Archives
Archives
| From: | Francesco Riosa <vivo75@×××××.com> | ||
|---|---|---|---|
| To: | gentoo-dev@l.g.o | ||
| Subject: | Re: [gentoo-dev] Re: Can we get PIE on all SUID binaries by default, por favor? | ||
| Date: | Mon, 23 Jan 2012 20:13:51 | ||
| Message-Id: | CAD6zcDxqf4ka2_b81hErbBfn-S9ec3PGzSmga7JUxAf=6PC2vg@mail.gmail.com | ||
| In Reply to: | Re: [gentoo-dev] Re: Can we get PIE on all SUID binaries by default, por favor? by Mike Gilbert |
||
| 1 | 2012/1/23 Mike Gilbert <floppym@g.o>: |
| 2 | > On Mon, Jan 23, 2012 at 2:57 PM, Jason A. Donenfeld <Jason@×××××.com> wrote: |
| 3 | >> To check for PIE, |
| 4 | >> |
| 5 | >> readelf -h /bin/su | grep Type |
| 6 | >> |
| 7 | >> If it says EXEC, no PIE. If it says DYN, yes PIE. |
| 8 | > |
| 9 | > I'm asking "how does one enable PIE/ASLR", not how to check if it is |
| 10 | > enabled already. |
| 11 | |
| 12 | - PIE should be -fPIC also for the executable, not only for the .so |
| 13 | (has a performance impact) |
| 14 | - ASLR you need "hardened" use for gcc, and the toolchain, pax kernel help too |
| 15 | |
| 16 | xattr could be used to reduce the number of suid binaries, but need |
| 17 | support in portage |
| 18 | |
| 19 | right? |
| Subject | Author |
|---|---|
| Re: [gentoo-dev] Re: Can we get PIE on all SUID binaries by default, por favor? | Zac Medico <zmedico@g.o> |
| Re: [gentoo-dev] Re: Can we get PIE on all SUID binaries by default, por favor? | Mike Frysinger <vapier@g.o> |