Enable gcc's -fstack-protector-all by default?
dtucker at zip.com.au
Tue Nov 27 07:30:09 EST 2007
Rick Jones wrote:
> Darren Tucker wrote:
>> Can anyone think of a good reason not to enable it if the compiler
>> supports it? A quick test here shows minimal difference in runtime over
>> a full regress pass (~10sec over 8.5 minutes, and since the machine is
>> not entirely idle that could be experimental error).
> Is this stack protection architecture neutral?
I'm not sure but I suspect that it is given that HPPA was (last time I
looked) one of the main development platforms for gcc and that the
documentation doesn't say anything about it being platforms specific.
That said I haven't actually tried it on a stack-grows-up architecture
like HPPA (and can't at the moment).
WRT to the cookie entropy source, it uses a /dev/urandom if you have it,
but failing that it will fall back to a static cookie, so it's weaker
but not quite worthless if you don't have kernel random support.
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev