From: Gunther Mayer <gunther.mayer@googlemail.com>
To: freebsd-security@freebsd.org
Date: Tue, 25 Dec 2007 16:38:54 +0200
Message-ID: <477115FE.2070705@gmail.com>
Subject: ProPolice/SSP in 7.0

Hi there,

I'm still running 6.2 on various servers without any tweaks (GENERIC kernel, binary updates via freebsd-update etc.) but lots of ports (apache, postgresql, diablo-jdk etc.), and I would like to use stack smashing protection in order to harden my boxes and avoid many potential exploits.

I've known about ProPolice/SSP for a while now (from the Gentoo world) and am aware that FreeBSD 7.0 doesn't yet support it, though I know of Jeremy Le Hen's patches (http://tataz.chchile.org/~tataz/FreeBSD/SSP/). Some time after 7.0 is released I'd like to upgrade and apply SSP throughout kernel, userland and ports while I'm at it. However, it being an unsupported patchset and all, I have some concerns which I'd like some feedback on well before I embark on this project:

1. Will FreeBSD ever support SSP natively?

2. How good is the kernel patch, and how many people out there are using it?

3. Does using the kernel and userland patch mean that I am eternally stuck with compiling from source if I want to keep SSP on all the time (gone are the days of freebsd-update luxury)?

4. What's the story with libssp? Jeremy reckons that it's a lost cause and causes more trouble than it's worth. Yet libssp seems to be the only thing that is actually fully integrated in 7.0.

Gunther