Re: [gentoo-dev] Re: Stack smash protected daemons

[Ned Ludd <solar@gentoo.org>]

[-- Attachment #1: Type: text/plain, Size: 3536 bytes --]

dammit are we over complicating this?
You guys seem to be hung up on silly USE/FEATURE flag names.
How about we as Ciaran McCreesh proposed just add it to CFLAGS by
default and deploy stages in such a manner.
Solves everything for most cases and leave the option up to the user to
disable if he/she wants to.

On Thu, 2004-09-23 at 23:21, John Richard Moser wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I'm probably repeting myself here . . .heh.
> 
> Thierry Carrez wrote:
> | Thierry Carrez wrote:
> |
> |
> |>Restricting ssp to daemons and +s programs is not very
> |>useful.
> |
> |
> | Clarifying this :
> |
> | SSP is very useful, and it should be used on all executables on a given
> | machine. I don't think we should only use it to protect daemons and SUID
> | programs, since a lot of buffer overflows are discovered in client
> | software and they are also a way of remotely compromising a machine. If
> | you protect only exposed services, attackers will turn to passive
> | attacks, like virus images, to always exploit the weakest link.
> |
> 
> How about, make.conf default and make.conf.example:
> 
> #
> # The "auto-nossp" USE flag will disable -fstack-protector on ebuilds
> # that take a significant hit from SSP and aren't a major security
> # threat.  Ebuilds that break with SSP will have SSP disabled in all
> # cases anyway.
> #USE="X"
> ...
> #
> # For added security, the -fstack-protector flag can be added to prevent
> # buffer overflow based attacks.  -fno-stack-protector will disable this
> # universally; nothing forces it on.
> #
> # Decent examples:
> #CFLAGS="-march=i686 -O2 -pipe -fstack-protector"
> #CFLAGS="-mcpu=pentium4 -O3 -pipe -fstack-protector"
> 
> 
> This solution may have extra perks.  As you said, more than just daemon
> software is affected.  Rather than tracking it all down, perhaps simply
> looking for not-always-great-for-SSP things such as gcc (can you attack
> gcc anyway?  No really, I want to know) and have a USE flag disable SSP
> for them.
> 
> Another reason for this route would be that using -fno-stack-protector
> in CFLAGS would be overriden by builds explicitely enabling
> - -fstack-protector.  Using -fstack-protector in CFLAGS would be overriden
> by ebuilds explicitely setting -fno-stack-protector.  The logical
> consequences of each (i.e. when -fstack would and wouldn't be applied
> based on combinations of the user and portage enabling/disabling it) in
> my eyes seem better with this approach.
> 
> It all depends on if you want fine control of programs which have SSP,
> or fine control of programs which don't have SSP.  This solution would
> be the latter, and I think it makes more sense than the original
> proposal; a wider spread usage of SSP is probably the only way to ensure
> the best protection.
> 
> Comments?
> 
> | -K
> |
> | --
> | gentoo-dev@gentoo.org mailing list
> |
> |
> 
> - --
> All content of all messages exchanged herein are left in the
> Public Domain, unless otherwise explicitly stated.
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> 
> iD8DBQFBU5K8hDd4aOud5P8RAo08AJ4xNx6IkHDjDhQX43sfKNiNJmz10wCfbrM7
> eI5ZweX0wl8uG7l0vH3Z+YI=
> =C/8F
> -----END PGP SIGNATURE-----
> 
> --
> gentoo-dev@gentoo.org mailing list
-- 
Ned Ludd <solar@gentoo.org>
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]