| 1 |
Il giorno lun, 23/01/2012 alle 20.26 +0100, Jason A. Donenfeld ha |
| 2 |
scritto: |
| 3 |
> When ASLR is turned on, the .text section of executables compiled with |
| 4 |
> PIE is given a randomized base address. When ASLR is off or when PIE |
| 5 |
> is not used, the base address is predictable, so it's easy to find |
| 6 |
> where to write into. |
| 7 |
|
| 8 |
Yup, I know that. I was just making sure that the actual prevention came |
| 9 |
from ASLR and not PIE by itself. Both because there is at least one |
| 10 |
sci-math package that cannot build with ASLR (randomize_va_space) turned |
| 11 |
on, and because it would have disproven my old blog post: |
| 12 |
|
| 13 |
http://blog.flameeyes.eu/2009/11/02/the-pie-is-not-exactly-a-lie |
| 14 |
|
| 15 |
|
| 16 |
> Doesn't portage already have a check on SUID executables where it |
| 17 |
> checks to see if they meet a certain standard and also strips them of |
| 18 |
> read capabilities? Couldn't we just add a Q&A blurb to this, so that |
| 19 |
> if any SUID executables are merged that aren't PIE, there's a nice |
| 20 |
> yellow warning? And then gradually package maintainers would add the |
| 21 |
> required patches? |
| 22 |
|
| 23 |
Stripping a compiled file of read permissions is quick, painless and |
| 24 |
(mostly) safe from errors. Changing the way it is compiled.. not so |
| 25 |
much. |
| 26 |
|
| 27 |
I'm not saying that it's not a good idea, but if we want to proceed with |
| 28 |
this, there has to be someone who goes to look at all the packages and |
| 29 |
corrects them. |
| 30 |
|
| 31 |
I've not been running the tinderbox for a while both because I have very |
| 32 |
little time to _file_ bugs, but more importantly because, being there to |
| 33 |
file bugs only, without the time to tackle them, the result was a bunch |
| 34 |
of grumpy devs who either needed to repeat the test on a new version, as |
| 35 |
the bug became stale, or found me positively annoying as I didn't fix |
| 36 |
the stuff myself. |
| 37 |
|
| 38 |
That said, I could fix up the tinderbox and make it run again, no |
| 39 |
problem there. I could even try to find the time to look at the logs |
| 40 |
and/or see if s3fs allows me to publish them for someone to look through |
| 41 |
them... and definitely identifying all the packages installing suid |
| 42 |
binaries is easier than looking through all the logs. |
| 43 |
|
| 44 |
But I'd rather not do that unless there is enough consensus that we'll |
| 45 |
be tackling the issue. |
| 46 |
|
| 47 |
-- |
| 48 |
Diego Elio Pettenò <flameeyes@g.o> |
| 49 |
Gentoo Linux |
Archives