Hi there,

I'm still running 6.2 on various servers without any tweaks (GENERIC kernel, binary updates via freebsd-update etc.) but lots of ports (apache, postgresql, diablo-jdk etc.) and would like to use stack smashing protection in order to harden my boxes and avoid many potential exploits.

I've known about ProPolice/SSP for a while now (from the Gentoo world) and am aware that FreeBSD 7.0 doesn't yet support it, though I know of Jeremy Le Hen's patches (http://tataz.chchile.org/~tataz/FreeBSD/SSP/). Some time after 7.0 is released I'd like to upgrade and apply SSP throughout kernel, userland and ports while I'm at it. However, being an unsupported patchset and all, I have some concerns which I'd like some feedback on well before I embark on this project:

1. Will FreeBSD ever support SSP natively?
2. How good is the kernel patch and how many people out there are using it?
3. Does using the kernel and userland patch mean that I am eternally stuck to compiling from source if I want to keep SSP on all the time (gone are the days of freebsd-update luxury)?
4. What's the story with libssp? Jeremy reckons that it's a lost cause and causes more trouble than it's worth. Yet libssp seems to be the only thing that is actually fully integrated in 7.0.

Gunther
> 3. Does using the kernel and userland patch mean that I am eternally
> stuck to compiling from source if I want to keep SSP on all the
> time (gone are the days of freebsd-update luxury)?

You could always use another box to generate the builds & patches & point all your servers to the build box in the freebsd-update.conf to fetch patches.
Hi Gunther,

On Tue, Dec 25, 2007 at 04:38:54PM +0200, Gunther Mayer wrote:
> Hi there,
>
> I'm still running 6.2 on various servers without any tweaks (GENERIC kernel,
> binary updates via freebsd-update etc.) but lots of ports (apache,
> postgresql, diablo-jdk etc.) and would like to use stack smashing protection
> in order to harden my boxes and avoid many potential exploits.
>
> I've known about ProPolice/SSP for a while now (from the Gentoo world) and
> am aware that FreeBSD 7.0 doesn't yet support it though I know of Jeremy Le
> Hen's patches (http://tataz.chchile.org/~tataz/FreeBSD/SSP/). Some time
> after 7.0 is released I'd like to upgrade and apply SSP throughout kernel,
> userland and ports while I'm at it. However, being an unsupported patchset
> and all, I have some concerns which I'd like some feedback on well before I
> embark on this project:
>
> 1. Will FreeBSD ever support SSP natively?
> 2. How good is the kernel patch and how many people out there are
> using it?

I can't speak for the quality of the kernel bits myself, but at least I can state that I'm sure that in case of a stack-based buffer overflow the kernel will crash instead of being exploited.

> 3. Does using the kernel and userland patch mean that I am eternally
> stuck to compiling from source if I want to keep SSP on all the
> time (gone are the days of freebsd-update luxury)?
> 4. What's the story with libssp? Jeremy reckons that it's a lost
> cause and causes more trouble than it's worth. Yet libssp seems to
> be the only thing that actually fully integrated in 7.0

GNU libssp is provided in FreeBSD 7.0, but it is not used, because libc already provides the required symbols (lib/libc/sys/stack_protector.c). I think GNU libssp is useful only when compiling something without libc support (-nodefaultlibs).

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
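As an added illustration of the two points in the reply above ("crash instead of being exploited", and libc rather than libssp supplying the symbols), here is a miniature model of what -fstack-protector inserts into a function. This is example code written for this page, not code from the thread, from Jeremie's patches or from FreeBSD's libc. The guard value is a constructed constant so the results are reproducible; the real __stack_chk_guard that lib/libc/sys/stack_protector.c exports is filled from kernel randomness when the process starts, and its __stack_chk_fail() aborts the process instead of returning a status as the model does.

```c
/*
 * Added example, not code from the thread or from FreeBSD: a miniature
 * model of the canary check that -fstack-protector (ProPolice/SSP)
 * inserts into a function. The guard below is a constructed constant;
 * FreeBSD's libc (lib/libc/sys/stack_protector.c) seeds the real
 * __stack_chk_guard from kernel randomness at process start.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 16

/* Stands in for __stack_chk_guard (hypothetical fixed value, chosen so
 * that no byte of it equals the 'A' used in the constructed input). */
static const unsigned long example_guard = 0x9c21b60aUL;

/*
 * Model of a protected frame. ProPolice places character arrays
 * directly below the canary, and the canary below the saved frame
 * pointer and return address, so an overflow running off the end of
 * buf must pass through the canary before it can reach the return
 * address.
 */
struct protected_frame {
    char buf[BUF_SIZE];
    unsigned long canary;
};

/*
 * Unchecked copy of len bytes into buf, as a vulnerable strcpy()/memcpy()
 * would do. The copy is clamped at the end of the whole frame so the
 * model stays well-defined C; in a real binary the bytes would continue
 * into the saved return address.
 *
 * Returns 0 if the canary is intact at "function return" and 1 if it was
 * overwritten, which is the case where the compiler-generated epilogue
 * calls __stack_chk_fail() and libc aborts the process.
 */
int copy_with_canary(const char *input, size_t len)
{
    struct protected_frame frame;

    memset(&frame, 0, sizeof frame);
    frame.canary = example_guard;        /* prologue: store the guard */

    if (len > sizeof frame)
        len = sizeof frame;
    memcpy(&frame, input, len);          /* the unchecked copy into buf */

    /* epilogue: the canary must still equal the guard before returning */
    if (frame.canary != example_guard)
        return 1;                        /* real SSP: __stack_chk_fail() */
    return 0;
}

/*
 * Constructed attacker input: n bytes of 'A'. Returns what
 * copy_with_canary() reports for that input (-1 on allocation failure).
 */
int probe_overflow(size_t n)
{
    char *p = malloc(n ? n : 1);
    int hit;

    if (p == NULL)
        return -1;
    memset(p, 'A', n);
    hit = copy_with_canary(p, n);
    free(p);
    return hit;
}

int main(void)
{
    size_t sizes[] = { 8, 16, 17, 24, 64 };
    size_t i;

    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("%2zu-byte input: %s\n", sizes[i],
               probe_overflow(sizes[i]) ? "canary clobbered, would abort"
                                        : "canary intact");
    return 0;
}
```

The two marked lines are what the compiler adds to every protected function's prologue and epilogue; everything else is the vulnerable code unchanged. Two caveats follow directly from the model: SSP only fires when the overflow actually reaches the canary, so a write that stays inside buf but corrupts a neighbouring local is not caught (ProPolice's reordering of locals, arrays above scalars, exists to narrow that case), and an attacker who can read the guard through a separate information leak can write it back and pass the check, which is why the guard must be secret and per-process rather than a fixed constant as in this model.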