From: Thierry Carrez
Organization: Gentoo Linux
Date: Thu, 23 Sep 2004 16:05:13 +0200
To: gentoo-dev@lists.gentoo.org
CC: gentoo-security@lists.gentoo.org
Subject: [gentoo-dev] Re: Stack smash protected daemons

Thierry Carrez wrote:

> Restricting ssp to daemons and +s programs is not very
> useful.

Clarifying this: SSP is very useful, and it should be used on all executables on a given machine.
I don't think we should only use it to protect daemons and SUID programs, since a lot of buffer overflows are discovered in client software and they are also a way of remotely compromising a machine. If you protect only exposed services, attackers will turn to passive attacks, like virus images, to always exploit the weakest link.

-K

--
gentoo-dev@gentoo.org mailing list