Il giorno lun, 23/01/2012 alle 20.08 +0100, Jason A. Donenfeld ha
> So I recently published this: http://blog.zx2c4.com/749 , a local priv
I've seen the news
> It doesn't work on Fedora because their /bin/su is compiled with
> -pie. (They don't compile gpasswd with -pie though, so they're still
Is it because of PIE alone or ASLR? Just curious it doesn't make much
difference to me.
> In any case, what if we made it a policy in Gentoo to compile all SUID
> binaries with PIE, to prevent against any types of future attacks of
> this variety?
Here's the trick: it's hard to decide what to compile PIE and what not
because we generally don't split the build for the two. I guess a good
point here could be made to build _everything_ PIE, but it can be tricky
(at least hotot seem not to work on a PIE system).
It would be also a good idea to resume working on the file-based
capabilities, dropping suid altogether.
The main issue here: it's not just my call to make; toolchain and
council should probably chime in on this.
Diego Elio Pettenò <email@example.com>