From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-dev+bounces-49568-garchives=archives.gentoo.org@lists.gentoo.org>)
	id 1RqSdL-0002h3-Ob
	for garchives@archives.gentoo.org; Thu, 26 Jan 2012 16:57:11 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 44862E08CE;
	Thu, 26 Jan 2012 16:56:57 +0000 (UTC)
Received: from homiemail-a37.g.dreamhost.com (caiajhbdcaib.dreamhost.com [208.97.132.81])
	by pigeon.gentoo.org (Postfix) with ESMTP id 54333E08B1
	for <gentoo-dev@lists.gentoo.org>; Thu, 26 Jan 2012 16:55:56 +0000 (UTC)
Received: from homiemail-a37.g.dreamhost.com (localhost [127.0.0.1])
	by homiemail-a37.g.dreamhost.com (Postfix) with ESMTP id 1D3EE208069
	for <gentoo-dev@lists.gentoo.org>; Thu, 26 Jan 2012 08:55:55 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=zx2c4.com; h=mime-version
	:in-reply-to:references:date:message-id:subject:from:to:
	content-type; q=dns; s=zx2c4.com; b=oxsNzJz2kWFh9AtNhzt4moZAlZYe
	xe0r75iHkTHuySSyUP1WLcTP3ktwU0gUb+SHOAWHq22mtnAcUZtmlgLxxlt1s30p
	Q6P8TekZ+bXM9uJp9/iaaAucaM4ONxL7j3sJ9rPH54O9bBtUC05IsKH6dD/PPNAT
	J6BRM/Zz8m9KdQs=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=zx2c4.com; h=mime-version
	:in-reply-to:references:date:message-id:subject:from:to:
	content-type; s=zx2c4.com; bh=ZDOkE46jPdTU6VDpbt5wFtTdFKU=; b=Hf
	m8JHs59yB62TahLQs0+MZQFltRZbg1r86OJwaHoeFvBYTpbwon9FWFXDovg/Xbfo
	nqcB+nvNEWCVyC9kKg9E7zXq+paPXvpObBjjarz8bcQR0V6H/xjnaQxvOCcwqo1b
	1Yp7Sl52aVxLYD+oQ2kt096VArry88WM6Eft4eUAg=
Received: from mail-qy0-f181.google.com (mail-qy0-f181.google.com [209.85.216.181])
	(using TLSv1 with cipher RC4-SHA (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: jason@zx2c4.com)
	by homiemail-a37.g.dreamhost.com (Postfix) with ESMTPSA id E29AF208061
	for <gentoo-dev@lists.gentoo.org>; Thu, 26 Jan 2012 08:55:54 -0800 (PST)
Received: by qcpx40 with SMTP id x40so568271qcp.40
        for <gentoo-dev@lists.gentoo.org>; Thu, 26 Jan 2012 08:55:54 -0800 (PST)
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
MIME-Version: 1.0
Received: by 10.229.135.20 with SMTP id l20mr1088140qct.77.1327596954122; Thu,
 26 Jan 2012 08:55:54 -0800 (PST)
Received: by 10.229.89.205 with HTTP; Thu, 26 Jan 2012 08:55:54 -0800 (PST)
In-Reply-To: <201201240058.50060.vapier@gentoo.org>
References: <CAHmME9oDzehZRbOM90u4viQa+xQuHQGyZfcvtqY-8JEWfDSUdA@mail.gmail.com>
	<201201240058.50060.vapier@gentoo.org>
Date: Thu, 26 Jan 2012 17:55:54 +0100
Message-ID: <CAHmME9pyQ7nf+5m==0zvp1R4H7F5UcT-98A5B7C3Cr18Hv789A@mail.gmail.com>
Subject: Re: [gentoo-dev] Can we get PIE on all SUID binaries by default, por favor?
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: gentoo-dev@lists.gentoo.org
Content-Type: multipart/alternative; boundary=00248c6a5adedafbe004b7714043
X-Archives-Salt: 77a0a65c-334b-4631-990a-7975f3319347
X-Archives-Hash: 239be25a522fc7d90e89ac87fd63a0fe

--00248c6a5adedafbe004b7714043
Content-Type: text/plain; charset=ISO-8859-1

On Tue, Jan 24, 2012 at 06:58, Mike Frysinger <vapier@gentoo.org> wrote:
>
> pedantically, PIE+ASLR makes it significantly harder to exploit, not
> impossible
>
> if we could get some general performance numbers that show non-PIE vs PIE,
> that'd help make the case for turning PIE on by default regardless of
> set*id.
>

For starters, though, what about just pooping a Q&A warning for non-PIE
SUID? That way those packages could be fixed, and we'd have a little trial
to see how PIE behaves across different platforms. If that all goes well,
we bump up to default, but that's a far off discussion.



> -mike
>

--00248c6a5adedafbe004b7714043
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<br><div class=3D"gmail_quote">On Tue, Jan 24, 2012 at 06:58, Mike Frysinge=
r <span dir=3D"ltr">&lt;<a href=3D"mailto:vapier@gentoo.org">vapier@gentoo.=
org</a>&gt;</span> wrote:<blockquote class=3D"gmail_quote" style=3D"margin:=
0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

pedantically, PIE+ASLR makes it significantly harder to exploit, not imposs=
ible<br>
<br>
if we could get some general performance numbers that show non-PIE vs PIE,<=
br>
that&#39;d help make the case for turning PIE on by default regardless of s=
et*id.<br></blockquote><div><br></div><div>For starters, though, what about=
 just pooping a Q&amp;A warning for non-PIE SUID? That way those packages c=
ould be fixed, and we&#39;d have a little trial to see how PIE behaves acro=
ss different platforms. If that all goes well, we bump up to default, but t=
hat&#39;s a far off discussion.</div>
<div><br></div><div>=A0</div><blockquote class=3D"gmail_quote" style=3D"mar=
gin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<font color=3D"#888888">-mike<br>
</font></blockquote></div><br><br>

--00248c6a5adedafbe004b7714043--