Date: Fri, 28 Dec 2007 14:24:47 +0200
From: Gunther Mayer <gunther.mayer@googlemail.com>
To: freebsd-security@freebsd.org
Subject: Re: ProPolice/SSP in 7.0
Message-ID: <4774EB0F.90103@googlemail.com>
In-Reply-To: <20071227195833.154b41ae@kan.dnsalias.net>
References: <477277FF.30504@googlemail.com> <86myrvhht9.fsf@ds4.des.no> <20071227195833.154b41ae@kan.dnsalias.net>
Alexander Kabaev wrote:
> On Thu, 27 Dec 2007 23:52:02 +0100
> Dag-Erling Smørgrav <des@des.no> wrote:
>
>> Gunther Mayer <gunther.mayer@googlemail.com> writes:
>>
>>> I've known about ProPolice/SSP for a while now (from the Gentoo
>>> world) and am aware that FreeBSD 7.0 doesn't yet support it though
>>> I know of Jeremy Le Hen's patches
>>> (http://tataz.chchile.org/~tataz/FreeBSD/SSP/).
>>>
>> Wrong. FreeBSD 7 has had SSP support since May; the patch you mention
>> just turns it on by default. You can probably achieve the same effect
>> by adding -fstack-protector to CFLAGS and COPTFLAGS in make.conf.
>>
>> DES
>> --
>> Dag-Erling Smørgrav - des@des.no
>>
>
> Wrong.
>
> Actually, FreeBSD 7 _compiler_ has SSP support, but a lot of necessary
> changes from Jeremy to enable it by default for 'make buildworld' and
> allow switching of SSP on/off for subsequent builds never made it to the
> tree.
>

That's what I thought. I'm not sure if CFLAGS and COPTFLAGS work the same for both ports and buildworld, but then again I don't know enough about FreeBSD's build system. Besides, I'm still waiting for some feedback regarding the kernel patch; I'm a bit hesitant to apply it in a production environment.

Another thing I'm wondering about: applying the patches and recompiling is all fair and well, but what do I do when I need to apply a security patch and there happens to be a merge conflict because I'm now working off a non-standard (patched) set of sources? I just want a hassle-free way to add SSP to my systems...

Btw, I second the motion of having SSP enabled by default in FreeBSD; other OSes have been doing this for years at a negligible performance overhead.

Gunther
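Whichever route is used to turn SSP on (the make.conf CFLAGS/COPTFLAGS suggestion above or the patch set), the thing a practitioner wants afterwards is a way to confirm a binary actually picked up -fstack-protector. The script below is an added example, not something from this thread or from the FreeBSD tree: it assumes only grep and find, and relies on the fact that a dynamically linked binary built with the stack protector imports __stack_chk_fail from libc, so the name stays in .dynstr even after strip(1). A stripped statically linked binary loses the symbol name, so the check cannot say anything about it.

```shell
#!/bin/sh
# Added example: report whether executables reference the SSP runtime.

# ssp_enabled FILE
#   exit 0 if FILE references __stack_chk_fail (built with -fstack-protector),
#   exit 1 if it does not, exit 2 if FILE is missing.
ssp_enabled() {
    bin="$1"
    [ -f "$bin" ] || { echo "ssp_enabled: no such file: $bin" >&2; return 2; }
    # The import name lives in the dynamic string table, so a raw search
    # over the file is enough and needs no binutils. Caveat: a stripped
    # statically linked binary no longer carries the name at all.
    grep -q '__stack_chk_fail' "$bin"
}

# ssp_audit DIR
#   print one line per executable under DIR, prefixed "ssp" or "no-ssp",
#   so the output can be grepped for binaries that missed the flag.
ssp_audit() {
    dir="$1"
    find "$dir" -type f -perm -u+x 2>/dev/null | while read -r f; do
        if ssp_enabled "$f"; then
            echo "ssp     $f"
        else
            echo "no-ssp  $f"
        fi
    done
}

# Usage when run directly, e.g. after a buildworld/installworld:
#   ./ssp_audit.sh /usr/local/bin | grep '^no-ssp'
if [ "${1:-}" ]; then
    ssp_audit "$1"
fi
```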