tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: tcpdump: drop privileges by default?

Christos Zoulas wrote:
In article 
Elad Efrat  <> wrote:
On Wed, Sep 9, 2009 at 3:59 PM, Thor Lancelot Simon<> 

I think [tcpdump], and a lot of similar things, should be paxctl +A +M at
install time.  What do you think?
I agree but think we should probably do that in -current long enough
before a release happens so it gets thoroughly tested. I know our ASLR
doesn't work too well with some programs yet.

To take advantage of ASLR, you should build PIE binaries. Otherwise only
the stack segment and the shared libraries get randomized.

I agree, but I was referring to issues of ASLR breaking some programs,
like tar (PR/40575). I didn't test to see if this goes away when tar is
built as a PIE. :)

The issues
with making PIE the default are performance and stability.

Performance is something we can let people "give up on" (even more so
once we have numbers) -- what stability issues are you referring to
though? (what I mention above?)



Home | Main Index | Thread Index | Old Index