Russell Coker wrote:
| On Mon, 26 Jul 2004 02:57, John Richard Moser <[EMAIL PROTECTED]> wrote:
|
|>I'm interested in discussing the viability of PaX on Debian. I'd like
|>to discuss the changes to the base system that would be made, the costs
|>in terms of overhead and compatibility, the gains in terms of security,
|>and the mutability (elimination) of the costs.
|
|
| Before we can even start thinking about PaX on Debian we need to find a
| maintainer for the kernel patch who will package new versions of the patch
| which apply to the Debian kernel source tree. We have had a few flame-wars
| about this in the past which have had no positive result because no-one has
| volunteered to do the kernel coding work.
|
|
Are you talking PaX or grsecurity? PaX is significantly less invasive than grsecurity. There will still be issues, of course.
Where would I see Debian's 2.6.7 source tree? I'm not a deb user, remember, so I'll need a tarball or something.
|>A PaX protected base system would be best compiled ET_DYN, which can be
|>done by using modified spec files or a specially patched gcc to make
|>pies-by-default binaries. Certain things don't compile this way; and
|>thus would need this functionality disabled (modified spec, -fno-pic
|>-nopie). This will be discussed in greater detail later.
|
|
| Debian does not use spec files, spec files are for RPM based distributions.
| It would have to be a modification to debian/rules in all the packages, or a
| modification to gcc and/or dpkg-buildpackage.
|
No, gcc spec files, that tell gcc how to behave. This was used on Gentoo to mess with gcc's default behavior for a while.
Try the command:
gcc -dumpspecs
Also try looking at:
/usr/lib/gcc-lib/<Target>/<version>/specs
You'd need to fudge that file I believe to alter gcc's default behavior. This was done by the Hardened Gentoo project, but was dropped in favor of a gcc patch. Either way, it's been done before.
|
|>A PaX protected base would also benefit from Stack Smash Protection,
|>which can be done via the gcc patch ProPolice. This imposes minimal
|>overhead, which will be discussed in greater detail later. It overlaps
|>and extends many of the protections PaX offers, but catches earlier on;
|>and is thus a good system to pair with PaX.
|
|
| We have recently discussed this on at least one of the lists you posted to.
| The end result of the discussion is that GCC is getting another SSP type
| technology known as "mudflap". Mudflap depends on some major new features of
| GCC 3.5, so it looks like we won't be getting this until GCC 3.5 as the
| Debian GCC people don't want to merge in other patches which have no apparent
| chance of being included upstream.
|
Then don't use ProPolice/SSP for now.
-- All content of all messages exchanged herein are left in the Public Domain, unless otherwise explicitly stated.
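
The ET_DYN point raised in this thread can be checked on an installed system, to see which binaries are still ET_EXEC. The following Python is an added example, not part of the original message or of PaX: it reads e_type from the ELF header and, as an assumed heuristic, treats an ET_DYN file with a PT_INTERP segment as a PIE executable rather than a shared library. The names classify_elf and _sample are hypothetical, and the sample headers are constructed.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3  # e_type values from the ELF specification
PT_INTERP = 3           # program header naming the dynamic loader

def classify_elf(data: bytes) -> str:
    """Classify an ELF image by e_type; PIE vs. library is a heuristic."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return "not ELF"
    is64 = data[4] == 2                 # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian
    if is64 and len(data) < 64:
        return "not ELF"
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if e_type == ET_EXEC:
        return "ET_EXEC"                # linked at a fixed load address
    if e_type != ET_DYN:
        return "other"
    # ET_DYN covers shared libraries and PIE executables alike. Assumption:
    # an executable carries a PT_INTERP segment, a plain library does not.
    if is64:
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break                       # program headers beyond what was read
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            return "ET_DYN (PIE)"
    return "ET_DYN (library)"

def _sample(e_type: int, interp: bool) -> bytes:
    """Constructed 32-bit little-endian ELF header plus one program header."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    hdr = struct.pack("<HHIIIIIHHHHHH",
                      e_type, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_INTERP if interp else 1, 0, 0, 0, 0, 0, 0, 0)
    return ident + hdr + phdr

if __name__ == "__main__":
    for path in sys.argv[1:]:           # e.g. /bin/ls /usr/sbin/sshd
        with open(path, "rb") as f:
            print(path, classify_elf(f.read(4096)))
```

Run with file paths as arguments to list each binary's class; only the first 4096 bytes are read, which is where the program headers normally sit.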