-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm probably repeating myself here . . . heh.

Thierry Carrez wrote:
| Thierry Carrez wrote:
|
|
|>Restricting ssp to daemons and +s programs is not very
|>useful.
|
|
| Clarifying this:
|
| SSP is very useful, and it should be used on all executables on a given
| machine. I don't think we should only use it to protect daemons and SUID
| programs, since a lot of buffer overflows are discovered in client
| software and they are also a way of remotely compromising a machine. If
| you protect only exposed services, attackers will turn to passive
| attacks, like virus images, to always exploit the weakest link.
|

How about, make.conf default and make.conf.example:

#
# The "auto-nossp" USE flag will disable -fstack-protector on ebuilds
# that take a significant hit from SSP and aren't a major security
# threat. Ebuilds that break with SSP will have SSP disabled in all
# cases anyway.
#USE="X"
...
#
# For added security, the -fstack-protector flag can be added to prevent
# buffer overflow based attacks. -fno-stack-protector will disable this
# universally; nothing forces it on.
#
# Decent examples:
#CFLAGS="-march=i686 -O2 -pipe -fstack-protector"
#CFLAGS="-mcpu=pentium4 -O3 -pipe -fstack-protector"


This solution may have extra perks. As you said, more than just daemon
software is affected. Rather than tracking it all down, perhaps simply
looking for not-always-great-for-SSP things such as gcc (can you attack
gcc anyway? No really, I want to know) and have a USE flag disable SSP
for them.

Another reason for this route would be that using -fno-stack-protector
in CFLAGS would be overridden by builds explicitly enabling
-fstack-protector. Using -fstack-protector in CFLAGS would be overridden
by ebuilds explicitly setting -fno-stack-protector. The logical
consequences of each (i.e. when -fstack would and wouldn't be applied
based on combinations of the user and portage enabling/disabling it) in
my eyes seem better with this approach.

It all depends on whether you want fine control of programs which have SSP,
or fine control of programs which don't have SSP. This solution would
be the latter, and I think it makes more sense than the original
proposal; more widespread usage of SSP is probably the only way to ensure
the best protection.

Comments?

| -K
|
| --
| gentoo-dev@g.o mailing list
|
|

--
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBU5K8hDd4aOud5P8RAo08AJ4xNx6IkHDjDhQX43sfKNiNJmz10wCfbrM7
eI5ZweX0wl8uG7l0vH3Z+YI=
=C/8F
-----END PGP SIGNATURE-----

--
gentoo-dev@g.o mailing list
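For readers following the -fstack-protector discussion above, here is what the SSP check compiled into a function actually does at the frame level, and where it stops. This is an added illustration, not part of the message, and not GCC, glibc or Gentoo code: the frame layout, the fixed GUARD and FAKE_RET constants, the enum names and the helper functions are assumptions made so the demo runs deterministically and stand-alone.

```c
/* Model of the check that -fstack-protector (SSP) compiles into a function.
 * Added illustration only, not GCC, glibc or Gentoo code: the frame layout,
 * the fixed GUARD/FAKE_RET values and the function names are assumptions
 * chosen to keep the demo deterministic and self-contained. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame as SSP arranges it: character arrays are placed below the guard so a
 * linear overrun must cross the guard before it reaches control data. */
struct frame {
    char     buf[16];     /* the local buffer that an unchecked copy overruns */
    uint64_t canary;      /* guard value stored by the SSP prologue          */
    uint64_t saved_ret;   /* stands in for the saved return address          */
};

/* Real SSP loads a per-process random guard from TLS (%fs:0x28 on x86-64
 * glibc); fixed constants are used here so the outcome is reproducible. */
#define GUARD    UINT64_C(0x00c0ffee0badf00d)
#define FAKE_RET UINT64_C(0x0000000000401000)

enum outcome {
    CLEAN         = 0,  /* guard and return address untouched                 */
    SSP_ABORT     = 1,  /* guard clobbered: real SSP calls __stack_chk_fail() */
    SILENT_HIJACK = 2   /* return address changed but the guard check passes  */
};

/* Copy `len` attacker-controlled bytes to byte offset `off` of the frame,
 * then run the epilogue comparison exactly as SSP would. The write is clamped
 * to the frame so this stays well-defined C; the bug being modelled is that
 * the real callee has no such clamp. */
enum outcome ssp_frame_check(size_t off, const unsigned char *payload, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary    = GUARD;        /* prologue: store the guard             */
    f.saved_ret = FAKE_RET;

    if (off > sizeof f) off = sizeof f;
    if (len > sizeof f - off) len = sizeof f - off;
    memcpy((unsigned char *)&f + off, payload, len);

    if (f.canary != GUARD)      /* epilogue: compare; abort on mismatch */
        return SSP_ABORT;
    return f.saved_ret != FAKE_RET ? SILENT_HIJACK : CLEAN;
}

/* Constructed payloads for the three cases a practitioner cares about. */
enum outcome demo_in_bounds(void)
{
    /* 15 bytes plus NUL: fits in buf[16], nothing to detect. */
    static const unsigned char p[16] = "AAAAAAAA" "AAAAAAA";
    return ssp_frame_check(0, p, sizeof p);
}

enum outcome demo_linear_overflow(void)
{
    /* Classic strcpy()-style overrun: 16 bytes fill buf, the next 8 land on
     * the canary, the last 8 would overwrite the return address. */
    static const unsigned char p[32] =
        "AAAAAAAA" "AAAAAAAA" "BBBBBBBB" "CCCCCCCC";
    return ssp_frame_check(0, p, sizeof p);
}

enum outcome demo_targeted_write(void)
{
    /* An out-of-range index or %n-style write that lands directly on the
     * return address skips the guard, so SSP does not notice. */
    static const unsigned char p[8] = "CCCCCCCC";
    return ssp_frame_check(offsetof(struct frame, saved_ret), p, sizeof p);
}

int main(void)
{
    printf("in-bounds copy:    %d (0 = clean)\n", demo_in_bounds());
    printf("linear overflow:   %d (1 = SSP abort)\n", demo_linear_overflow());
    printf("targeted write:    %d (2 = silent hijack)\n", demo_targeted_write());
    return 0;
}
```

Two practical notes. GCC honours the last of -fstack-protector / -fno-stack-protector given on the command line, which is why a flag appended by an ebuild overrides whatever CFLAGS in make.conf says, the ordering the message relies on; to confirm a finished binary really carries the instrumentation, look for the guard-failure symbol with `readelf -s ./binary | grep __stack_chk` rather than trusting the flags. And the model's third case is the real caveat: SSP only catches overruns that write linearly across the guard, so arbitrary-offset writes (bad index, format-string %n, heap corruption) are out of its scope and need other mitigations.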