From owner-freebsd-security@FreeBSD.ORG Fri Oct 28 07:09:47 2005
From: Patrick Bihan-Faou (netZuno Technologies)
To: freebsd-security@freebsd.org
Date: Fri, 28 Oct 2005 09:09:41 +0200
Subject: Re: Non-executable stack
Message-ID: <4361CEB5.8050305@netzuno.com>
In-Reply-To: <200510272017.02565.db@traceroute.dk>
References: <200510270608.51571.db@traceroute.dk> <200510271511.36004.db@traceroute.dk> <20051027195842.GA19013@ada.devbox.be> <200510272017.02565.db@traceroute.dk>

db wrote:
> On Thursday 27 October 2005 19:58, you wrote:
>
>>> Ok thanks, but I was looking for a kernel level patch. Btw which ports
>>> will break?
>>>
>> I did not keep a list, but as far as I remember, the 'pure-pw' binary
>> from pure-ftpd was the last thing that failed. Because it was not
>> visible in the first place (the port built fine), I decided the risk of
>> breaking things without noticing it was not worth it.
>>
>
> Ok, I was planning on using pure-ftpd.
>
>
>> I don't mean that it's a bad thing, but it will cost you some time to
>> find the bugs, report the bugs and get them fixed. And if you are
>> willing to use it in a production environment, you have to fully test
>> the software each time you are upgrading to be sure things will not
>> break. It's also not officially supported as far as I know.
>>
>
> I'm not a kernel hacker and only have access to ia32, so I can't help develop
> or test it, but I hope someone with the right skills and means also thinks
> it's about time we give the admins and users the option of a non-executable
> stack (and heap). If I can help in any way I will. Maybe my next computer
> will be an AMD64, I think it must be the cheapest of the platforms with
> hardware support for execute and read permission distinction on memory?
>

We are using the stack protection patches for GCC in production servers
running FreeBSD 4.11 and everything runs well. We are using a fairly
large number of ports (from samba to php to postgresql, etc.) and none
have shown issues with this feature.

Note that since it is a compiler and library patch, the kernel also
benefits from it.

I would say that if a port misbehaves with this, then it is more likely
a problem with the port.

I can't comment on how it works in FreeBSD 5 or 6, but in FreeBSD 4.11
it rocks.

Patrick.
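The message above contrasts two different mitigations: the non-executable stack that db is asking for, and the GCC stack-protection (canary) patches that Patrick runs in production. The following is an added example, not code from the thread, from FreeBSD or from GCC: it builds by hand the frame layout the stack protector produces (local array below a canary word, canary below the saved frame pointer and return address) and shows why a port that overruns one of its own buffers is the thing that fails once the canary is in place. The canary value, the stand-in return address, the frame offsets and the all-'A' payload are all constructed here for the demonstration; a real protector uses a per-process random canary and the real saved registers.

```c
/*
 * Added example (not from the thread, FreeBSD or GCC): a hand-built model of
 * the stack-canary layout that the GCC stack-protection (ProPolice/SSP)
 * patches insert in every function that has a local array.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN  16            /* the vulnerable local buffer */
#define CANARY   0xdeadbeefu   /* assumed fixed; the real protector uses a random value */
#define FAKE_RET 0x0804abcdu   /* constructed stand-in for the saved return address */

/* Model frame, lowest address first, the way the protector arranges it:
 *   [ buf (BUF_LEN) ][ canary (4) ][ saved frame pointer / return address ]
 * Locals are reordered so that arrays sit below the canary; a linear
 * overflow therefore hits the canary before it can reach the return address. */
enum {
    BUF_OFF    = 0,
    CANARY_OFF = BUF_LEN,
    RET_OFF    = CANARY_OFF + sizeof(uint32_t),
    FRAME_LEN  = RET_OFF + sizeof(uintptr_t)
};

/*
 * Copies n bytes from src into the buffer at the bottom of the model frame
 * with no length check, as a buggy strcpy()/memcpy() in a port would.
 * Returns 1 when the canary survived (the protected function would return
 * normally) and 0 when it was overwritten (the protected function would call
 * __stack_chk_fail and abort instead of returning through a corrupted frame).
 * If ret_out is non-NULL it receives the saved return address as it stands
 * after the copy, so the caller can see whether the overflow reached it.
 */
int guarded_copy(const unsigned char *src, size_t n, uintptr_t *ret_out)
{
    unsigned char frame[FRAME_LEN];
    uint32_t canary = CANARY;
    uintptr_t saved_ret = FAKE_RET;

    /* The model frame is all this function owns, so the copy is clamped to
     * it; a real overflow would carry on into the caller's frame. */
    if (n > FRAME_LEN)
        n = FRAME_LEN;

    memcpy(frame + CANARY_OFF, &canary, sizeof canary);
    memcpy(frame + RET_OFF, &saved_ret, sizeof saved_ret);

    memcpy(frame + BUF_OFF, src, n);      /* the bug: n may exceed BUF_LEN */

    memcpy(&canary, frame + CANARY_OFF, sizeof canary);
    memcpy(&saved_ret, frame + RET_OFF, sizeof saved_ret);
    if (ret_out)
        *ret_out = saved_ret;
    return canary == CANARY;
}

/* Returns 1 if an n-byte copy of 'A's leaves the canary intact, else 0. */
int canary_survives(size_t n)
{
    unsigned char payload[FRAME_LEN];
    memset(payload, 'A', sizeof payload);
    return guarded_copy(payload, n, NULL);
}

/* Returns 1 if an n-byte copy of 'A's reaches the saved return address. */
int return_address_clobbered(size_t n)
{
    unsigned char payload[FRAME_LEN];
    uintptr_t ret;
    memset(payload, 'A', sizeof payload);
    guarded_copy(payload, n, &ret);
    return ret != FAKE_RET;
}

int main(void)
{
    size_t n;

    /* Walk the copy length past the buffer and report what each stage hits. */
    for (n = BUF_LEN; n <= FRAME_LEN; n += sizeof(uint32_t))
        printf("copy %2zu bytes: canary %s, return address %s\n", n,
               canary_survives(n) ? "intact" : "SMASHED (process would abort)",
               return_address_clobbered(n) ? "overwritten" : "untouched");
    return 0;
}
```

The run shows the ordering that matters: at 16 bytes nothing is disturbed, at 20 bytes the canary is gone while the return address is still clean, and only longer copies reach the return address. That is the whole bet of the compiler patch: a buffer overrun that a port previously got away with now takes the canary out first and the process aborts, which is why a misbehaving port under this patch is, as Patrick says, most likely a bug in the port. A non-executable stack is orthogonal to this: it does nothing about the overwrite itself, it only refuses to run code that the overflow placed on the stack, and it cannot catch the 20-byte case above at all since no code was executed.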