From: Ciaran McCreesh
To: gentoo-dev@lists.gentoo.org
Date: Thu, 23 Sep 2004 17:27:35 +0100
Subject: Re: [gentoo-dev] Re: Stack smash protected daemons

On Thu, 23 Sep 2004 16:05:13 +0200 Thierry Carrez wrote:
| SSP is very useful, and it should be used on all executables on a
| given machine. I don't think we should only use it to protect daemons
| and SUID programs, since a lot of buffer overflows are discovered in
| client software and they are also a way of remotely compromising a
| machine. If you protect only exposed services, attackers will turn to
| passive attacks, like virus images, to always exploit the weakest
| link.

Ok, so what you're basically saying is that you want a variable which
enables -fstack-protector for any c executable at a global level. I'd
like to propose a variable called 'CFLAGS' which can be set in make.conf
for that kind of thing.

-- 
Ciaran McCreesh : Gentoo Developer (Sparc, MIPS, Vim, Fluxbox)
Mail            : ciaranm at gentoo.org
Web             : http://dev.gentoo.org/~ciaranm