On Tue, Aug 26, 2003 at 02:01:48PM -0300, Alex wrote: > Hello, > > Does anybody recommend using this? > > How to build FreeBSD with propolice protection > http://www.trl.ibm.com/projects/security/ssp/buildfreebsd.html
If you have a server carrying particularly valuable or sensitive data, then, yes the propolice patches can add an extra layer of security. However, there are certain otherwise harmless software constructs that involve writing to the stack that this software will cause to fail. Certain applications simply will not work. For an ordinary desktop or home machine it's probably overkill, and paying attention to security announcements and keeping your machine properly up to date and not running extraneous daemons and following all of the other standard good security advice should be sufficient. > After implementing it, how to make sure it's working correctly? Write a small C program that will let you overflow an array and trample on the stack. By convention, the usage is to overflow the array with a long string of A characters. Analyse the core dump thus obtained. If the EIP has been overwritten with the value 0x41414141 then the patches definitely aren't working. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way PGP: http://www.infracaninophile.co.uk/pgpkey Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK
pgp00000.pgp
Description: PGP signature