
Re: SSP for Debian unstable. was Re: security enhanced debian branch?



On Sun, Jan 04, 2004 at 11:04:16PM +1100, Russell Coker wrote:

> OK.  So I guess that programs which aren't important for security should be 
> compiled without SSP then.

  I guess so if you do not wish things to be depleted.  Perhaps looking
 at

> Is the default of your gcc packages with SSP to enable or disable it?  How do 
> I force the other behaviour?

  I believe the default is to have it disabled.  I know that I've been
 explicitly enabling it via a wrapper in all my builds.

  The two relevant flags are:

  	-fstack-protector
	-fno-stack-protector

  The test code at the following URL is a quick means of testing this:

  	http://shellcode.org/Cat/test.html

> Depleted entropy is a concern.  Also with SE Linux everything is disabled by 
> default and you have to enable the operations that are desired.

  Disabling services etc, and capabilities does seem sensible and is
 best practice - but it seems to me that /dev/u?random is a facility 
 in a different class.

Steve
--
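
A self-check for the two flags discussed above, added here as an example; it is not part of the original mail and is not the test code at the linked URL. It assumes a GCC recent enough to predefine the `__SSP__` family of macros, and the function names are illustrative.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* GCC (4.1 and later) predefines these per -fstack-protector* mode. */
int ssp_level(void) {
#if defined(__SSP_ALL__)
    return 3;                 /* -fstack-protector-all */
#elif defined(__SSP_STRONG__)
    return 2;                 /* -fstack-protector-strong */
#elif defined(__SSP__)
    return 1;                 /* -fstack-protector */
#else
    return 0;                 /* -fno-stack-protector, or default off */
#endif
}

/* Read at run time so the compiler cannot reason about the length. */
static volatile size_t overrun_len = 64;

/* Writes n bytes into a 16-byte stack buffer; n > 16 overruns it on purpose. */
__attribute__((noinline)) static void fill(size_t n) {
    char buf[16];
    volatile char *p = buf;
    for (size_t i = 0; i < n; i++)
        p[i] = 'A';
}

/* Runs the overrun in a child process. Returns the signal that killed the
 * child, 0 if it exited normally, or -1 if fork/waitpid failed. */
int overrun_signal(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { fill(overrun_len); _exit(0); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void) {
    printf("SSP level: %d, child killed by signal: %d\n",
           ssp_level(), overrun_signal());
    return 0;
}
```

Build it once with `-fstack-protector` and once with `-fno-stack-protector`: with the protector on, the canary check kills the child (SIGABRT on glibc). With it off, the overrun is undefined behaviour and the result depends on the compiler and stack layout.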


