It may be prudent to use extra protection on certain ebuilds in standard
Gentoo profiles where the changes would be significant in the case of a
security fault in the program. Such programs as daemons and chmod()+s
programs would be major targets for this sort of thing.

The most immediately apparent route to take would be to have ebuilds
such as openssh, apache, and su stack smash protected. This would
prevent common buffer overflow attacks from being used to compromise
security; such attacks would only cause the program attacked to abort,
which could still be used as a Denial of Service attack, but would not
allow successful intrusion.

Gentoo ships gcc with stack smash protection built in. This is
activated by -fstack-protector or -fstack-protector-all. It would be
feasible to add one of these flags to an ebuild based on a FEATURES or
USE setting.

I believe it would be a good idea to have such a FEATURES or USE flag on
by default in all profiles where SSP is supported. In this manner, the
major targets of security attacks would automatically be protected,
while still allowing the user to disable the protection if the user
desires. Users wanting more protection can simply add -fstack-protector
to CFLAGS, or use Hardened Gentoo.

Any comments? Would this be more suitable as a USE or a FEATURES setting?

--
All content of all messages exchanged herein is left in the
Public Domain, unless otherwise explicitly stated.

--
gentoo-security@g.o mailing list
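As an added illustration of the proposal above (not code from the original post or from Gentoo), the following sketch derives CFLAGS from a hypothetical USE flag and then verifies that a compiled object actually references gcc's canary-failure hook, which is the check a profile maintainer would want before relying on the flag. The USE flag names `ssp` and `ssp-all` and the helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: USE-flag driven CFLAGS and a check that SSP really landed.
# The flag names "ssp" / "ssp-all" are an assumed convention, not real Gentoo
# USE flags; the helper names are hypothetical.

# Print the CFLAGS an ebuild would use for a given USE string and base CFLAGS.
ssp_cflags() {
    use="$1"; base="$2"
    case " $use " in
        *" ssp-all "*) echo "$base -fstack-protector-all" ;;
        *" ssp "*)     echo "$base -fstack-protector" ;;
        *)             echo "$base" ;;
    esac
}

# Compile a constructed C sample with the given CFLAGS and report whether the
# object references __stack_chk_fail, the runtime hook gcc calls (aborting the
# process) when a stack canary has been overwritten. Prints "yes" or "no",
# or "skip" when gcc/nm are not available.
has_stack_protector() {
    flags="$1"
    command -v gcc >/dev/null 2>&1 || { echo skip; return 0; }
    command -v nm  >/dev/null 2>&1 || { echo skip; return 0; }
    tmp=$(mktemp -d)
    cat > "$tmp/t.c" <<'EOF'
#include <string.h>
/* Constructed sample: a local array large enough for gcc to protect.
   With SSP on, a canary is placed after buf and checked before return. */
int f(const char *s) { char buf[64]; strncpy(buf, s, sizeof buf); return buf[0]; }
EOF
    if gcc $flags -c "$tmp/t.c" -o "$tmp/t.o" 2>/dev/null &&
       nm "$tmp/t.o" 2>/dev/null | grep -q '__stack_chk_fail'; then
        echo yes
    else
        echo no
    fi
    rm -rf "$tmp"
}
```

Because many modern toolchains enable a stack protector by default, pass an explicit -fno-stack-protector when you want to see the unprotected result.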