On Fri, Sep 23, 2011 at 11:53:36AM +0200, Marco d'Itri wrote:
> On Sep 23, Raphael Hertzog <hert...@debian.org> wrote:
>
> > Two hardening features are not enabled by default: PIE and bindnow.
> Why?

I guess because they have more impact on performance than the others.

> > If your package supports PIE, you might want to consider enabling it.
> > If the binaries are long running processes like daemons, and as such
> > the startup performance penalty of “bindnow” is acceptable, it might
> > be a good idea to enable it too but only if relro is in effect,
> > although another option might be to just define LD_BIND_NOW=1 on the
> > daemon's environment (for example in the init.d script), in which case
> > the sysadmin can always disable it, something that's not possible with
> > the build option.
> I believe that developers would benefit from more detailed
> recommendations.
> In other words, just say clearly who should enable these features (and
> why).

It has already been discussed here, and there are already pages describing
it and people committed to help in this goal being reached for the next
release.

http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
http://anonscm.debian.org/viewvc/secure-testing/hardening/

bert.

Archive: http://lists.debian.org/20110923114531.GC4401@localhost
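The thread leaves the reader to work out how to tell whether a built binary actually has PIE, relro and bindnow in effect, and in particular whether bindnow was enabled on top of relro (the combination Raphael's advice depends on). The following checker is an added example, not code from the wiki page or the secure-testing repository: it reads the ELF64 header, program headers and dynamic section directly with the standard values from <elf.h>, so it runs without readelf. The `build_elf` helper fabricates tiny non-executable ELF images purely so the checker can be exercised offline; on a Debian system one would point `check_file` at a real binary instead (readelf -d and the hardening-check script from hardening-includes report the same properties).

```python
"""Check an ELF64 image for PIE, RELRO and BIND_NOW (added example).

A PIE is an ET_DYN object carrying a dynamic section; RELRO shows up as a
PT_GNU_RELRO program header; bindnow as DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS,
or DF_1_NOW in DT_FLAGS_1. "full RELRO" (RELRO plus bindnow) is the state the
mail recommends: bindnow only pays off when the GOT can then be made read-only.
"""
import struct
import sys

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr
DYN = struct.Struct("<qQ")                  # Elf64_Dyn (d_tag, d_val)

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def hardening_status(data: bytes) -> dict:
    """Return {'pie', 'relro', 'bind_now', 'full_relro'} for one ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF image")
    (_ident, e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = EHDR.unpack_from(data, 0)

    relro, dyn_range = False, None
    for i in range(e_phnum):
        p_type, _pflags, p_offset, _va, _pa, p_filesz, *_ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dyn_range = (p_offset, p_offset + p_filesz)

    bind_now = False
    if dyn_range:
        off, end = dyn_range
        while off + DYN.size <= end:
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW
                    or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True
            off += DYN.size

    # A shared library is also ET_DYN with a dynamic section, so this test
    # only means "PIE" when the file is known to be an executable.
    pie = e_type == ET_DYN and dyn_range is not None
    return {"pie": pie, "relro": relro, "bind_now": bind_now,
            "full_relro": relro and bind_now}


def check_file(path: str) -> dict:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return hardening_status(fh.read())


def build_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image (header, phdrs, dynamic section only).

    It is not a runnable program; it exists so the checker can be tested
    without shipping real binaries.
    """
    phdrs = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = EHDR.size + PHDR.size * len(phdrs)
    dyn = b""
    if bind_now:
        dyn += DYN.pack(DT_FLAGS, DF_BIND_NOW) + DYN.pack(DT_FLAGS_1, DF_1_NOW)
    dyn += DYN.pack(DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # class64, LE, version 1
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0,
                     EHDR.size, 0, 0, EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    body = b"".join(
        PHDR.pack(t, 0, dyn_off if t == PT_DYNAMIC else 0, 0, 0,
                  len(dyn) if t == PT_DYNAMIC else 0, 0, 8)
        for t in phdrs)
    return ehdr + body + dyn


if __name__ == "__main__":
    for p in sys.argv[1:]:
        s = check_file(p)
        print(f"{p}: PIE={s['pie']} RELRO={s['relro']} "
              f"BIND_NOW={s['bind_now']} full_relro={s['full_relro']}")
```

The `full_relro` field is the one to look at when deciding whether bindnow was worth enabling: bindnow without a RELRO segment costs the startup time the mail mentions but leaves the GOT writable, while RELRO without bindnow still has the GOT partly writable for lazy symbol resolution. Note that the LD_BIND_NOW=1 alternative Raphael describes is a runtime setting and leaves no trace in the binary, so this check reports only what was linked in.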