Re: [announce] [patch] NX (No eXecute) support for x86, 2.6.7-rc2-bk2

[Ulrich Drepper]

Linus Torvalds wrote:

> If things are really that good, why are we even worrying about this?
> 
> It sounds like we should just have NX on by default even for executables
> that don't have any NX info records,

This is possible in one of the modes the FC kernel supports but not a
good default.

While most of the code we ship has no problems, 3rd party code is a
completely different story.  Most of the time this code is not as
cleanly written as the (cleaned-up) code we ship.  If anything, you can
announce your intention to change the default in a few years and urge
people to clean up their code.  If you want the maximum protection now
go with Ingo's exec-shield patch and the /proc/sys/kernel/exec-shield
entry which can be set to 2 to enable the strict mode.  That's certainly
the best solution for edge servers but not for application servers
running lots of dubious 3rd party code.

-- 
â Ulrich Drepper â Red Hat, Inc. â 444 Castro St â Mountain View, CA â
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/