Date: Fri, 28 Oct 2005 09:09:41 +0200 From: Patrick Bihan-Faou <patrick.bihan-faou@netzuno.com> To: freebsd-security@freebsd.org Subject: Re: Non-executable stack Message-ID: <4361CEB5.8050305@netzuno.com> In-Reply-To: <200510272017.02565.db@traceroute.dk> References: <200510270608.51571.db@traceroute.dk> <200510271511.36004.db@traceroute.dk> <20051027195842.GA19013@ada.devbox.be> <200510272017.02565.db@traceroute.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
db wrote: > On Thursday 27 October 2005 19:58, you wrote: > >>> Ok thanks, but I was looking for a kernel level patch. Btw which ports >>> will break? >>> >> I did not keep a list, but as far as I remember, the 'pure-pw' binary >> from pure-ftpd was the last thing that failed. Because it was not >> visible in first place (the port builded fine), I decided the risk of >> breaking things without noticing it was not worth it. >> > > Ok, I was planing on using pure-ftpd. > > >> I don't mean that it's a bad thing, but it will cost you some time to >> find the bugs, report the bugs and get them fixed. And if you are >> willing to use it in a production environment, you have to fully test >> the software eacht time you are upgrading to be sure things will not >> break. It's also not officially supported as far as I know. >> > > I'm not a kernel hacker and only have access to ia32, so I can't help develop > or test it, but I hope someone with the right skills and means also think > it's about time we give the admins and users the option of a non-executable > stack (and heap). If I can help in any way I will. Maybe my next computer > will be an AMD64, I think it must be the cheapest of the platforms with > hardware support for execute and read permission distinction on memory? > We are using the stack protection patches for GCC in production servers running FreeBSD 4.11 and everything runs well. We are using a fairly large number of ports (from samba to php to postgresql, etc.) and none have shown issues with this feature. Note that since it is a compiler and library patch, the kernel also benefits from it. I would say that if a port misbehaves with this, then it is more likely a problem with the port. I can't comment on how it work in FreeBSD 5 or 6, but in FreeBSD 4.11 it rocks. Patrick.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4361CEB5.8050305>