ProPolice/SSP in 7.0
Gunther Mayer
gunther.mayer at googlemail.com
Fri Dec 28 04:26:15 PST 2007

Alexander Kabaev wrote:
> On Thu, 27 Dec 2007 23:52:02 +0100
> Dag-Erling Smørgrav <des at des.no> wrote:
>
>
>> Gunther Mayer <gunther.mayer at googlemail.com> writes:
>>
>>> I've known about ProPolice/SSP for a while now (from the Gentoo
>>> world) and am aware that FreeBSD 7.0 doesn't yet support it though
>>> I know of Jeremy Le Hen's patches
>>> (http://tataz.chchile.org/~tataz/FreeBSD/SSP/).
>>>
>> Wrong. FreeBSD 7 has had SSP support since May; the patch you mention
>> just turns it on by default. You can probably achieve the same effect
>> by adding -fstack-protector to CFLAGS and COPTFLAGS in make.conf.
>>
>> DES
>> --
>> Dag-Erling Smørgrav - des at des.no
>>
>
> Wrong.
>
> Actually, FreeBSD 7 _compiler_ has SSP support, but a lot of necessary
> changes from Jeremy to enable it by default for 'make buildworld' and
> allow switching of SSP on/off for subsequent builds never made it to the
> tree.
>
That's what I thought. I'm not sure if CFLAGS and COPTFLAGS work the
same for both ports and buildworld, but then again I don't know enough
about FreeBSD's build system.

Besides, I'm still waiting for some feedback regarding the kernel patch;
I'm a bit hesitant to apply it in a production environment.

Another thing I'm wondering about: applying the patches and recompiling
is all fair and well, but what do I do when I need to apply a security
patch and there happens to be a merge conflict because I'm now working
off a non-standard (patched) set of sources? I just want a hassle-free
way to add SSP to my systems...

Btw, I second the motion of having SSP enabled by default in FreeBSD;
other OSes have been doing this for years at a negligible performance
overhead.

Gunther