Non-executable stack

[Patrick Bihan-Faou]

db wrote:
> On Thursday 27 October 2005 19:58, you wrote:
>   
>>> Ok thanks, but I was looking for a kernel level patch. Btw which ports
>>> will break?
>>>       
>> I did not keep a list, but as far as I remember, the 'pure-pw' binary
>> from pure-ftpd was the last thing that failed. Because it was not
>> visible in first place (the port builded fine), I decided the risk of
>> breaking things without noticing it was not worth it.
>>     
>
> Ok, I was planing on using pure-ftpd.
>
>   
>> I don't mean that it's a bad thing, but it will cost you some time to
>> find the bugs, report the bugs and get them fixed. And if you are
>> willing to use it in a production environment, you have to fully test
>> the software eacht time you are upgrading to be sure things will not
>> break. It's also not officially supported as far as I know.
>>     
>
> I'm not a kernel hacker and only have access to ia32, so I can't help develop 
> or test it, but I hope someone with the right skills and means also think 
> it's about time we give the admins and users the option of a non-executable 
> stack (and heap). If I can help in any way I will. Maybe my next computer 
> will be an AMD64, I think it must be the cheapest of the platforms with 
> hardware support for execute and read permission distinction on memory?
>   

We are using the stack protection patches for GCC in production servers 
running FreeBSD 4.11 and everything runs well. We are using a fairly 
large number of ports (from samba to php to postgresql, etc.) and none 
have shown issues with this feature.

Note that since it is a compiler and library patch, the kernel also 
benefits from it. I would say that if a port misbehaves with this, then 
it is more likely a problem with the port.

I can't comment on how it work in FreeBSD 5 or 6, but in FreeBSD 4.11 it 
rocks.

Patrick.