From: "Devon H. O'Dell"
To: "'Peter Jeremy'"
cc: security@freebsd.org
Date: Tue, 12 Aug 2003 13:21:11 +0200
Organization: SiteTronics
Message-ID: <004001c360c3$da6cf9d0$9f8d2ed5@internal>
In-Reply-To: <20030812111522.GA66788@cirb503493.alcatel.com.au>
Subject: RE: realpath(3) et al

It would, though, be trivial to implement this with a #define based upon
the kernel configuration, would it not? Protecting against stack smashing
is quite important; I think many hosting environments not using LISP or
other executable-stack-reliant packages would benefit from this. By
negating the ability to execute injected code through a buffer overflow,
security is highly increased.
By implementing it as a kernel configuration option, I don't think we
would lose out at all.

Kind regards,

Devon H. O'Dell
Systems and Network Engineer
Simpli, Inc. Web Hosting
http://www.simpli.biz

> -----Original message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On behalf of Peter Jeremy
> Sent: Tuesday, August 12, 2003 1:15 PM
> To: Devon H. O'Dell
> CC: security@freebsd.org
> Subject: Re: realpath(3) et al
>
> On Tue, Aug 12, 2003 at 11:02:16AM +0200, Devon H. O'Dell wrote:
> >Features such as a protected stack should, IMO, be implemented as soon as
> >possible to keep FreeBSD heads-afloat right now in the security sense....
> >OpenBSD has implemented this already and there are many patches for Linux to
> >do the same... why don't we go ahead and shove some of this code into CVS?
>
> By "protected" I presume you mean "non-executable". Whilst making the
> stack non-executable is trivial, making the system still work isn't.
> I believe the FreeBSD signal handling still relies on a signal
> trampoline on the stack. Some ports also expect an executable stack
> (most commonly lisp implementations).
>
> Some years ago, I tried implementing a non-executable stack on a
> Solaris box. Interleaf promptly stopped working so I had to undo the
> change.
>
> Peter