Archives
Archives
| From: | "Paweł Hajdan | ||
|---|---|---|---|
| To: | gentoo-dev@l.g.o | ||
| Subject: | Re: [gentoo-dev] Can we get PIE on all SUID binaries by default, por favor? | ||
| Date: | Fri, 27 Jan 2012 19:40:43 | ||
| Message-Id: | 4F22FD6C.2020807@gentoo.org | ||
| In Reply to: | Re: [gentoo-dev] Can we get PIE on all SUID binaries by default, por favor? by "Jason A. Donenfeld" |
||
| 1 | On 1/27/12 8:02 PM, Jason A. Donenfeld wrote: |
| 2 | > I've just been informed that RHEL does not allow non-PIE executables. We |
| 3 | > really should follow suit here. |
| 4 | |
| 5 | I'm generally in favor of enabling more hardening features by default |
| 6 | (i.e. reversing the default, so that people who want to disable PIE can |
| 7 | still do it). Note that the hardened profile uses PIE by default iirc. |
| 8 | |
| 9 | The most common argument against it is performance loss I think, and |
| 10 | there are probably less than 10 packages that have some compilation |
| 11 | issues with PIE. In my opinion we can deal with that, and security |
| 12 | benefits are much more important. |
| 13 | |
| 14 | If the discussion on this doesn't get conclusive, how about adding the |
| 15 | question to the Council's agenda? |
| File name | MIME type |
|---|---|
| signature.asc | application/pgp-signature |
| Subject | Author |
|---|---|
| Re: [gentoo-dev] Can we get PIE on all SUID binaries by default, por favor? | Fabian Groffen <grobian@g.o> |
| Re: [gentoo-dev] Can we get PIE on all SUID binaries by default, por favor? | Mike Frysinger <vapier@g.o> |
| Re: [gentoo-dev] Can we get PIE on all SUID binaries by default, por favor? | "Jason A. Donenfeld" <Jason@×××××.com> |
| Re: [gentoo-dev] Can we get PIE on all SUID binaries by default, por favor? | "Anthony G. Basile" <blueness@g.o> |