Subject: [gentoo-security] Re: [gentoo-dev] Re: Stack smash protected daemons
From: John Richard Moser
To: Thierry Carrez
CC: gentoo-dev@lists.gentoo.org, gentoo-security@lists.gentoo.org
Date: Thu, 23 Sep 2004 23:21:33 -0400
Message-ID: <415392BD.1010905@comcast.net>
In-Reply-To: <4152D819.4070205@gentoo.org>
References: <4151A04F.5090304@comcast.net> <41524A85.1020402@comcast.net> <1095917198.29656.64.camel@simple> <415289CF.7070708@gentoo.org> <4152D819.4070205@gentoo.org>

I'm probably repeating myself here . . . heh.

Thierry Carrez wrote:
| Thierry Carrez wrote:
|
|> Restricting ssp to daemons and +s programs is not very
|> useful.
|
| Clarifying this:
|
| SSP is very useful, and it should be used on all executables on a given
| machine. I don't think we should only use it to protect daemons and SUID
| programs, since a lot of buffer overflows are discovered in client
| software and they are also a way of remotely compromising a machine. If
| you protect only exposed services, attackers will turn to passive
| attacks, like virus images, to always exploit the weakest link.
|

How about, make.conf default and make.conf.example:

#
# The "auto-nossp" USE flag will disable -fstack-protector on ebuilds
# that take a significant hit from SSP and aren't a major security
# threat. Ebuilds that break with SSP will have SSP disabled in all
# cases anyway.
#USE="X" ...

#
# For added security, the -fstack-protector flag can be added to prevent
# buffer overflow based attacks. -fno-stack-protector will disable this
# universally; nothing forces it on.
#
# Decent examples:
#CFLAGS="-march=i686 -O2 -pipe -fstack-protector"
#CFLAGS="-mcpu=pentium4 -O3 -pipe -fstack-protector"

This solution may have extra perks. As you said, more than just daemon
software is affected. Rather than tracking it all down, perhaps simply
looking for not-always-great-for-SSP things such as gcc (can you attack
gcc anyway? No really, I want to know) and have a USE flag disable SSP
for them.

Another reason for this route would be that using -fno-stack-protector
in CFLAGS would be overridden by builds explicitly enabling
-fstack-protector. Using -fstack-protector in CFLAGS would be overridden
by ebuilds explicitly setting -fno-stack-protector. The logical
consequences of each (i.e. when -fstack would and wouldn't be applied
based on combinations of the user and portage enabling/disabling it) in
my eyes seem better with this approach.

It all depends on if you want fine control of programs which have SSP,
or fine control of programs which don't have SSP. This solution would be
the latter, and I think it makes more sense than the original proposal;
a more widespread usage of SSP is probably the only way to ensure the
best protection.

Comments?

| -K
|
| --
| gentoo-dev@gentoo.org mailing list
|

--
All content of all messages exchanged herein are left in the Public
Domain, unless otherwise explicitly stated.

--
gentoo-security@gentoo.org mailing list
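The precedence argument in the message above (user CFLAGS versus flags an ebuild sets itself, plus the proposed auto-nossp USE flag) is easy to get wrong, so here is an added example that models it; this is not code from the post or from Gentoo/Portage. It assumes two things: that GCC lets the last -f[no-]stack-protector* option on the command line win (which it does), and that flags an ebuild adds are appended after the user's make.conf CFLAGS, as the post describes. The "auto-nossp" USE flag and the ssp_hungry marker are the post's proposal, modelled here as hypothetical inputs.

```python
# Added example, not from the mailing-list post or from Portage.
# Assumption 1: the LAST -f[no-]stack-protector* option on the GCC
#               command line wins.
# Assumption 2: an ebuild's own flags land AFTER the user's CFLAGS.
# "auto-nossp" and ssp_hungry are hypothetical, taken from the post's idea.
import shlex

SSP_FLAGS = (
    "-fstack-protector",
    "-fstack-protector-all",
    "-fstack-protector-strong",   # newer GCC option, listed for completeness
    "-fno-stack-protector",
)


def effective_ssp_flag(user_cflags, ebuild_flags="", use=(), ssp_hungry=False):
    """Return the stack-protector option that takes effect, or None.

    user_cflags  -- CFLAGS string from make.conf
    ebuild_flags -- flags the ebuild itself adds (assumed appended last)
    use          -- active USE flags; "auto-nossp" is the post's proposal
    ssp_hungry   -- True for an ebuild marked as taking a big hit from SSP
    """
    cmdline = shlex.split(user_cflags) + shlex.split(ebuild_flags)
    # The post's proposal: with USE=auto-nossp, a package marked as
    # SSP-hungry gets -fno-stack-protector appended, overriding the user.
    if "auto-nossp" in use and ssp_hungry:
        cmdline.append("-fno-stack-protector")
    winner = None
    for opt in cmdline:
        if opt in SSP_FLAGS:
            winner = opt          # a later option replaces an earlier one
    return winner


def ssp_enabled(user_cflags, ebuild_flags="", use=(), ssp_hungry=False):
    """True if the resulting binary would be built with stack canaries."""
    flag = effective_ssp_flag(user_cflags, ebuild_flags, use, ssp_hungry)
    return flag is not None and flag != "-fno-stack-protector"


def consequences(user_cflags):
    """The combinations the post reasons about, for one make.conf CFLAGS."""
    return {
        "ebuild silent":          ssp_enabled(user_cflags),
        "ebuild forces on":       ssp_enabled(user_cflags, "-fstack-protector"),
        "ebuild forces off":      ssp_enabled(user_cflags, "-fno-stack-protector"),
        "auto-nossp, hungry pkg": ssp_enabled(user_cflags, use=("auto-nossp",), ssp_hungry=True),
        "auto-nossp, normal pkg": ssp_enabled(user_cflags, use=("auto-nossp",)),
    }


if __name__ == "__main__":
    # Constructed sample CFLAGS, including the two the post suggests.
    for cflags in ("-march=i686 -O2 -pipe",
                   "-march=i686 -O2 -pipe -fstack-protector",
                   "-march=i686 -O2 -pipe -fno-stack-protector"):
        print(f'CFLAGS="{cflags}"')
        for case, on in consequences(cflags).items():
            print(f"  {case:24s} -> SSP {'on' if on else 'off'}")
```

Running it prints the on/off outcome for each case; with no stack-protector option in CFLAGS and a silent ebuild the result is None, which is the "nothing forces it on" behaviour the proposed make.conf comment describes. The table also makes the post's symmetry visible: a user-side -fno-stack-protector loses to an ebuild that appends -fstack-protector, and a user-side -fstack-protector loses to an ebuild (or the auto-nossp rule) that appends -fno-stack-protector.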