Re: ProPolice/SSP in 7.0

Alexander Kabaev wrote:
> On Thu, 27 Dec 2007 23:52:02 +0100
> Dag-Erling Sm繪rgrav <des@des.no> wrote:
>
>   
>> Gunther Mayer <gunther.mayer@googlemail.com> writes:
>>     
>>> I've known about ProPolice/SSP for a while now (from the Gentoo
>>> world) and am aware that FreeBSD 7.0 doesn't yet support it though
>>> I know of Jeremy Le Hen's patches
>>> (http://tataz.chchile.org/~tataz/FreeBSD/SSP/).
>>>       
>> Wrong.  FreeBSD 7 has had SSP support since May; the patch you mention
>> just turns it on by default.  You can probably achieve the same effect
>> by adding -fstack-protector to CFLAGS and COPTFLAGS in make.conf.
>>
>> DES
>> -- 
>> Dag-Erling Sm繪rgrav - des@des.no
>>     
>
>   Wrong.
>
>   Actually, FreeBSD 7 _compiler_ has SSP support, but a lot of necessary
> changes from Jeremy to enable it by default for 'make buildworld' and
> allow switching of SSP on/off for subsequent builds never made it to the
> tree.
>   
That's what I thought. I'm not sure if CFLAGS and COPTFLAGS work the 
same for both ports and buildworld but then again I don't know enough 
about FreeBSD's build system.

Besides, I'm still waiting for some feedback regarding the kernel patch, 
I'm a bit hesitant to apply it in a production environment.

Another thing I'm wondering about, applying the patches and recompiling 
is all fair and well but what do I do when I need to apply a security 
patch and there happens to be a merge conflict because I'm now working 
off a non-standard (patched) set of sources? I just want a hassle free 
way to add SSP to my systems...

Btw, I second the motion of having SSP enabled by default in FreeBSD, 
other OS's have been doing this for years at a negligible performance 
overhead.

Gunther
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"