| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
Lance Albertson wrote: |
| 7 |
| John Richard Moser wrote: |
| 8 |
[...] |
| 9 |
| |
| 10 |
| Uhm, I think the hardened project already takes care of these issues |
| 11 |
you're |
| 12 |
| talking about unless I'm misunderstanding it. Check out the hardened |
| 13 |
website [1] |
| 14 |
| and see if that solves the problems you're talking about. The best way |
| 15 |
is to |
| 16 |
|
| 17 |
I use the stuff coming out of the Hardened Gentoo project regularly. |
| 18 |
Hardened allows a user to create basically a fortress for a system; what |
| 19 |
is being suggested here is to allow a user to set their system to shield |
| 20 |
the most exposed packages (i.e. daemons) from potential attacks on |
| 21 |
undiscovered security vulnerabilities without compiling an entire system |
| 22 |
- -fstack-protector |
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
On a side note, does Gentoo officially support -fstack-protector? I |
| 27 |
know that if you file a bug using rediculous CFLAGS="-march=athlon-xp |
| 28 |
- -msse -m3dnow -mmmx -O99 -mfpmath=sse,387 -freduce-all-givs |
| 29 |
- -fnumber-crunch -fmake-tasks-haul-ass" it gets marked INVALID; but what |
| 30 |
about -fstack-protector? That's supported by the hardened team, and |
| 31 |
it's fairly safe IMHO. How about something in the comments of make.conf |
| 32 |
like: |
| 33 |
|
| 34 |
# CPU types supported in gcc-2.95*: k6, i386, i486, i586 (Pentium), i686 |
| 35 |
# (Pentium Pro), pentium, pentiumpro Gentoo Linux 1.2 and below use |
| 36 |
# gcc-2.95* |
| 37 |
# |
| 38 |
# The security concious could add -fstack-protector to CFLAGS as well, |
| 39 |
# for some added security (see SSPDAEMONS below for FEATURES). This |
| 40 |
# should be safe; if something breaks, bug bugs.gentoo.org |
| 41 |
# |
| 42 |
# Decent examples: |
| 43 |
|
| 44 |
Leave it out of the example and default flags; but it's a harmless |
| 45 |
enough feature with good bonuses. Eh, maybe that's a stretch? I tend |
| 46 |
to recommend to people asking me to help them install Gentoo to put that |
| 47 |
in, and they tend not to have any problems (at least they never tell me |
| 48 |
about it); besides, it has to work anyway, as the hardened herd supports |
| 49 |
it. If it breaks something that's definitely a problem for Hardened. :P |
| 50 |
|
| 51 |
[...] |
| 52 |
|
| 53 |
| |
| 54 |
|
| 55 |
- -- |
| 56 |
All content of all messages exchanged herein are left in the |
| 57 |
Public Domain, unless otherwise explicitly stated. |
| 58 |
|
| 59 |
-----BEGIN PGP SIGNATURE----- |
| 60 |
Version: GnuPG v1.2.6 (GNU/Linux) |
| 61 |
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org |
| 62 |
|
| 63 |
iD8DBQFBUfAhhDd4aOud5P8RAk5PAJwNCYkoQBzP0TSN4pNQrTa3Qi3fXwCdGAXB |
| 64 |
/9QfsY5TKkuZ7hdyvgWCgr8= |
| 65 |
=UXkL |
| 66 |
-----END PGP SIGNATURE----- |
| 67 |
|
| 68 |
-- |
| 69 |
gentoo-dev@g.o mailing list |
Archives