| 1 |
On Thu, 2005-10-06 at 10:16 -0400, Richard Freeman wrote: |
| 2 |
> -----BEGIN PGP SIGNED MESSAGE----- |
| 3 |
> Hash: SHA1 |
| 4 |
> |
| 5 |
> Olivier Crête wrote: |
| 6 |
> > On Thu, 2005-06-10 at 15:06 +0200, Marco Matthies wrote: |
| 7 |
> >>Do we have stack-smashing protection, and can this actually help against |
| 8 |
> >>return to libc attacks? Judging from the gcc USE flags, it seems to be |
| 9 |
> >>there at least -- is it also activated automatically? |
| 10 |
> > |
| 11 |
> > What you want is Gentoo Hardened [1]. They maintain a toolchain (gcc, |
| 12 |
> > etc) with the security oriented stuff. And also a security oriented |
| 13 |
> > kernel (hardened-sources) that includes stuff like address space |
| 14 |
> > randomization, stronger chroot, etc .. |
| 15 |
> > |
| 16 |
> |
| 17 |
> Too bad the latest firefox upgrade filters out -fstack-protector... |
| 18 |
> |
| 19 |
> I don't run hardened per-se, but I do use stack-smashing protection. |
| 20 |
> I'm not sure why it isn't a default-supported config on gentoo. A fair |
| 21 |
> number of ebuilds don't work with it. We also used to have the |
| 22 |
> grsecurity patches in gentoo-sources, but I don't think this is the case |
| 23 |
> anymore. |
| 24 |
> |
| 25 |
> It seems odd that these aren't standard gentoo features. That would |
| 26 |
> probably give them more widespread support rather than devs just looking |
| 27 |
> at you funny when you mention having something other than -O2 in your |
| 28 |
> CFLAGS. Other than for debugging is there any reason not to have |
| 29 |
> stack-smashing protection and address-space randomization? |
| 30 |
|
| 31 |
The big reason would be because gcc 3.3.x (the stable compiler on x86) |
| 32 |
doesn't support it. It has a patch that adds the option to gcc, but it |
| 33 |
does nothing. Until x86 is on 3.4.x by default, you can't expect full |
| 34 |
support for stack-protector. |
| 35 |
|
| 36 |
Daniel |
| 37 |
|
| 38 |
-- |
| 39 |
gentoo-amd64@g.o mailing list |
Archives