Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Secure your system from buffer overflows with propolice..
View unanswered posts
View posts from last 24 hours

Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message

Joined: 08 Oct 2002
Posts: 340

PostPosted: Sat Nov 29, 2003 5:09 pm    Post subject: Secure your system from buffer overflows with propolice.. Reply with quote

ProPolice is a GCC patch that adds protection code to all C and C++ programs that prevents buffer overflow attacks. It's a great idea, and its been implemented by default in openbsd, but off by default in gentoo. If you run a production server or a computer that's permanently online, you should consider using ProPolice in all your applications.

If you've already got a running system, adding propolice is easy as. It's included in recent versions of the GCC ebuild, so you can follow these instructions.

First, your system has to be up to date (up to date in the stable arch, there's no need to go ~x86).

# emerge sync
# emerge -upvD world

If this tells you there are packages to upgrade, better do it now before you start rebuilding.

# emerge -uvD world
# emerge clean

Make sure things are working. If upgrading packages breaks things, propolice won't help any. Once you've got a working system, download any binary only packages to /usr/portage/distfiles (I had to get the sun java sdk, everything else was built from source). Make sure you've got >=gcc-3.2.3-r3 and >=glibc-2.3.2-r3.

Edit your /etc/make.conf and add -fstack-protector to your CFLAGS and CXXFLAGS.

We probably want a log of the output of this merge, in case something doesn't work. (no reason why it shouldn't, but better safe than sorry.)

# emerge screen
# screen -L

This will log all output to /root/screenlog.0. Now you can rebuild your system. Execute this command:

# emerge gcc && emerge glibc && emerge gcc && emerge -evD world

This will take approximately forever. I know, it's unnecessary to rebuild GCC three times, but it made me feel safer. Since the session was screened, you can hit ^A^D to detatch the window, and it will run happily in the background. run "screen -r" to view the session again, or tail /root/screenlog.0.

there, you've rebuild your system with propolice! better reboot now...

# shutdown -r now

leave -fstack-protector in your cflags, and all future packages you install will have protection built in. hooray.

Now, maybe someone can add a guide to getting the kernel built with propolice? I haven't done it yet, because my server is colocated and if messing with the kernel leads to it not booting, I can't drop in a CD and fix it.
Pop-before-SMTP with the Gentoo Virtual Mailhosting Guide
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Page 1 of 1

Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum