-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Olivier Crête wrote:
> On Thu, 2005-06-10 at 15:06 +0200, Marco Matthies wrote:
>>Do we have stack-smashing protection, and can this actually help against
>>return to libc attacks? Judging from the gcc USE flags, it seems to be
>>there at least -- is it also activated automatically?
>
> What you want is Gentoo Hardened [1]. They maintain a toolchain (gcc,
> etc) with the security-oriented stuff. And also a security-oriented
> kernel (hardened-sources) that includes stuff like address space
> randomization, stronger chroot, etc.
>

Too bad the latest Firefox upgrade filters out -fstack-protector...

I don't run hardened per se, but I do use stack-smashing protection.
I'm not sure why it isn't a default-supported config on Gentoo. A fair
number of ebuilds don't work with it. We also used to have the
grsecurity patches in gentoo-sources, but I don't think this is the case
anymore.

It seems odd that these aren't standard Gentoo features. That would
probably give them more widespread support rather than devs just looking
at you funny when you mention having something other than -O2 in your
CFLAGS. Other than for debugging, is there any reason not to have
stack-smashing protection and address-space randomization?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDRTHRg2bN8aFizRkRAr6ZAKC30KYKEj3rf31OknczHOkTLhXPngCfS+Fi
o5cZuGPqKOB4cwHn+7vVWIY=
=/FxO
-----END PGP SIGNATURE-----