[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: security on Dial-up Systems



On Fri, 1 Aug 1997, Nir Soffer wrote:

> Just a small word about te non-executable stack patch:
> 
> B.) Some applications depend on an executionable stack (though I've never
> encountered one myself, I've heard that trampoline functions in GCC use
> the stack executionably (New word! :)).

The patch adds a flag to ELF and aout binaries (it adds a definition of a
flag, that is). When this flag is triggered, applications can happily
execute code in the stack.
Assumption is that software that needs to execute code in the stack, needs
root permissions to run and also is exploitable - shouldn't be ran by
users.

I've also heard that gcc executes code in the stack (though people were
not quite clear as to why or exactly when), but so far I've encountered no
problems with gcc after applying the patch (and I've compiled my kernel
three times since).

The patch itself comes with a source code that requires a trampoline to
compile, by the way. Anyone intrested?

> As for the original 'poster' - Do what I did for my security, disabled
> _all_ the services I didn't need. That includes daytime, chargen, and all
> that useless crap. Disabled identd, disabled fingerd, disabled ftpd,
> disabled rshd and rlogind, telnetd however, I kept.

Disable identd? identd is used, among others, to allow irc access. I've
installed here in.mident which is a cute ident daemon that is highly
configurable.

                                                   Nimrod


Follow-Ups: References: