| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
Olivier Crête wrote: |
| 5 |
> On Thu, 2005-06-10 at 15:06 +0200, Marco Matthies wrote: |
| 6 |
>>Do we have stack-smashing protection, and can this actually help against |
| 7 |
>>return to libc attacks? Judging from the gcc USE flags, it seems to be |
| 8 |
>>there at least -- is it also activated automatically? |
| 9 |
> |
| 10 |
> What you want is Gentoo Hardened [1]. They maintain a toolchain (gcc, |
| 11 |
> etc) with the security oriented stuff. And also a security oriented |
| 12 |
> kernel (hardened-sources) that includes stuff like address space |
| 13 |
> randomization, stronger chroot, etc .. |
| 14 |
> |
| 15 |
|
| 16 |
Too bad the latest firefox upgrade filters out -fstack-protector... |
| 17 |
|
| 18 |
I don't run hardened per-se, but I do use stack-smashing protection. |
| 19 |
I'm not sure why it isn't a default-supported config on gentoo. A fair |
| 20 |
number of ebuilds don't work with it. We also used to have the |
| 21 |
grsecurity patches in gentoo-sources, but I don't think this is the case |
| 22 |
anymore. |
| 23 |
|
| 24 |
It seems odd that these aren't standard gentoo features. That would |
| 25 |
probably give them more widespread support rather than devs just looking |
| 26 |
at you funny when you mention having something other than -O2 in your |
| 27 |
CFLAGS. Other than for debugging is there any reason not to have |
| 28 |
stack-smashing protection and address-space randomization? |
| 29 |
-----BEGIN PGP SIGNATURE----- |
| 30 |
Version: GnuPG v1.4.1 (GNU/Linux) |
| 31 |
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org |
| 32 |
|
| 33 |
iD8DBQFDRTHRg2bN8aFizRkRAr6ZAKC30KYKEj3rf31OknczHOkTLhXPngCfS+Fi |
| 34 |
o5cZuGPqKOB4cwHn+7vVWIY= |
| 35 |
=/FxO |
| 36 |
-----END PGP SIGNATURE----- |
Archives