Date: Sun, 12 Feb 2012 21:58:52 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: -fstack-protector-all and -lssp

Solar,

On Sun, Feb 05, 2012 at 13:25 +0400, Solar Designer wrote:
> > 6) -D_FORTIFY_SOURCE=2
> > 
> > For (6) and (4) we need glibc update first.  AFAIU, (5) needs modern
> > glibc too.
> > 
> > As Solar said, we're able to use -fstack-protector somehow
> > without glibc, but not to do double work, just enable it with modern
> > glibc.
> 
> I am not sure which is best - do it now or after glibc update.

Nevertheless, I'll enable -fstack-protector _after_ glibc update.  The
documentation about -fstack-protector, libssp, libssp_nonshared, pie is
not very clear for me.  All compilation and usage samples I found are
about modern glibc.  Enabling -fstack-protector-all by default without
glibc's support of SSP needs additional changes of gcc's spec
definitions (in gcc/gcc.c), which are poorly documented.  I really don't
see any profit of pre-glibc update SSP enabling.  It's better to handle
in parallel with _FORTIFY_SOURCES.

Thanks,

-- 
Vasiliy
