Date: Fri, 28 Dec 2007 14:24:47 +0200
From: Gunther Mayer
To: freebsd-security@freebsd.org
Subject: Re: ProPolice/SSP in 7.0
Message-ID: <4774EB0F.90103@googlemail.com>
In-Reply-To: <20071227195833.154b41ae@kan.dnsalias.net>
References: <477277FF.30504@googlemail.com> <86myrvhht9.fsf@ds4.des.no> <20071227195833.154b41ae@kan.dnsalias.net>

Alexander Kabaev wrote:
> On Thu, 27 Dec 2007 23:52:02 +0100
> Dag-Erling Smørgrav wrote:
>
>
>> Gunther Mayer writes:
>>
>>> I've known about ProPolice/SSP for a while now (from the Gentoo
>>> world) and am aware that FreeBSD 7.0 doesn't yet support it though
>>> I know of Jeremy Le Hen's patches
>>> (http://tataz.chchile.org/~tataz/FreeBSD/SSP/).
>>>
>> Wrong. FreeBSD 7 has had SSP support since May; the patch you mention
>> just turns it on by default. You can probably achieve the same effect
>> by adding -fstack-protector to CFLAGS and COPTFLAGS in make.conf.
>>
>> DES
>> --
>> Dag-Erling Smørgrav - des@des.no
>>
>
> Wrong.
>
> Actually, FreeBSD 7 _compiler_ has SSP support, but a lot of necessary
> changes from Jeremy to enable it by default for 'make buildworld' and
> allow switching of SSP on/off for subsequent builds never made it to the
> tree.
>

That's what I thought.
I'm not sure if CFLAGS and COPTFLAGS work the same for both ports and buildworld, but then again I don't know enough about FreeBSD's build system. Besides, I'm still waiting for some feedback regarding the kernel patch; I'm a bit hesitant to apply it in a production environment.

Another thing I'm wondering about: applying the patches and recompiling is all fair and well, but what do I do when I need to apply a security patch and there happens to be a merge conflict because I'm now working off a non-standard (patched) set of sources? I just want a hassle-free way to add SSP to my systems...

Btw, I second the motion of having SSP enabled by default in FreeBSD; other OSes have been doing this for years at a negligible performance overhead.

Gunther
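
Added example, not part of the original message or of FreeBSD: a heuristic check for the question raised in this thread, namely whether `-fstack-protector` set through CFLAGS actually reached the binaries that ports and buildworld produced. It assumes GCC's usual behaviour of calling `__stack_chk_fail` from protected functions; the function names `ssp_status` and `audit_dir` are hypothetical.

```sh
#!/bin/sh
# Added example: heuristic audit of which ELF files show evidence of GCC
# stack protection.
#
# Functions that -fstack-protector instruments call __stack_chk_fail, so a
# dynamically linked binary with at least one protected function carries
# that name in its dynamic string table, even after strip(1).

# ssp_status FILE: print "ssp", "no-ssp" or "not-elf".
ssp_status() {
    # ELF files begin with the bytes 7f 45 4c 46 ("\177ELF").
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo "not-elf"
    elif LC_ALL=C grep -q -F '__stack_chk_fail' "$1"; then
        echo "ssp"
    else
        # No evidence found. This also covers stripped static binaries and
        # programs where no function has a buffer that GCC chose to protect.
        echo "no-ssp"
    fi
}

# audit_dir DIR: print "<status><TAB><path>" for every ELF file under DIR.
audit_dir() {
    find "$1" -type f | while IFS= read -r f; do
        s=$(ssp_status "$f")
        [ "$s" = "not-elf" ] || printf '%s\t%s\n' "$s" "$f"
    done
}

# When run as a script: audit the directories given as arguments.
for dir in "$@"; do
    audit_dir "$dir"
done
```

A "no-ssp" result means no evidence was found, not proof that the flag was absent at build time. A library that defines the handler itself also matches.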