As I recall (it's been a while), it even has options to log their use (so
you can 'fix' them)
The patch (when allowing trampolines) still leaves some room for buffer
exploits, but it's much more difficult.. As I recall I posted to that list
a while back, offering $50 (I think) to anyone who could take a legit
buffer bug and come up with an exploit that worked with trampolines
enabled.. (I think I also asked that the winner also submit an app that
was either commercial or could be found on a linux archive that the patch
broke)
I did not get any submissions.. :) (Good.. Cause I need my $$)
If there is a reason not to include this patch, it isn't because it breaks
anything... Yes, it can give a false sense of security.. But any admin who
is lulled by that prob won't have any security at all.. As a kernel option
I see no reason not to include it.
Please, don't talk negatively about a patch you have neither used nor
understand!
On Sun, 9 Nov 1997, Aaron Tiensivu wrote:
> > Note that this bug means ANY buffer overflow bug, even on non-setuid apps,
> > is now an entry point for an attacker to crash your machine. Got users on
> > your system who wrote their own CGI apps in C? Ouch. Let's make that
> > non-executable stack patch part of the mainstream kernel.
>
> It would prolly already be in the kernel if it didn't break trampolines.
>