On Monday, September 07, 2015 7:02:45 PM [email protected] wrote: > Fernando Rodriguez <[email protected]> wrote: > > > On Sunday, September 06, 2015 1:15:17 PM walt wrote: > > > https://wiki.gentoo.org/wiki/Hardened_Gentoo > > > > > > That wiki page is very seductive. It makes me want to drop > > > everything and select a hardened profile and re-emerge everything > > > from scratch. > > > > > > But I have a feeling I'd soon be in big trouble if I did. Is this > > > something that only gentoo devs should be messing with, or is this > > > a project that a typical gentoo end-user might hope to accomplish > > > without frequent suicidal thoughts? > > > > There's different opinions on it, but mine is that while it adds some > > security it's so little that it's not worth it in most cases. It > > provides more security on a binary distro because everyone has the > > same binaries and an attacker don't need to guess where a specific > > piece of code may get loaded but by running a source distro your > > address space is already pretty unique. The only case where it > > provides some security is when an attacker is trying to guess an > > address for an exploit, making the wrong guess will likely crash the > > process and it will be reloaded on a new address. Do you have > > valuable enough data for an attacker to go through that hassle in > > order to get it? If you do then you should use a hardened profile, > > but physical security and disk encryption is more important because > > if it's worth that much it'll be easier to just rob you. > > I'm not a security expert, so I'm maybe wrong here, But I think there > are more security functions on gentoo-hardened than just address space > randomization. There are also things like stack smash protection and > some other restrictions that make it harder to exploit security holes.
AFAIU about everything else you get is better defaults, nothing you can't do yourself through CFLAGS, etc. SSP for example is enabled by default on recent GCC versions as mentioned by Michael. It will make some exploits harder but IMO not enough to be worth it for the average user. -- Fernando Rodriguez
