On Thu, 2005-10-06 at 10:16 -0400, Richard Freeman wrote: |
> -----BEGIN PGP SIGNED MESSAGE----- |
> Hash: SHA1 |
> |
> Olivier Crête wrote: |
> > On Thu, 2005-06-10 at 15:06 +0200, Marco Matthies wrote: |
> >>Do we have stack-smashing protection, and can this actually help against |
> >>return to libc attacks? Judging from the gcc USE flags, it seems to be |
> >>there at least -- is it also activated automatically? |
> > |
> > What you want is Gentoo Hardened [1]. They maintain a toolchain (gcc, |
> > etc) with the security oriented stuff. And also a security oriented |
> > kernel (hardened-sources) that includes stuff like address space |
> > randomization, stronger chroot, etc .. |
> > |
> |
> Too bad the latest firefox upgrade filters out -fstack-protector... |
> |
> I don't run hardened per se, but I do use stack-smashing protection.
> I'm not sure why it isn't a default-supported config on gentoo. A fair |
> number of ebuilds don't work with it. We also used to have the |
> grsecurity patches in gentoo-sources, but I don't think this is the case |
> anymore. |
> |
> It seems odd that these aren't standard gentoo features. That would |
> probably give them more widespread support rather than devs just looking |
> at you funny when you mention having something other than -O2 in your |
> CFLAGS. Other than for debugging is there any reason not to have |
> stack-smashing protection and address-space randomization? |
|
The big reason would be because gcc 3.3.x (the stable compiler on x86) |
doesn't support it. It has a patch that adds the option to gcc, but it |
does nothing. Until x86 is on 3.4.x by default, you can't expect full |
support for stack-protector. |
|
Daniel |
|
-- |
gentoo-amd64@g.o mailing list |
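Two things are asked in this thread: whether stack-smashing protection is switched on by default, and whether a compiler that accepts -fstack-protector actually emits anything for it (Daniel's point about the gcc 3.3.x patch that "does nothing"). Both can be settled by compiling a small probe and looking for the canary check in the generated assembly. The script below is an added example, not code from the thread or from Gentoo; it assumes a cc-compatible compiler on PATH (override with CC=...) and treats any reference to __stack_chk_fail / __stack_chk_guard in the assembly as evidence that the protector was applied.

```shell
#!/bin/sh
# Added example: probe whether the installed C compiler honours
# -fstack-protector, and whether it is already on by default.
# Assumes a cc-compatible compiler on PATH (override with CC=...).

# Probe program: a function with a local char array is the canonical
# candidate for a canary, so the protector has something to instrument.
ssp_probe_source() {
    cat <<'EOF'
#include <string.h>
int f(const char *s) { char buf[16]; strcpy(buf, s); return buf[0]; }
EOF
}

# Compile the probe to assembly with the given extra flags and report
# whether a canary check was generated. Prints one of:
#   yes   - assembly references __stack_chk_fail/__stack_chk_guard
#   no    - compiled fine, but no canary code was emitted
#   nocc  - no usable compiler (missing, or it rejected the flags)
ssp_emits_canary() {
    cc="${CC:-cc}"
    command -v "$cc" >/dev/null 2>&1 || { echo nocc; return 0; }
    asm=$(ssp_probe_source | "$cc" -x c "$@" -S -o - - 2>/dev/null) \
        || { echo nocc; return 0; }
    case "$asm" in
        *stack_chk*) echo yes ;;
        *)           echo no  ;;
    esac
}

# Human-readable summary: default build vs. explicit flags.
ssp_report() {
    printf 'default build emits canary:          %s\n' "$(ssp_emits_canary)"
    printf '-fstack-protector emits canary:      %s\n' "$(ssp_emits_canary -fstack-protector)"
    printf '-fstack-protector-all emits canary:  %s\n' "$(ssp_emits_canary -fstack-protector-all)"
    printf '-fno-stack-protector emits canary:   %s\n' "$(ssp_emits_canary -fno-stack-protector)"
}

ssp_report
```

A toolchain in the state Daniel describes would print "no" for the -fstack-protector line even though the flag is accepted; a distribution that enables the protector in the compiler defaults (as several later did) prints "yes" for the default build. The -fno-stack-protector line is the control: it should always be "no" on a working compiler.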