From: "Paweł Hajdan, Jr." <phajdan.jr@gentoo.org>
Date: Fri, 27 Jan 2012 20:39:24 +0100
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Can we get PIE on all SUID binaries by default, por favor?
Message-ID: <4F22FD6C.2020807@gentoo.org>
References: <201201240058.50060.vapier@gentoo.org>

On 1/27/12 8:02 PM, Jason A. Donenfeld wrote:
> I've just been informed that RHEL does not allow non-PIE executables. We
> really should follow suit here.

I'm generally in favor of enabling more hardening features by default (i.e. reversing the default, so that people who want to disable PIE can still do it). Note that the hardened profile uses PIE by default iirc.

The most common argument against it is performance loss I think, and there are probably fewer than 10 packages that have some compilation issues with PIE. In my opinion we can deal with that, and security benefits are much more important.

If the discussion on this doesn't get conclusive, how about adding the question to the Council's agenda?
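An added check for the situation the thread is about, not code from the original message or from Gentoo's own tooling: it walks a set of directories, picks out setuid/setgid files, and classifies each by its ELF header. For an executable, `e_type == ET_DYN` is what `-pie` produces and `e_type == ET_EXEC` is a fixed-address, non-PIE binary, so the output is the list of privileged binaries that still lack PIE (the same answer `readelf -h` or `file` gives, read directly from the header). Shared libraries are also `ET_DYN`, but a setuid file is by definition something meant to be executed, so the ambiguity does not arise here. The default search roots and the `make_elf_header` helper (which builds a constructed header for testing, not a real binary) are assumptions of this example.

```python
"""Added example, not from the original thread: list setuid/setgid files
and flag those not built as PIE, by reading the ELF header directly."""
import os
import stat
import struct
from typing import Iterator, Optional, Tuple

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2   # fixed load address: not PIE
ET_DYN = 3    # position independent: PIE (or a shared library)


def elf_type(header: bytes) -> Optional[int]:
    """Return e_type from a file's leading bytes, or None if it is not ELF.

    ELF32 and ELF64 share these offsets: e_ident[EI_DATA] at byte 5 gives the
    byte order (1 = little endian, 2 = big endian); e_type is the 16-bit field
    at offset 16, stored in that byte order.
    """
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        return None
    order = {1: "<", 2: ">"}.get(header[5])
    if order is None:
        return None
    return struct.unpack_from(order + "H", header, 16)[0]


def classify(header: bytes) -> str:
    """Map a file's leading bytes to 'pie', 'no-pie', 'not-elf' or 'other'."""
    e_type = elf_type(header)
    if e_type is None:
        return "not-elf"   # e.g. a setuid shell script or wrapper
    if e_type == ET_EXEC:
        return "no-pie"
    if e_type == ET_DYN:
        return "pie"
    return "other"         # ET_REL, ET_CORE, ...: not runnable anyway


def is_setid(st: os.stat_result) -> bool:
    """True for a regular file with the setuid or setgid bit set."""
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def scan(roots) -> Iterator[Tuple[str, str]]:
    """Yield (path, classification) for every setuid/setgid file under roots."""
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)        # lstat: do not follow symlinks
                    if not is_setid(st):
                        continue
                    with open(path, "rb") as fh:
                        head = fh.read(64)     # an ELF64 header is 64 bytes
                except OSError:
                    continue                   # unreadable: skip, not fatal
                yield path, classify(head)


def make_elf_header(e_type: int, little_endian: bool = True, elf64: bool = True) -> bytes:
    """Constructed 64-byte ELF header for testing; not a real binary."""
    order = "<" if little_endian else ">"
    e_ident = ELF_MAGIC + bytes([2 if elf64 else 1, 1 if little_endian else 2, 1]) + b"\0" * 9
    # e_type, e_machine (62 = x86-64), e_version, then zero padding to 64 bytes
    return e_ident + struct.pack(order + "HHI", e_type, 62, 1) + b"\0" * 40


if __name__ == "__main__":
    import sys
    # Assumed default roots; pass others on the command line.
    roots = sys.argv[1:] or ["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/libexec"]
    for path, kind in scan(roots):
        if kind != "pie":
            print(f"{kind:8} {path}")
```

Run it as root (or as a user that can read the setuid files) and anything printed as `no-pie` is a privileged binary that was linked without `-pie`; `not-elf` lines are setuid scripts or other non-ELF files, which this check cannot say anything about.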