-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Lance Albertson wrote:
| John Richard Moser wrote:
[...]
|
| Uhm, I think the hardened project already takes care of these issues you're
| talking about unless I'm misunderstanding it. Check out the hardened website [1]
| and see if that solves the problems you're talking about. The best way is to

I use the stuff coming out of the Hardened Gentoo project regularly.
Hardened allows a user to create basically a fortress for a system; what
is being suggested here is to allow a user to set their system to shield
the most exposed packages (i.e. daemons) from potential attacks on
undiscovered security vulnerabilities without compiling an entire system
-fstack-protector

On a side note, does Gentoo officially support -fstack-protector? I
know that if you file a bug using ridiculous CFLAGS="-march=athlon-xp
-msse -m3dnow -mmmx -O99 -mfpmath=sse,387 -freduce-all-givs
-fnumber-crunch -fmake-tasks-haul-ass" it gets marked INVALID; but what
about -fstack-protector? That's supported by the hardened team, and
it's fairly safe IMHO. How about something in the comments of make.conf
like:

# CPU types supported in gcc-2.95*: k6, i386, i486, i586 (Pentium), i686
# (Pentium Pro), pentium, pentiumpro Gentoo Linux 1.2 and below use
# gcc-2.95*
#
# The security conscious could add -fstack-protector to CFLAGS as well,
# for some added security (see SSPDAEMONS below for FEATURES). This
# should be safe; if something breaks, bug bugs.gentoo.org
#
# Decent examples:

Leave it out of the example and default flags; but it's a harmless
enough feature with good bonuses. Eh, maybe that's a stretch? I tend
to recommend to people asking me to help them install Gentoo to put that
in, and they tend not to have any problems (at least they never tell me
about it); besides, it has to work anyway, as the hardened herd supports
it. If it breaks something that's definitely a problem for Hardened. :P

[...]

|

--
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBUfAhhDd4aOud5P8RAk5PAJwNCYkoQBzP0TSN4pNQrTa3Qi3fXwCdGAXB
/9QfsY5TKkuZ7hdyvgWCgr8=
=UXkL
-----END PGP SIGNATURE-----

--
gentoo-dev@g.o mailing list