On Thu, 23 Sep 2004 16:05:13 +0200 Thierry Carrez <koon@g.o> wrote:
| SSP is very useful, and it should be used on all executables on a
| given machine. I don't think we should only use it to protect daemons
| and SUID programs, since a lot of buffer overflows are discovered in
| client software and they are also a way of remotely compromising a
| machine. If you protect only exposed services, attackers will turn to
| passive attacks, like virus images, to always exploit the weakest
| link.

Ok, so what you're basically saying is that you want a variable which
enables -fstack-protector for any c executable at a global level. I'd
like to propose a variable called 'CFLAGS' which can be set in make.conf
for that kind of thing.

--
Ciaran McCreesh : Gentoo Developer (Sparc, MIPS, Vim, Fluxbox)
Mail : ciaranm at gentoo.org
Web : http://dev.gentoo.org/~ciaranm