Module Name:	src
Committed By:	jruoho
Date:		Wed Apr 21 05:39:13 UTC 2010

Modified Files:
	src/share/man/man8: security.8

Log Message:
Add a paragraph also for "FORTIFY_SOURCE" (or USE_FORT).

To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/share/man/man8/security.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files: Index: src/share/man/man8/security.8 diff -u src/share/man/man8/security.8:1.21 src/share/man/man8/security.8:1.22 --- src/share/man/man8/security.8:1.21 Wed Apr 21 05:05:07 2010 +++ src/share/man/man8/security.8 Wed Apr 21 05:39:13 2010 @@ -1,4 +1,4 @@ -.\" $NetBSD: security.8,v 1.21 2010/04/21 05:05:07 jruoho Exp $ +.\" $NetBSD: security.8,v 1.22 2010/04/21 05:39:13 jruoho Exp $ .\" .\" Copyright (c) 2006 Elad Efrat <e...@netbsd.org> .\" All rights reserved. @@ -296,6 +296,35 @@ .Nx 6.0 , .Em SSP is used by default on i386 and amd64 architectures. +.Ss FORTIFY_SOURCE +The so-called +.Em FORTIFY_SOURCE +is a relatively simple technique to detect a subset of buffer overflows +before these can do damage. +It is integrated to +.Xr gcc 1 +together with some common memory and string functions in the standard +C library of +.Nx . +.Pp +The underlying idea builds on the observation that there are cases where +the compiler knows the size of a buffer (cf. +.Xr __builtin_object_size 3 ) . +If a buffer overflow is suspected in a function that does little or no +bounds checking, either a compile time warning can be issued or a +safer substitute function can be used at runtime. +.Pp +The +.Em FORTIY_SOURCE +is enabled by default in some parts of the +.Nx +source tree. +It is also possible to explicitly enable it by defining +the following in +.Xr mk.conf 5 : +.Bd -literal -offset indent +USE_FORT=yes +.Ed .Sh PER-USER TEMPORARY STORAGE It is possible to configure per-user temporary storage to avoid potential security issues (race conditions, etc.) in programs that do not make secure
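
Review bot: In the third added paragraph of the FORTIFY_SOURCE hunk, the macro line ".Em FORTIY_SOURCE" is misspelled and should read ".Em FORTIFY_SOURCE", matching the ".Ss FORTIFY_SOURCE" heading and the first paragraph; as written, the rendered page shows the wrong name and a search for the feature name will miss that paragraph. In the first paragraph, "It is integrated to" would read better as "It is integrated into". The second paragraph says a "safer substitute function can be used at runtime" but stops short of saying what the substitute does when it detects an overflow; one sentence on that behaviour would tell an administrator what to expect from a program built with USE_FORT=yes.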