Non-Executable Stack Patch

Andi Gutmans (andi@vipe.technion.ac.il)
Wed, 4 Jun 1997 01:58:40 +0300 (IDT)


Hi,

I think it's really a shame that the non-executable stack patch doesn't
seem to be making its way into the kernel as an option.
I think this is a place where Linux could really have an edge on many
other UNIX systems.
At our university these kinds of security patches are very very desirable.
We even use some much worse patch for Slowlaris to accomplish the same
thing (on systems with 5000 shell accounts).

I have been running the patch for a few months now on a pretty loaded
system and I have had no problems whatsoever. I don't understand why
people don't want it. It obviously is not broken, and as the latest patch
has an option to "mark" programs which do need an executable stack,
EVERYTHING will run with it. Don't forget that the programs that break
(none have broken for me yet) will usually not be suid anyways so the
ability of marking them executable on the stack fixes any doubts you might
have about the patch.

Please please please wake up and make this patch go into the mainstream
kernel. Don't forget that whoever doesn't want it does NOT have to select
the option. I just dread the day where it won't be in the mainstream
kernel and the author of the patch will stop making the patch for
every new kernel release.

And please don't give me the "it doesn't fix all of the problems" or "the
suid programs should be coded better", because in reality it does help
prevent most of the stack overflow exploits and suid programs will never
be coded perfectly.

Someone put some pressure on good 'ole Linus. He's too stubborn :)

I will put the patch on my ftp site in case people missed the post by the
author (Solar Designer <solar@false.com>)
ftp://ftp.rifkin.technion.ac.il/pub/Linux/security/linux-stack.tar.gz

Andi

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Andi Gutmans - Computer Science, Israel Institute of Technology
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Web: http://andi.il.eu.org PGP: finger andi@vipe.technion.ac.il
KeyID 62F5661D fingerprint = 1A 87 A2 10 2F EF EF AB 47 E0 4D 42 F5 B5 49 AD