Re: PaX on Debian
-----BEGIN PGP SIGNED MESSAGE-----
Russell Coker wrote:
| On Mon, 26 Jul 2004 02:57, John Richard Moser <email@example.com>
|>I'm interested in discussing the viability of PaX on Debian. I'd like
|>to discuss the changes to the base system that would be made, the costs
|>in terms of overhead and compatibility, the gains in terms of security,
|>and the mutability (elimination) of the costs.
| Before we can even start thinking about PaX on Debian we need to find a
| maintainer for the kernel patch who will package new versions of the
| which apply to the Debian kernel source tree. We have had a few
| about this in the past which have had no positive result because
| volunteered to do the kernel coding work.
Are you talking PaX or grsecurity? PaX is significantly less invasive
than grsecurity. There will still be issues, of course.
Where would I see debian's 2.6.7 source tree? I'm not a deb user,
remember, so I'll need a tarball or something.
|>A PaX protected base system would be best compiled ET_DYN, which can be
|>done by using modified spec files or a specially patched gcc to make
|>pies-by-default binaries. Certain things don't compile this way; and
|>thus would need this functionality disabled (modified spec, -fno-pic
|>-nopie). This will be discussed in greater detail later.
| Debian does not use spec files, spec files are for RPM based
| It would have to be a modification to debian/rules in all the
packages, or a
| modification to gcc and/or dpkg-buildpackage.
No, gcc spec files, that tell gcc how to behave. This was used on
gentoo to mess with gcc's default behavior for a while.
try the command:
Also try looking at:
You'd need to fudge that file I believe to alter gcc's default behavior.
~ This was done by the Hardened Gentoo project, but was dropped in favor
of a gcc patch. Either way, it's been done before.
|>A PaX protected base would also benefit from Stack Smash Protection,
|>which can be done via the gcc patch ProPolice. This imposes minimal
|>overhead, which will be discussed in greater detail later. It overlaps
|>and extends many of the protections PaX offers, but catches earlier on;
|>and is thus a good system to pair with PaX.
| We have recently discussed this on at least one of the lists you
| The end result of the discussion is that GCC is getting another SSP type
| technology known as "mudflap". Mudflap depends on some major new
| GCC 3.5, so it looks like we won't be getting this until GCC 3.5 as the
| Debian GCC people don't want to merge in other patches which have no
| chance of being included upstream.
Then don't use ProPolice/SSP for now.
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitely stated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----