What about exec-shield by Ingo Molnar? http://people.redhat.com/mingo/exec-shield/ it seems it is less intrusive then other kernel patches and can be enabled/disabled at run-time Stripped from annoucement: The exec-shield feature provides protection against stack, buffer or function pointer overflows, and against other types of exploits that rely on overwriting data structures and/or putting code into those structures. The patch also makes it harder to pass in and execute the so-called 'shell-code' of exploits. The patch works transparently, ie. no application recompilation is necessary. [...] There is a new boot-time kernel command line option called exec-shield=, which has 4 values. Each value represents a different level of security: exec-shield=0 - always-disabled exec-shield=1 - default disabled, except binaries that enable it exec-shield=2 - default enabled, except binaries that disable it exec-shield=3 - always-enabled the current patch defaults to 'exec-shield=2'. The security level can also be changed runtime, by writing the level into /proc: echo 0 > /proc/sys/kernel/exec-shield end; Maybe Debian could default to exec-shield=1 ? O. On Thu, 2003-08-21 at 04:57, Russell Coker wrote: > Who is interested in stack protection? > > I think it would be good to have some experiments of stack protected packages > for Debian. Probably the best way to do this would be to start with > ssh-stack and sysklogd-stack being uploaded to experimental. I don't have > time to do this, but I would like to help test it. > > Also is there any interest in uploading a kernel-image package with the grsec > PaX support built in? -- Ondřej Surý <ondrej@sury.org>
Attachment:
signature.asc
Description: This is a digitally signed message part