2012/1/23 Mike Gilbert <flop...@gentoo.org>:
> On Mon, Jan 23, 2012 at 2:57 PM, Jason A. Donenfeld <ja...@zx2c4.com> wrote:
>> To check for PIE,
>>
>> readelf -h /bin/su | grep Type
>>
>> If it says EXEC, no PIE. If it says DYN, yes PIE.
>
> I'm asking "how does one enable PIE/ASLR", not how to check if it is
> enabled already.

- PIE should be -fPIC also for the executable, not only for the .so
(has a performance impact)
- ASLR you need "hardened" use for gcc, and the toolchain, pax kernel help too

xattr could be used to reduce the number of suid binaries, but it needs
support in portage

right?
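An added example, not from this thread or from Gentoo's own tooling: the `Type:` line that `readelf -h` prints is just the `e_type` field at offset 16 of the ELF header, so the check can be done without binutils. The script below reads that field directly (honouring the file's own endianness from `EI_DATA`) and reports `EXEC` versus `DYN`; the sample headers it runs on are constructed in the script, and `check_file` is a hypothetical helper for running the same check on a real path such as `/bin/su`. One caveat that applies to `readelf` too: shared libraries are also `DYN`, so the result only means "PIE" for a file you already know is an executable.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# e_type values from the ELF specification
E_TYPES = {0: "NONE", 1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def elf_type(data: bytes) -> str:
    """Return the e_type name ("EXEC", "DYN", ...) of raw ELF bytes.

    Mirrors the "Type:" line of `readelf -h`. Only the first 18 bytes are
    needed: the 16-byte e_ident plus the 2-byte e_type field that follows it.
    """
    if len(data) < 18 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_data = data[5]  # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_data == 1:
        fmt = "<H"
    elif ei_data == 2:
        fmt = ">H"
    else:
        raise ValueError(f"unknown EI_DATA value {ei_data}")
    # e_type sits at offset 16 in both ELF32 and ELF64 headers
    (e_type,) = struct.unpack_from(fmt, data, 16)
    return E_TYPES.get(e_type, f"UNKNOWN({e_type})")


def is_pie(data: bytes) -> bool:
    """True when the header says DYN, i.e. the executable was linked as PIE.

    Caller must know the file is an executable: shared objects are DYN too.
    """
    return elf_type(data) == "DYN"


def check_file(path: str) -> str:
    """Hypothetical helper: report the ELF type of a file on disk."""
    with open(path, "rb") as f:
        return elf_type(f.read(64))


def make_header(ei_class: int, ei_data: int, e_type: int) -> bytes:
    """Build a minimal constructed ELF header (e_ident + e_type/e_machine/e_version)."""
    e_ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0, 0]) + b"\x00" * 7
    endian = "<" if ei_data == 1 else ">"
    e_machine = 62 if ei_class == 2 else 3  # EM_X86_64 or EM_386, purely illustrative
    return e_ident + struct.pack(endian + "HHI", e_type, e_machine, 1)


# Constructed sample headers (not real binaries)
SAMPLE_EXEC = make_header(2, 1, 2)      # ELF64, little-endian, non-PIE executable
SAMPLE_PIE = make_header(2, 1, 3)       # ELF64, little-endian, PIE
SAMPLE_BE_PIE = make_header(1, 2, 3)    # ELF32, big-endian, PIE


if __name__ == "__main__":
    for name, sample in [("exec", SAMPLE_EXEC), ("pie", SAMPLE_PIE), ("be-pie", SAMPLE_BE_PIE)]:
        print(f"{name}: Type {elf_type(sample)}, PIE={is_pie(sample)}")
```

Running it against real files is a matter of calling `check_file("/bin/su")`; a non-ELF file (a shell-script wrapper, say) raises `ValueError` rather than being reported as non-PIE, so a scan over a directory should treat that case separately from `EXEC`.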