I would add also perl, php and python to the list and
would remove other non-server and non-suid client applications,
otherwise better to apply stack protection to everything...
Added.
I've built our gcc RPM with stackprotector enabled some
months ago (latest were gcc-3.3-2mdk(s) for cooker, and gcc-3.2.2-3mdk(s) for 9.1).
IMHO what this could replace is the %serverbuild macro, which
should have -fstack-protector enabled.
I don't know that macro, that's interesting. You could add this idea to the Wiki page.
From benchmark (ssbench) I don't see any appreciable
slowdown, but it would be interesting to see some BIG benchmark
for instance to Apache or some mailer, to see the
effective impact. If someone has one or is willing to do
some intensive benchmark...
See this page: <http://www.trl.ibm.com/projects/security/ssp/node5.html#SECTION00051000000000000000>
They state that in the worst case it can add an 8% performance loss, the worst case being a program that uses massive amounts of function calls with extremely short function bodies. In practice, it's been shown not to exceed 4% with the Perl benchmark, and to be close to 0% for imapd.
--
Aleksander Adamowski
Jabber JID (this is not an e-mail address!): [EMAIL PROTECTED]
GG#: 274614
ICQ UIN: 19780575 http://olo.office.altkom.com.pl
