On Mon, 23/01/2012 at 20.26 +0100, Jason A. Donenfeld wrote:
> When ASLR is turned on, the .text section of executables compiled with
> PIE is given a randomized base address. When ASLR is off or when PIE
> is not used, the base address is predictable, so it's easy to find
> where to write into.

Yup, I know that. I was just making sure that the actual prevention came
from ASLR and not PIE by itself. Both because there is at least one
sci-math package that cannot build with ASLR (randomize_va_space) turned
on, and because it would have disproven my old blog post:

http://blog.flameeyes.eu/2009/11/02/the-pie-is-not-exactly-a-lie


> Doesn't portage already have a check on SUID executables where it
> checks to see if they meet a certain standard and also strips them of
> read capabilities? Couldn't we just add a Q&A blurb to this, so that
> if any SUID executables are merged that aren't PIE, there's a nice
> yellow warning? And then gradually package maintainers would add the
> required patches?

Stripping a compiled file of read permissions is quick, painless and
(mostly) safe from errors. Changing the way it is compiled... not so
much.

I'm not saying that it's not a good idea, but if we want to proceed with
this, there has to be someone who goes to look at all the packages and
corrects them.

I've not been running the tinderbox for a while, both because I have very
little time to _file_ bugs, but more importantly because, being there to
file bugs only, without the time to tackle them, the result was a bunch
of grumpy devs who either needed to repeat the test on a new version, as
the bug became stale, or found me positively annoying as I didn't fix
the stuff myself.

That said, I could fix up the tinderbox and make it run again, no
problem there. I could even try to find the time to look at the logs
and/or see if s3fs allows me to publish them for someone to look through
them... and definitely identifying all the packages installing suid
binaries is easier than looking through all the logs.

But I'd rather not do that unless there is enough consensus that we'll
be tackling the issue.

-- 
Diego Elio Pettenò <flameeyes@g.o>
Gentoo Linux
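The kind of install-image QA check the quoted message asks for, as an added example written for this thread and not portage's own code: it walks an image directory, picks out setuid/setgid files, reads the ELF header and reports those linked as ET_EXEC (a fixed base) rather than ET_DYN (what a PIE link produces). The image tree and the minimal ELF headers in it are constructed inline; the check says nothing about whether the kernel's randomize_va_space is actually on.

```python
import os
import stat
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3          # e_type values: fixed-address executable vs. position-independent


def elf_type(path):
    """Return e_type from the ELF header, or None if the file is not ELF."""
    with open(path, "rb") as f:
        header = f.read(20)
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        return None
    endian = "<" if header[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    return struct.unpack(endian + "H", header[16:18])[0]


def is_setuid(path):
    """True when the setuid or setgid bit is set on the file."""
    return bool(os.stat(path).st_mode & (stat.S_ISUID | stat.S_ISGID))


def find_non_pie_setuid(root):
    """Return image-relative paths of setuid/setgid ELF files that are not PIE (ET_EXEC)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not is_setuid(path):
                continue
            if elf_type(path) == ET_EXEC:      # ET_DYN is what -fPIE/-pie links to
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def build_sample_image():
    """Constructed sample image: 64-byte ELF64 headers only, not runnable binaries."""
    root = tempfile.mkdtemp()

    def header(e_type):
        ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8      # ELFCLASS64, little-endian
        return ident + struct.pack("<HH", e_type, 62) + b"\0" * 44  # e_type, e_machine=x86-64

    samples = {"usr/bin/nonpie_suid": (ET_EXEC, 0o4755),   # should be flagged
               "usr/bin/pie_suid": (ET_DYN, 0o4755),       # PIE: fine
               "usr/bin/nonpie_plain": (ET_EXEC, 0o755)}   # not setuid: ignored
    for rel, (e_type, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(header(e_type))
        os.chmod(path, mode)
    return root
```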