From Dagmar:

] Hey while I'm sitting here staring at it, here's something
] I think is pretty useful. It's a late descendant from all
] those non-executable stack patches for gcc so you can
] build somewhat hardened binaries if you're not chronically
] addicted to rpms. This one seems to be the most reasonable
] to work with that I've seen as well. It doesn't require
] you to keep older copies of your compiler around, since you
] tell it to build protected binaries with a new -f argument
] (usually passed through CFLAGS).

Thoughts on RPM...

If you consider yourself a serious admin on any system that uses RPMs, and you can't work with SRPMs to the extent of being able to drop in patches and whatnot, you are missing a key skillset. RPM foo is uber useful. I keep the SRPMs handy for all the key software I'm using, so I can drop in quick patches, do quick rebuilds that are ready to push out to multiple machines, and make custom versions of stuff with ease. I do like being able to lean on the vendor for quick updates, but I also like the ability to tweak/extend what they give me, and to carry along those changes. RPM is actually pretty good for this. It's easy to drop in patches, rebuild, and push out new packages fast.

My own personal rule is that if it sits on a port that any hostile network (internet) can get at, I'm prepared to drop in patches and rebuild it at will.

There is a link on this to a page with patches and instructions for how to apply this to the RH62 RPMs. It's a simple process. You can adapt it to 7 or 8. You can script it. Make it something you can kickstart. Etc. I've done similar.

That being said... This is cool. I like this. I'm going to check it out. I'm also glad to see Dagmar posting stuff. :)

GCC extension for protecting applications from stack-smashing attacks
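The "drop in a patch, rebuild, push it out" workflow described above, as an added, scriptable example; this is not code from the post, from Dagmar, or from the ProPolice project. It edits an RPM spec file the way you would when rebuilding an SRPM with an extra patch: it declares a new PatchN tag, applies it in %prep after the existing %patch lines, and exports the hardening flag through CFLAGS in %build, which is where the "-f argument usually passed through CFLAGS" lands. The spec file is constructed for illustration, the patch file name is hypothetical, and the flag name -fstack-protector is assumed (the post only says "a new -f argument"); $RPM_OPT_FLAGS is the real rpm macro carrying the vendor's default optimization flags.

```shell
#!/bin/sh
# Added example: add a patch to a spec file and pass a hardening flag via
# CFLAGS, as a step in an SRPM rebuild. Not the poster's or ProPolice's code.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SPEC="$WORK/exampled.spec"

# Constructed minimal spec in the shape of a real one (not a real package).
cat > "$SPEC" <<'EOF'
Summary: example network daemon
Name: exampled
Version: 1.0
Release: 1
Source0: exampled-1.0.tar.gz
Patch0: exampled-1.0-fix.patch

%description
Example.

%prep
%setup -q
%patch0 -p1

%build
%configure
make

%install
make install DESTDIR=$RPM_BUILD_ROOT
EOF

# next_patch_number SPEC: highest existing PatchN tag plus one (0 if none).
next_patch_number() {
    n=$(sed -n 's/^Patch\([0-9][0-9]*\):.*/\1/p' "$1" | sort -n | tail -1)
    if [ -z "$n" ]; then echo 0; else echo $((n + 1)); fi
}

# add_patch SPEC PATCHFILE: declare PatchN after the last Source/Patch tag and
# apply it (-p1) right after the last %setup/%patch line in %prep, so patches
# keep applying in declaration order.
add_patch() {
    spec=$1; patch=$2
    num=$(next_patch_number "$spec")
    awk -v tag="Patch${num}: ${patch}" -v apply="%patch${num} -p1" '
        /^(Source|Patch)[0-9]*:/ { lasttag = NR }
        /^%patch/ || /^%setup/   { lastapply = NR }
        { line[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) {
                print line[i]
                if (i == lasttag)   print tag
                if (i == lastapply) print apply
            }
        }' "$spec" > "$spec.tmp" && mv "$spec.tmp" "$spec"
}

# add_cflag SPEC FLAG: export CFLAGS at the top of %build, keeping the vendor's
# $RPM_OPT_FLAGS and appending FLAG. Idempotent: skipped if FLAG already appears.
add_cflag() {
    spec=$1; flag=$2
    if grep -q -- "$flag" "$spec"; then return 0; fi
    awk -v flag="$flag" '
        { print }
        /^%build/ { print "export CFLAGS=\"$RPM_OPT_FLAGS " flag "\"" }
    ' "$spec" > "$spec.tmp" && mv "$spec.tmp" "$spec"
}

# Hypothetical patch file name; -fstack-protector is the assumed flag.
add_patch "$SPEC" "exampled-1.0-gcc-stack-protector.patch"
add_cflag "$SPEC" "-fstack-protector"

cat "$SPEC"
# After this you would copy the patch into SOURCES/ and run
# rpmbuild -ba (or rpm -ba on older releases) against the edited spec.
```

The flag goes into CFLAGS rather than into a ~/.rpmmacros %optflags override so the change travels with the spec and rebuilds identically on every machine the package is pushed to, which is the point the post makes about carrying your changes along.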