Re: SSP for Debian unstable. was Re: security enhanced debian branch?
On Sun, Jan 04, 2004 at 11:04:16PM +1100, Russell Coker wrote:
> OK. So I guess that programs which aren't important for security should be
> compiled without SSP then.
I guess so if you do not wish things to be depleted. Perhaps looking
at
> Is the default of your gcc packages with SSP to enable or disable it? How do
> I force the other behaviour?
I believe the default is to have it disabled. I know that I've been
explicitly enabling it via a wrapper in all my builds.
The two relevant flags are:
  -fstack-protector
  -fno-stack-protector
The test code at the following URL is a quick means of testing this:
http://shellcode.org/Cat/test.html
> Depleted entropy is a concern. Also with SE Linux everything is disabled by
> default and you have to enable the operations that are desired.
Disabling services etc, and capabilities does seem sensible and is
best practice - but it seems to me that /dev/u?random is a facility
in a different class.
Steve
--
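As an added example (not part of the original message, nor the test code it links to), the following script reports which behaviour a compiler uses by default and checks that each of the two flags forces the expected one. It assumes a current GCC or Clang, where protected functions reference `__stack_chk_fail`; the names `ssp_status` and `ssp_report` and the probe source are constructed for this illustration.

```shell
#!/bin/sh
# Added example: report whether a compiler emits stack-protector checks.
# Assumption: a current GCC or Clang, which calls __stack_chk_fail when the
# canary does not match. Other SSP implementations may use another symbol.

CC="${CC:-cc}"

# ssp_status [extra compiler flags...]
# Prints "enabled", "disabled", or "unknown" (no usable compiler or flag).
ssp_status() {
    tmpdir=$(mktemp -d) || { echo unknown; return 0; }
    # Constructed probe: a 64-byte char array handed to an external function,
    # so the buffer cannot be optimised away and qualifies for protection.
    cat > "$tmpdir/t.c" <<'EOF'
extern void fill(char *p);
int probe(void)
{
    char buf[64];
    fill(buf);
    return buf[0];
}
EOF
    # Compile to assembly only; no linking, so fill() needs no definition.
    if "$CC" "$@" -S -o "$tmpdir/t.s" "$tmpdir/t.c" 2>/dev/null; then
        if grep -q '__stack_chk_fail' "$tmpdir/t.s"; then
            echo enabled
        else
            echo disabled
        fi
    else
        echo unknown
    fi
    rm -rf "$tmpdir"
}

# Print the compiler default next to the two forced settings.
ssp_report() {
    echo "compiler default:      $(ssp_status)"
    echo "-fstack-protector:     $(ssp_status -fstack-protector)"
    echo "-fno-stack-protector:  $(ssp_status -fno-stack-protector)"
}

ssp_report
```

Set `CC` to the compiler under test, for example the wrapper used for package builds, to see what that build path actually produces.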