On Thu, 2005-10-06 at 10:16 -0400, Richard Freeman wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Olivier CrĂȘte wrote: > > On Thu, 2005-06-10 at 15:06 +0200, Marco Matthies wrote: > >>Do we have stack-smashing protection, and can this actually help against > >>return to libc attacks? Judging from the gcc USE flags, it seems to be > >>there at least -- is it also activated automatically? > > > > What you want is Gentoo Hardened [1]. They maintain a toolchain (gcc, > > etc) with the security oriented stuff. And also a security oriented > > kernel (hardened-sources) that includes stuff like address space > > randomization, stronger chroot, etc .. > > > > Too bad the latest firefox upgrade filters out -fstack-protector... > > I don't run hardened per-se, but I do use stack-smashing protection. > I'm not sure why it isn't a default-supported config on gentoo. A fair > number of ebuilds don't work with it. We also used to have the > grsecurity patches in gentoo-sources, but I don't think this is the case > anymore. > > It seems odd that these aren't standard gentoo features. That would > probably give them more widespread support rather than devs just looking > at you funny when you mention having something other than -O2 in your > CFLAGS. Other than for debugging is there any reason not to have > stack-smashing protection and address-space randomization?
The big reason would be because gcc 3.3.x (the stable compiler on x86) doesn't support it. It has a patch that adds the option to gcc, but it does nothing. Until x86 is on 3.4.x by default, you can't expect full support for stack-protector. Daniel -- [email protected] mailing list
