Posted: Sat Nov 29, 2003 5:09 pm Post subject: Secure your system from buffer overflows with ProPolice.
ProPolice is a GCC patch that adds protection code to all C and C++ programs that prevents buffer overflow attacks. It's a great idea, and it's been implemented by default in OpenBSD, but off by default in Gentoo. If you run a production server or a computer that's permanently online, you should consider using ProPolice in all your applications.
If you've already got a running system, adding ProPolice is easy. It's included in recent versions of the GCC ebuild, so you can follow these instructions.
First, your system has to be up to date (up to date in the stable arch, there's no need to go ~x86).
# emerge sync
# emerge -upvD world
If this tells you there are packages to upgrade, better do it now before you start rebuilding.
# emerge -uvD world
# emerge clean
Make sure things are working. If upgrading packages breaks things, ProPolice won't help any. Once you've got a working system, download any binary-only packages to /usr/portage/distfiles (I had to get the Sun Java SDK; everything else was built from source). Make sure you've got >=gcc-3.2.3-r3 and >=glibc-2.3.2-r3.
Edit your /etc/make.conf and add -fstack-protector to your CFLAGS and CXXFLAGS.
We probably want a log of the output of this merge, in case something doesn't work. (no reason why it shouldn't, but better safe than sorry.)
# emerge screen
# screen -L
This will log all output to /root/screenlog.0. Now you can rebuild your system. Execute this command:
# emerge gcc && emerge glibc && emerge gcc && emerge -evD world
This will take approximately forever. I know, it's unnecessary to rebuild GCC three times, but it made me feel safer. Since the session was screened, you can hit ^A^D to detach the window, and it will run happily in the background. Run "screen -r" to view the session again, or tail /root/screenlog.0.
There, you've rebuilt your system with ProPolice! Better reboot now...
Leave -fstack-protector in your CFLAGS, and all future packages you install will have protection built in. Hooray.
Now, maybe someone can add a guide to getting the kernel built with propolice? I haven't done it yet, because my server is colocated and if messing with the kernel leads to it not booting, I can't drop in a CD and fix it.
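As an added example (not part of the post above, and not ProPolice's own code), here is the kind of bug the -fstack-protector flag is meant to catch, next to a bounds-checked version that does not have the bug at all. ProPolice's approach was later merged into mainline GCC as -fstack-protector, so a stock modern compiler is enough to try this; the function names greet_unchecked and greet_bounded are my own, and the over-long argument in the build comments is constructed test input. The point a practitioner should take away: the canary does not prevent the overflow, it detects the overwritten guard value when the function returns and aborts the process before the smashed return address can be used, which turns a potential code-execution bug into a crash.

```c
/* Added example, not from the original post: a classic stack buffer
 * overflow of the kind ProPolice / -fstack-protector guards against,
 * beside a bounds-checked copy that rejects over-long input instead.
 *
 * Build it twice and feed both binaries an over-long argument:
 *   gcc -O0 -fno-stack-protector -o nocanary overflow.c
 *   gcc -O0 -fstack-protector    -o canary   overflow.c
 *   ./nocanary "$(perl -e 'print "A"x64')"   # frame smashed; usually a plain segfault on return
 *   ./canary   "$(perl -e 'print "A"x64')"   # "*** stack smashing detected ***" and SIGABRT
 *
 * To check that a binary really was built with the protector, look for the
 * glibc failure hook the instrumentation calls:
 *   nm -D ./canary | grep __stack_chk_fail
 */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Vulnerable: strcpy copies until the NUL byte, however large dst is.
 * With -fstack-protector GCC places a canary between buf and the saved
 * frame pointer / return address and verifies it before returning. */
int greet_unchecked(const char *name)
{
    char buf[BUF_SIZE];
    strcpy(buf, name);            /* overflows when strlen(name) >= BUF_SIZE */
    return (int)strlen(buf);
}

/* Hardened: refuse input that does not fit and always NUL-terminate.
 * Returns the number of bytes copied, or -1 if the input was rejected. */
int greet_bounded(const char *name)
{
    char buf[BUF_SIZE];
    size_t len = strlen(name);
    if (len >= BUF_SIZE)
        return -1;                /* no partial, unterminated copy either */
    memcpy(buf, name, len + 1);   /* len + 1 includes the terminator */
    return (int)len;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s NAME\n", argv[0]);
        return 2;
    }
    int n = greet_bounded(argv[1]);
    if (n < 0)
        fprintf(stderr, "bounded copy rejected %zu-byte input\n", strlen(argv[1]));
    else
        printf("bounded copy took %d bytes\n", n);
    /* The unchecked path is what the canary protects; run it last so the
     * abort (if any) happens after the safe result has been printed. */
    printf("unchecked copy took %d bytes\n", greet_unchecked(argv[1]));
    return 0;
}
```

The bounded version is the real fix; the protector is a safety net for the copies you did not find. A 16-byte array was chosen deliberately: GCC's default -fstack-protector only instruments functions with character arrays of at least 8 bytes (the --param ssp-buffer-size threshold), so a smaller buffer would not show the abort unless you use -fstack-protector-all.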