Gentoo Archives: gentoo-security

From: John Richard Moser <nigelenki@×××××××.net>
To: gentoo-security@l.g.o, gentoo-dev@l.g.o
Subject: [gentoo-security] Stack smash protected daemons
Date: Wed, 22 Sep 2004 15:52:54
Message-Id: 4151A04F.5090304@comcast.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It may be prudent to use extra protection on certain ebuilds in standard
Gentoo profiles where the changes would be significant in the case of a
security fault in the program. Such programs as daemons and chmod()+s
programs would be major targets for this sort of thing.

The most immediately apparent route to take would be to have ebuilds
such as openssh, apache, and su stack smash protected. This would
prevent common buffer overflow attacks from being used to compromise
security; such attacks would only cause the program attacked to abort,
which could still be used as a Denial of Service attack, but would not
allow successful intrusion.

Gentoo ships gcc with stack smash protection built in. This is
activated by -fstack-protector or -fstack-protector-all. It would be
feasible to add one of these flags to an ebuild based on a FEATURES or
USE setting.

I believe it would be a good idea to have such a FEATURES or USE flag on
by default in all profiles where SSP is supported. In this manner, the
major targets of security attacks would automatically be protected,
while still allowing the user to disable the protection if the user
desires. Users wanting more protection can simply add -fstack-protector
to CFLAGS, or use Hardened Gentoo.

Any comments? Would this be more suitable as a USE or a FEATURES setting?

- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBUaBOhDd4aOud5P8RAv/sAKCGx+cy5D3U35jDvGEFV5fcInF2fwCfbvGM
QvF8iaV8fuNFVQcintwy+2o=
=4Gdc
-----END PGP SIGNATURE-----

--
gentoo-security@g.o mailing list
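The mail proposes adding -fstack-protector to an ebuild's CFLAGS conditionally on a USE or FEATURES setting. The shell script below is an added illustration of that idea and is not code from the mail, from Gentoo, or from any ebuild: it mimics the ebuild-style decision in plain POSIX sh, checking a USE-style word list for an assumed flag named "ssp" and appending -fstack-protector to CFLAGS only when that flag is set and no protector flag is already present (so a user who already chose -fstack-protector-all is left alone). The flag name and the helper function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail or any ebuild): decide whether a
# build should gain -fstack-protector based on a USE-style flag list.
# The flag name "ssp" and the helper names are assumptions for illustration.

# has_use FLAG USE_STRING: succeed when FLAG appears as a whole word in USE_STRING.
has_use() {
    flag=$1
    set -- $2            # split the USE string on whitespace into positional params
    for f in "$@"; do
        [ "$f" = "$flag" ] && return 0
    done
    return 1
}

# ssp_cflags USE_STRING CFLAGS: print CFLAGS, with -fstack-protector appended
# when the "ssp" flag is enabled. An existing -fstack-protector or
# -fstack-protector-all in CFLAGS is respected and never duplicated.
ssp_cflags() {
    use=$1
    cflags=$2
    if has_use ssp "$use"; then
        case " $cflags " in
            *" -fstack-protector"*)   # already protected (plain or -all variant)
                ;;
            *)
                cflags="${cflags:+$cflags }-fstack-protector"
                ;;
        esac
    fi
    printf '%s\n' "$cflags"
}

# Stand-alone demonstration with constructed inputs.
ssp_cflags "ssp hardened" "-O2 -pipe"
ssp_cflags "gtk" "-O2 -pipe"
ssp_cflags "ssp" "-O2 -fstack-protector-all"
```

In a real ebuild the equivalent step would normally go through the flag-o-matic eclass helper append-flags rather than editing CFLAGS by hand; the script above only shows the decision logic. Note that the protection applies only to the code compiled with the flag, so a daemon built this way still depends on the libraries it links against being built the same way.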

Replies

Subject Author
Re: [gentoo-security] Stack smash protected daemons Tobias Klausmann <klausman@××××××××××××.de>
[gentoo-security] Re: [gentoo-dev] Stack smash protected daemons Ned Ludd <solar@g.o>
[gentoo-security] Re: [gentoo-dev] Stack smash protected daemons John Richard Moser <nigelenki@×××××××.net>
[gentoo-security] Re: [gentoo-dev] Stack smash protected daemons John Richard Moser <nigelenki@×××××××.net>