John Richard Moser wrote:
> It may be prudent to use extra protection on certain ebuilds in standard
> Gentoo profiles where the changes would be significant in the case of a
> security fault in the program. Such programs as daemons and chmod()+s
> programs would be major targets for this sort of thing.
>
> The most immediately apparent route to take would be to have ebuilds
> such as openssh, apache, and su stack smash protected. This would
> prevent common buffer overflow attacks from being used to compromise
> security; such attacks would only cause the program attacked to abort,
> which could still be used as a Denial of Service attack, but would not
> allow successful intrusion.
>
> Gentoo ships gcc with stack smash protection built in. This is
> activated by -fstack-protector or -fstack-protector-all. It would be
> feasible to add one of these flags to an ebuild based on a FEATURES or
> USE setting.
>
> I believe it would be a good idea to have such a FEATURES or USE flag on
> by default in all profiles where SSP is supported. In this manner, the
> major targets of security attacks would automatically be protected;
> while still allowing the user to disable the protection if the user
> desires. Users wanting more protection can simply add -fstack-protector
> to CFLAGS, or use Hardened Gentoo.
>
> Any comments? Would this be more suitable as a USE or a FEATURES setting?
|
Uhm, I think the hardened project already takes care of these issues you're
talking about unless I'm misunderstanding it. Check out the hardened website [1]
and see if that solves the problems you're talking about. The best way is to
build a system using one of the hardened stages. It comes with its own profile
to make sure that all that stack smashing protection stuff is enabled in the
gcc spec. The profile automatically has the hardened use flag enabled and allows
you to create a full-blown (mostly) hardened system.

[1] http://www.gentoo.org/proj/en/hardened/
|
38 |
-- |
39 |
Lance Albertson <ramereth@g.o> |
40 |
Gentoo Infrastructure |
41 |
|
42 |
--- |
43 |
Public GPG key: <http://www.ramereth.net/lance.asc> |
44 |
Key fingerprint: 0423 92F3 544A 1282 5AB1 4D07 416F A15D 27F4 B742 |
45 |
|
46 |
ramereth/irc.freenode.net |
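
An added example, not part of either message in this thread: a heuristic audit of the targets the proposal names (set-uid/set-gid programs) for a reference to the stack-protector failure handler. It assumes a GCC/glibc toolchain where protected functions call `__stack_chk_fail`; the function names `is_elf`, `ssp_status` and `audit_setid` are hypothetical.

```shell
#!/bin/sh
# Added example: heuristic SSP audit of set-uid/set-gid binaries.
# Assumption: the toolchain's stack protector calls __stack_chk_fail, so a
# dynamically linked protected binary keeps that name in .dynstr even when
# it has been stripped.

# is_elf FILE -> exit 0 if FILE starts with the ELF magic 7f 45 4c 46
is_elf() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# ssp_status FILE -> prints "ssp", "no-ssp-ref" or "not-elf"
ssp_status() {
    if ! is_elf "$1"; then
        echo "not-elf"          # scripts and data files are out of scope
    elif LC_ALL=C grep -q -F '__stack_chk_fail' "$1"; then
        echo "ssp"              # at least one function carries a canary check
    else
        echo "no-ssp-ref"       # no handler reference found
    fi
}

# audit_setid DIR... -> one "status<TAB>path" line per set-uid/set-gid file
audit_setid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        printf '%s\t%s\n' "$(ssp_status "$f")" "$f"
    done
}

# Typical use: audit_setid /bin /sbin /usr/bin /usr/sbin
```

A `no-ssp-ref` result is a prompt to check how the package was built, not proof that the flag was absent: `-fstack-protector` instruments only the functions the compiler considers at risk, and a stripped, statically linked binary keeps no symbol name to match.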