Hello,
I frequently use abs and makepkg, mainly because I have -fstack-protector-all in CFLAGS/CXXFLAGS. I've been doing this for years, and more than 99% of packages have no problem with this flag. Actually I can't remember any problems at all, but I don't compile everything.
Could -fstack-protector-all, or at least -fstack-protector, be a default compiler flag? Maybe some other easy steps like LDFLAGS including "-z relro -z now -z noexecstack"? Maybe other compiler/linker flags; Fedora at least seems to do a good job using them.
Exactly how will that improve security?
Arch - It's something refreshing
Maybe this option should be used for server applications only? squid/ssd/httpd etc.?
I don't think there is much use for it in applications such as gnome/kde/xfce or even xorg and the kernel. But it is definitely a good addition for server applications. Maybe someone with knowledge of compilers can give a better opinion.
Adds some protection for buffer overflows. Even unknown ones.
The "GCC extension for protecting applications from stack-smashing attacks" started at http://www.research.ibm.com/trl/projects/security/ssp, where you can find information about it. It has been in the official gcc for some releases now. I'm not sure it has to be used everywhere, but it doesn't hurt. I use this on servers for network services and related (ssh, mail, http, php). An option to PKGBUILD to add package-specific options to the CFLAGS from /etc/makepkg.conf and precompiled packages with the stack protector would be great (imho, of course). At least for the packages commonly used on servers.
Last edited by VikM (2007-11-11 17:27:54)
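To see whether a built package actually carries the flags discussed in this thread, the sketch below inspects an ELF file for the traces each one leaves. It is an added example, not code from any poster or from Arch; the function names and the sample binary are constructed for illustration, and only 64-bit little-endian ELF is handled.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, PF_X = 0x8, 0x1, 0x1

def hardening_report(elf: bytes) -> dict:
    """Which of the thread's flags left a trace in a 64-bit little-endian ELF."""
    if elf[:4] != b"\x7fELF" or elf[4:6] != b"\x02\x01":
        raise ValueError("only 64-bit little-endian ELF is handled")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    # Heuristic: code built with -fstack-protector* references __stack_chk_fail.
    report = {"stack_protector": b"__stack_chk_fail" in elf,
              "noexecstack": False, "relro": False, "bind_now": False}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset = struct.unpack_from("<IIQ", elf, off)
        (p_filesz,) = struct.unpack_from("<Q", elf, off + 0x20)
        if p_type == PT_GNU_STACK:        # -z noexecstack clears PF_X
            report["noexecstack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:      # -z relro
            report["relro"] = True
        elif p_type == PT_DYNAMIC:        # -z now sets a BIND_NOW/NOW entry
            for d in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, d)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    report["bind_now"] = True
    return report

def constructed_elf(stack_flags=6, relro=True, now=True, canary=True) -> bytes:
    """Constructed sample input: headers only, not a loadable program."""
    phdrs = [(PT_GNU_STACK, stack_flags, 0, 0)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0))
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if now else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    phdrs.append((PT_DYNAMIC, 6, 64 + 56 * (len(phdrs) + 1), len(dyn)))
    head = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    table = b"".join(struct.pack("<IIQQQQQQ", t, f, o, 0, 0, s, s, 8)
                     for t, f, o, s in phdrs)
    return head + table + dyn + (b"\0__stack_chk_fail\0" if canary else b"")

if __name__ == "__main__":
    print(hardening_report(constructed_elf()))
```

The stack-protector check is a string heuristic: a binary built with plain -fstack-protector may contain no function that qualifies for a canary, and a statically linked or stripped binary may not keep the symbol name.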