1 |
dammit are we over complicating this? |
2 |
You guys seem to be hung up on silly USE/FEATURE flag names. |
3 |
How about we as Ciaran McCreesh proposed just add it to CFLAGS by |
4 |
default and deploy stages in such a manner. |
5 |
Solves everything for most cases and leave the option up to the user to |
6 |
disable if he/she wants to. |
7 |
|
8 |
On Thu, 2004-09-23 at 23:21, John Richard Moser wrote: |
9 |
> -----BEGIN PGP SIGNED MESSAGE----- |
10 |
> Hash: SHA1 |
11 |
> |
12 |
> I'm probably repeting myself here . . .heh. |
13 |
> |
14 |
> Thierry Carrez wrote: |
15 |
> | Thierry Carrez wrote: |
16 |
> | |
17 |
> | |
18 |
> |>Restricting ssp to daemons and +s programs is not very |
19 |
> |>useful. |
20 |
> | |
21 |
> | |
22 |
> | Clarifying this : |
23 |
> | |
24 |
> | SSP is very useful, and it should be used on all executables on a given |
25 |
> | machine. I don't think we should only use it to protect daemons and SUID |
26 |
> | programs, since a lot of buffer overflows are discovered in client |
27 |
> | software and they are also a way of remotely compromising a machine. If |
28 |
> | you protect only exposed services, attackers will turn to passive |
29 |
> | attacks, like virus images, to always exploit the weakest link. |
30 |
> | |
31 |
> |
32 |
> How about, make.conf default and make.conf.example: |
33 |
> |
34 |
> # |
35 |
> # The "auto-nossp" USE flag will disable -fstack-protector on ebuilds |
36 |
> # that take a significant hit from SSP and aren't a major security |
37 |
> # threat. Ebuilds that break with SSP will have SSP disabled in all |
38 |
> # cases anyway. |
39 |
> #USE="X" |
40 |
> ... |
41 |
> # |
42 |
> # For added security, the -fstack-protector flag can be added to prevent |
43 |
> # buffer overflow based attacks. -fno-stack-protector will disable this |
44 |
> # universally; nothing forces it on. |
45 |
> # |
46 |
> # Decent examples: |
47 |
> #CFLAGS="-march=i686 -O2 -pipe -fstack-protector" |
48 |
> #CFLAGS="-mcpu=pentium4 -O3 -pipe -fstack-protector" |
49 |
> |
50 |
> |
51 |
> This solution may have extra perks. As you said, more than just daemon |
52 |
> software is affected. Rather than tracking it all down, perhaps simply |
53 |
> looking for not-always-great-for-SSP things such as gcc (can you attack |
54 |
> gcc anyway? No really, I want to know) and have a USE flag disable SSP |
55 |
> for them. |
56 |
> |
57 |
> Another reason for this route would be that using -fno-stack-protector |
58 |
> in CFLAGS would be overriden by builds explicitely enabling |
59 |
> - -fstack-protector. Using -fstack-protector in CFLAGS would be overriden |
60 |
> by ebuilds explicitely setting -fno-stack-protector. The logical |
61 |
> consequences of each (i.e. when -fstack would and wouldn't be applied |
62 |
> based on combinations of the user and portage enabling/disabling it) in |
63 |
> my eyes seem better with this approach. |
64 |
> |
65 |
> It all depends on if you want fine control of programs which have SSP, |
66 |
> or fine control of programs which don't have SSP. This solution would |
67 |
> be the latter, and I think it makes more sense than the original |
68 |
> proposal; a wider spread usage of SSP is probably the only way to ensure |
69 |
> the best protection. |
70 |
> |
71 |
> Comments? |
72 |
> |
73 |
> | -K |
74 |
> | |
75 |
> | -- |
76 |
> | gentoo-dev@g.o mailing list |
77 |
> | |
78 |
> | |
79 |
> |
80 |
> - -- |
81 |
> All content of all messages exchanged herein are left in the |
82 |
> Public Domain, unless otherwise explicitly stated. |
83 |
> |
84 |
> -----BEGIN PGP SIGNATURE----- |
85 |
> Version: GnuPG v1.2.6 (GNU/Linux) |
86 |
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org |
87 |
> |
88 |
> iD8DBQFBU5K8hDd4aOud5P8RAo08AJ4xNx6IkHDjDhQX43sfKNiNJmz10wCfbrM7 |
89 |
> eI5ZweX0wl8uG7l0vH3Z+YI= |
90 |
> =C/8F |
91 |
> -----END PGP SIGNATURE----- |
92 |
> |
93 |
> -- |
94 |
> gentoo-dev@g.o mailing list |
95 |
-- |
96 |
Ned Ludd <solar@g.o> |
97 |
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer |