Enable gcc's -fstack-protector-all by default?

Darren Tucker dtucker at zip.com.au
Tue Nov 27 07:30:09 EST 2007


Rick Jones wrote:
> Darren Tucker wrote:
[...]
>> Can anyone think of a good reason not to enable it if the compiler
>> supports it?  A quick test here shows minimal difference in runtime over
>> a full regress pass (~10sec over 8.5 minutes, and since the machine is
>> not entirely idle that could be experimental error).
> 
> Is this stack protection architecture neutral?

I'm not sure, but I suspect that it is, given that HPPA was (last time I 
looked) one of the main development platforms for gcc and that the 
documentation doesn't say anything about it being platform specific. 
That said, I haven't actually tried it on a stack-grows-up architecture 
like HPPA (and can't at the moment).

WRT the cookie entropy source, it uses /dev/urandom if you have it, 
but failing that it will fall back to a static cookie, so it's weaker 
but not quite worthless if you don't have kernel random support.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
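The guard mechanism discussed in this thread, as an added example that is not code from gcc, glibc or OpenSSH: a canary is installed after a local buffer and checked before the function returns, with the guard value read from /dev/urandom and a static cookie as the fallback. The frame is modelled as a struct so the oversize copy stays inside one object, and STATIC_COOKIE is an arbitrary placeholder, not any runtime's real constant.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fallback guard when no kernel random device exists; the value is an
 * arbitrary placeholder, not the constant any real runtime uses. */
#define STATIC_COOKIE ((uintptr_t)0xff0a55aau)

/* Model of an instrumented frame: local buffer, then the guard word that
 * the function epilogue checks before returning. */
struct frame { char buf[16]; uintptr_t canary; };

/* Pick the guard: /dev/urandom if present, else the static cookie.
 * Returns 1 when the value came from the kernel, 0 on fallback. */
int canary_init(uintptr_t *out)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f != NULL) {
        size_t n = fread(out, sizeof *out, 1, f);
        fclose(f);
        if (n == 1 && *out != 0)
            return 1;
    }
    *out = STATIC_COOKIE;
    return 0;
}

/* Write `len` bytes of `fill` into the frame starting at buf, clamped only
 * to the struct size so the write never leaves the object. Returns 1 if
 * the guard changed (overflow detected), 0 if it survived. */
int guarded_copy(uintptr_t canary, size_t len, unsigned char fill)
{
    struct frame fr;
    unsigned char src[sizeof fr];   /* constructed input */
    memset(src, fill, sizeof src);
    fr.canary = canary;             /* prologue: install guard */
    if (len > sizeof fr)
        len = sizeof fr;
    memcpy(&fr, src, len);          /* the unchecked copy */
    return fr.canary != canary;     /* epilogue: verify guard */
}

int main(void)
{
    uintptr_t c;
    printf("guard from %s\n", canary_init(&c) ? "/dev/urandom" : "static cookie");
    printf("16 bytes: %s\n", guarded_copy(c, 16, 'A') ? "SMASHED" : "intact");
    printf("24 bytes: %s\n", guarded_copy(c, 24, 'A') ? "SMASHED" : "intact");
    return 0;
}
```

A copy that fills exactly the buffer leaves the guard untouched, while one byte more already trips the check; the static-cookie path shows why a guessable guard is weaker than a kernel-supplied one even though the check itself still runs.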
