Gentoo Archives: gentoo-amd64

From: Daniel Gryniewicz <dang@g.o>
To: gentoo-amd64@l.g.o
Subject: Re: [gentoo-amd64] Questions about No Execute and security
Date: Thu, 06 Oct 2005 14:37:15
Message-Id: 1128609354.10528.1.camel@localhost
In Reply to: Re: [gentoo-amd64] Questions about No Execute and security by Richard Freeman
On Thu, 2005-10-06 at 10:16 -0400, Richard Freeman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Olivier Crête wrote:
> > On Thu, 2005-06-10 at 15:06 +0200, Marco Matthies wrote:
> >>Do we have stack-smashing protection, and can this actually help against
> >>return to libc attacks? Judging from the gcc USE flags, it seems to be
> >>there at least -- is it also activated automatically?
> >
> > What you want is Gentoo Hardened [1]. They maintain a toolchain (gcc,
> > etc) with the security oriented stuff. And also a security oriented
> > kernel (hardened-sources) that includes stuff like address space
> > randomization, stronger chroot, etc ..
> >
>
> Too bad the latest firefox upgrade filters out -fstack-protector...
>
> I don't run hardened per se, but I do use stack-smashing protection.
> I'm not sure why it isn't a default-supported config on gentoo. A fair
> number of ebuilds don't work with it. We also used to have the
> grsecurity patches in gentoo-sources, but I don't think this is the case
> anymore.
>
> It seems odd that these aren't standard gentoo features. That would
> probably give them more widespread support rather than devs just looking
> at you funny when you mention having something other than -O2 in your
> CFLAGS. Other than for debugging is there any reason not to have
> stack-smashing protection and address-space randomization?

The big reason would be because gcc 3.3.x (the stable compiler on x86)
doesn't support it. It has a patch that adds the option to gcc, but it
does nothing. Until x86 is on 3.4.x by default, you can't expect full
support for stack-protector.

Daniel

--
gentoo-amd64@g.o mailing list
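A way to check the point made above, that a toolchain can accept -fstack-protector and still emit no canary code, as an added example that is not part of the original thread or of any Gentoo tool. It assumes gcc and mktemp are in PATH for the live probe, and that the canary-failure handler is named __stack_chk_fail (mainline gcc 4.1 and later) or __stack_smash_handler (the older ProPolice patch applied to gcc 3.x).

```shell
#!/bin/sh
# Added example: does this gcc really emit stack-protector code, or does it
# just swallow the flag? Compile a probe with -S and look for the canary
# failure handler in the generated assembly.

# Return 0 if the assembly (or nm) listing in $1 references a canary handler.
ssp_symbols_present() {
    grep -Eq '__stack_chk_fail|__stack_smash_handler' "$1"
}

# Live probe: compile a function with a stack buffer using -fstack-protector-all
# and report what the compiler actually produced.
#   0: canary code emitted   1: flag accepted, nothing emitted   2: gcc unusable
check_toolchain_ssp() {
    cc=${1:-gcc}
    dir=$(mktemp -d) || return 2
    cat > "$dir/probe.c" <<'EOF'
#include <string.h>
int probe(const char *s) { char buf[16]; strcpy(buf, s); return buf[0]; }
EOF
    if ! "$cc" -S -fstack-protector-all -o "$dir/probe.s" "$dir/probe.c" 2>/dev/null; then
        rm -rf "$dir"
        return 2
    fi
    ssp_symbols_present "$dir/probe.s"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Constructed listings standing in for real `gcc -S` output, so the detector
# can be exercised offline (these are fabricated fragments, not compiler output).
SSP_NEW=$(mktemp)   # mainline gcc style
SSP_OLD=$(mktemp)   # ProPolice gcc 3.x style
SSP_OFF=$(mktemp)   # no protector at all
printf '\tmovq\t%%fs:40, %%rax\n\tcall\t__stack_chk_fail@PLT\n' > "$SSP_NEW"
printf '\tmovl\t__guard, %%eax\n\tcall\t__stack_smash_handler\n' > "$SSP_OLD"
printf '\tmovq\t%%rdi, %%rsi\n\tcall\tstrcpy@PLT\n' > "$SSP_OFF"

if [ "${1:-}" = "--live" ]; then
    check_toolchain_ssp "${2:-gcc}"
    case $? in
        0) echo "stack protector active" ;;
        1) echo "flag accepted but no canary code emitted" ;;
        *) echo "gcc not usable" ;;
    esac
fi
```

Run it as `sh probe.sh --live` (optionally naming a compiler as the second argument) to test the installed toolchain; a result of 1 is the "patch that does nothing" case.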

Replies

Subject Author
Re: [gentoo-amd64] Questions about No Execute and security Richard Freeman <rich@××××××××××××××.net>