Module Name:    src
Committed By:   jruoho
Date:           Wed Apr 21 05:39:13 UTC 2010

Modified Files:
        src/share/man/man8: security.8

Log Message:
Add a paragraph also for "FORTIFY_SOURCE" (or USE_FORT).


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/share/man/man8/security.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/share/man/man8/security.8
diff -u src/share/man/man8/security.8:1.21 src/share/man/man8/security.8:1.22
--- src/share/man/man8/security.8:1.21	Wed Apr 21 05:05:07 2010
+++ src/share/man/man8/security.8	Wed Apr 21 05:39:13 2010
@@ -1,4 +1,4 @@
-.\" $NetBSD: security.8,v 1.21 2010/04/21 05:05:07 jruoho Exp $
+.\" $NetBSD: security.8,v 1.22 2010/04/21 05:39:13 jruoho Exp $
 .\"
 .\" Copyright (c) 2006 Elad Efrat <e...@netbsd.org>
 .\" All rights reserved.
@@ -296,6 +296,35 @@
 .Nx 6.0 ,
 .Em SSP
 is used by default on i386 and amd64 architectures.
+.Ss FORTIFY_SOURCE
+The so-called
+.Em FORTIFY_SOURCE
+is a relatively simple technique to detect a subset of buffer overflows
+before these can do damage.
+It is integrated to
+.Xr gcc 1
+together with some common memory and string functions in the standard
+C library of
+.Nx .
+.Pp
+The underlying idea builds on the observation that there are cases where
+the compiler knows the size of a buffer (cf.
+.Xr __builtin_object_size 3 ) .
+If a buffer overflow is suspected in a function that does little or no
+bounds checking, either a compile time warning can be issued or a
+safer substitute function can be used at runtime.
+.Pp
+The
+.Em FORTIY_SOURCE
+is enabled by default in some parts of the
+.Nx
+source tree.
+It is also possible to explicitly enable it by defining
+the following in
+.Xr mk.conf 5 :
+.Bd -literal -offset indent
+USE_FORT=yes
+.Ed
 .Sh PER-USER TEMPORARY STORAGE
 It is possible to configure per-user temporary storage to avoid potential
 security issues (race conditions, etc.) in programs that do not make secure
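Review bot: The macro name is misspelled as "FORTIY_SOURCE" in the .Em line of the third added paragraph (the one followed by "is enabled by default in some parts of the"); it should read FORTIFY_SOURCE to match the .Ss heading and the first paragraph. In the first paragraph, "It is integrated to" reads better as "It is integrated into". The last paragraph tells the reader to set USE_FORT=yes in mk.conf but never says how that variable relates to FORTIFY_SOURCE; a short clause stating that USE_FORT is the build variable that turns the feature on would close the gap, since only the commit log ties the two names together. It would also help to say which "parts of the source tree" have it enabled by default, or to point to where that is decided, so an administrator can tell whether setting the variable changes anything for them.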
