Ali Bahrami wrote:
>       I can easily imagine someone changing to the V2 syntax without
>       realizing that they've also changed their stack protections.

That's a good thing.  Very few (if any) should be relying on executable
stacks these days, and those few who do ought to be inconvenienced into
explicitly asking for that behavior.  The current default is backwards.

>     - It won't affect many objects: As you say, those who use mapfiles
>       are in a distinct minority, and as v2 mapfiles are something
>       you have to opt into, those who use them will be a distinct
>       minority of a distinct minority. In fact, it probably won't
>       reach anyone we're not already reaching with explicit mapfile
>       directives today.

It's a start.

>     - You can have more than one mapfile on an ld command line, and
>       they are each allowed to be either version 1 or 2 independently
>       of the others. Which should win?

I'd say the best answer would be that if any are v2, then you get
non-executable stacks by default, and if you want something else, then
you must explicitly specify it.

A less-good (but still viable) answer would be that if you use multiple,
then the default stack executability is set by the last one encountered.

>       Consider the example in which you have not converted your
>       mapfiles, or maybe don't even have one, but are also using
>       one of the standard ones we provide in /usr/lib/ld, which
>       will certainly move to V2 once the ld support is in place.
>       Should your stack defaults change because you used a system
>       provided mapfile?

Yes!

> I think it would be confusing, and won't make a significant
> difference. Executable stacks are bad, but the solution to that
> needs to be orthogonal to mapfile syntax.
> 
>> However, when that solution arrives, won't the implication be that
>> non-executable stacks become the default way of doing things?
> 
> No, because it would be an option that the user has to select, and
> not a default.

Isn't that exactly the badness we have today?  Users aren't savvy enough
to pick the right options in obscure areas like this, and certainly
should not need to be.  The system should provide _good_ defaults.

Providing good defaults definitely means pushing users into good
practices, even if it means some pain.

Note that we're talking here about folks who are compiling and linking
-- and presumably testing -- applications.  Those who just run them
aren't affected; only developers are, and developers can tolerate new
behaviors much more easily, particularly so since (a) it's only on
OpenSolaris (everyone's still compiling on S8 or older to support
customers), (b) it's telegraphed way in advance, and (c) it's obviously
goodness to avoid stack-smashing attacks by default and every other
platform that's capable of this has long since done it.

I agree that it's logically disjoint from the v2 work itself, but we've
got to start somewhere, and I'm not convinced that a better solution is
coming "soon."

Unless, of course, someone's just going to turn the big switch and
default all stacks to non-executable tomorrow.  If that's the case, then
I see no need to make v2 special.

-- 
James Carlson         42.703N 71.076W         <carlsonj at workingcode.com>
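As an added example (not part of this thread or of the Solaris ld sources), a small Python scanner that reads an object's program headers and reports whether its stack is marked executable, or, when no stack header is present, falls back to whatever platform default is passed in, which is exactly the default the thread argues about. The PT_SUNWSTACK and PT_GNU_STACK constants and the minimal constructed ELF image are assumptions of this example.

```python
import struct

# Program-header types that carry stack permissions (values assumed here).
PT_GNU_STACK = 0x6474E551   # GNU ld / Linux
PT_SUNWSTACK = 0x6FFFFFFB   # Solaris ld, the linker this thread discusses
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

def stack_flags(elf: bytes):
    """Return (p_type, p_flags) of the stack program header, or (None, None)
    when the object carries none, meaning the platform default applies."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2
    end = "<" if elf[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    if is64:
        e_phoff = struct.unpack_from(end + "Q", elf, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        e_phoff = struct.unpack_from(end + "I", elf, 0x1C)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, p_flags = struct.unpack_from(end + "II", elf, off)
        else:  # ELF32 keeps p_flags after p_memsz, at offset 24
            p_type = struct.unpack_from(end + "I", elf, off)[0]
            p_flags = struct.unpack_from(end + "I", elf, off + 24)[0]
        if p_type in (PT_GNU_STACK, PT_SUNWSTACK):
            return p_type, p_flags
    return None, None

def stack_executable(elf: bytes, platform_default_exec: bool) -> bool:
    """True if the object will get an executable stack: explicit header wins,
    otherwise the caller-supplied platform default decides."""
    ptype, flags = stack_flags(elf)
    if ptype is None:
        return platform_default_exec
    return bool(flags & PF_X)

def make_elf64(phdrs):
    """Constructed, minimal little-endian ELF64 image: an ELF header followed
    by the given (p_type, p_flags) program headers. Not loadable; it only
    exists so the scanner can be exercised offline."""
    ehdr_size, phent = 64, 56
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    hdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, ehdr_size, 0, 0,
                       ehdr_size, phent, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 8)
                    for t, f in phdrs)
    return hdr + body
```

Run against a real object in place of make_elf64 output to see whether it is relying on the linker's default rather than an explicit STACK setting.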
