc36F8XiMny6pmaL7E3n4DfOtoFTrj4pQ@mail.gmail.com | ||
| In Reply to: | [gentoo-dev] Re: Can we get PIE on all SUID binaries by default, por favor? by "Diego Elio Pettenò" |
||
| 1 | On Mon, Jan 23, 2012 at 20:37, Diego Elio Pettenò <flameeyes@g.o>wrote: |
| 2 | > |
| 3 | > Stripping a compiled file of read permissions is quick, painless and |
| 4 | > (mostly) safe from errors. Changing the way it is compiled.. not so |
| 5 | > much. |
| 6 | > |
| 7 | > I'm not saying that it's not a good idea, but if we want to proceed with |
| 8 | > this, there has to be someone who goes to look at all the packages and |
| 9 | > corrects them. |
| 10 | > |
| 11 | > |
| 12 | Right. It's a big ordeal. I'm *not* suggesting, however, that we |
| 13 | automatically inject a CFLAG or something awful like that. |
| 14 | |
| 15 | What I propose is just to *detect* at merge-time whether or not there are |
| 16 | SUID binaries that are not PIE, and if so, spit out a Q&A warning. |
| 17 | |
| 18 | That way, package maintainers could fix things up bit by bit, without |
| 19 | having to burden you alone with tinderbox troubles. |
| Subject | Author |
|---|---|
| Re: [gentoo-dev] Re: Can we get PIE on all SUID binaries by default, por favor? | Mike Gilbert <floppym@g.o> |
| [gentoo-dev] Re: Can we get PIE on all SUID binaries by default, por favor? | "Diego Elio Pettenò" <flameeyes@g.o> |
| Re: [gentoo-dev] Re: Can we get PIE on all SUID binaries by default, por favor? | Markos Chandras <hwoarang@g.o> |