| 1 |
On Thu, 23 Sep 2004 16:05:13 +0200 Thierry Carrez <koon@g.o> |
| 2 |
wrote: |
| 3 |
| SSP is very useful, and it should be used on all executables on a |
| 4 |
| given machine. I don't think we should only use it to protect daemons |
| 5 |
| and SUID programs, since a lot of buffer overflows are discovered in |
| 6 |
| client software and they are also a way of remotely compromising a |
| 7 |
| machine. If you protect only exposed services, attackers will turn to |
| 8 |
| passive attacks, like virus images, to always exploit the weakest |
| 9 |
| link. |
| 10 |
|
| 11 |
Ok, so what you're basically saying is that you want a variable which |
| 12 |
enables -fstack-protector for any c executable at a global level. I'd |
| 13 |
like to propose a variable called 'CFLAGS' which can be set in make.conf |
| 14 |
for that kind of thing. |
| 15 |
|
| 16 |
-- |
| 17 |
Ciaran McCreesh : Gentoo Developer (Sparc, MIPS, Vim, Fluxbox) |
| 18 |
Mail : ciaranm at gentoo.org |
| 19 |
Web : http://dev.gentoo.org/~ciaranm |
Archives