| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
Marius Mauch wrote: |
| 7 |
| On 09/22/04 Mike Frysinger wrote: |
| 8 |
| |
| 9 |
| |
| 10 |
|>On Wednesday 22 September 2004 07:17 pm, Donnie Berkholz wrote: |
| 11 |
|> |
| 12 |
|
| 13 |
[...] |
| 14 |
|
| 15 |
|>that said, what needs to be done here in order to get the ball rolling |
| 16 |
|>? can we simply put together a function in flag-o-matic which will |
| 17 |
|>check FEATURES and ARCH and gcc, and then just `append-flags |
| 18 |
|>-fstack-protector` ? then in our system packages, just call this |
| 19 |
|>function ...-mike |
| 20 |
| |
| 21 |
| |
| 22 |
| What exactly would that FEATURE do ? If it really only affects CFLAGS I |
| 23 |
| don't see the need for another FEATURE flag at all. We already have ~30 |
| 24 |
| different flags, please lets try to avoid another USE desaster by not |
| 25 |
| adding new flags for trivial stuff. |
| 26 |
| |
| 27 |
|
| 28 |
Users could add -fstack-protector for global stack smash protection; |
| 29 |
what's proposed here is to alter certain packages to use |
| 30 |
- -fstack-protector based on their risk factor (the proposed measure of |
| 31 |
risk factor is if they're daemons, or if they're SETUID (chmod +s)). |
| 32 |
|
| 33 |
CFLAGS="-fstack-protector" |
| 34 |
|
| 35 |
*************************** |
| 36 |
*_ALL_PACKAGES____________* |
| 37 |
*__(Stack_Smash_Protected)* |
| 38 |
*_________________________* |
| 39 |
*_________________________* |
| 40 |
*_________________________* |
| 41 |
*_________________________* |
| 42 |
*_________________________* |
| 43 |
*************************** |
| 44 |
|
| 45 |
FEATURES="autossp" |
| 46 |
|
| 47 |
*************************** |
| 48 |
*_ALL_PACKAGES____________* |
| 49 |
*_________________________* |
| 50 |
*_________________________* |
| 51 |
****************__________* |
| 52 |
*_DAEMONS______*__________* |
| 53 |
*_(Stack_Smash *__________* |
| 54 |
*___Protected)_*__________* |
| 55 |
*************************** |
| 56 |
|
| 57 |
Does this clearly enough illustrate the difference? Rather than |
| 58 |
protecting everything including, say, ufed vim and gedit, only the |
| 59 |
obvious players are given extra padding (it's more like lightweight |
| 60 |
bioarmor; padding is clunky and reduces dexterity too much). |
| 61 |
|
| 62 |
This is easily compared to a football game: FEATURES="autossp" protects |
| 63 |
the players; while CFLAGS="-fstack-protector" protects the players, |
| 64 |
referee, cheerleaders, crowd, announcers, and sponsors. It's pretty |
| 65 |
obvious you don't want two 300 pound giants ramming into each other with |
| 66 |
no protection; it's not so obvious that the football might get kicked |
| 67 |
too far and hit someone in the crowd in the jaw. Those that fear this |
| 68 |
bring their own damn padding. |
| 69 |
|
| 70 |
| Marius |
| 71 |
| |
| 72 |
|
| 73 |
- -- |
| 74 |
All content of all messages exchanged herein are left in the |
| 75 |
Public Domain, unless otherwise explicitly stated. |
| 76 |
|
| 77 |
-----BEGIN PGP SIGNATURE----- |
| 78 |
Version: GnuPG v1.2.6 (GNU/Linux) |
| 79 |
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org |
| 80 |
|
| 81 |
iD8DBQFBUiw+hDd4aOud5P8RAiEgAJwOnPYfxYacjMvwhWD8JgDL2x4I6ACfZYH2 |
| 82 |
roG+jaC6Y6eyEMMZH6HTNuI= |
| 83 |
=Ozj/ |
| 84 |
-----END PGP SIGNATURE----- |
| 85 |
|
| 86 |
-- |
| 87 |
gentoo-dev@g.o mailing list |
Archives