On Sun, 27 Feb 2011 21:13:00 +0100, Kevin Fenzi wrote:
[...]
> Anyone have objections to adding a prelink call to the end of the live
> base compose?
To run prelink at the compose time is a great idea.
BTW for the full picture - if you run non-prelinked binaries at least
their libraries get a randomized memory location. With prelinked libraries they
are no longer randomized. This is a better target if some exploit exists.
While normal systems each have their own prelinked addresses, which the
attacker usually cannot guess, the distributed prelinked LiveCD will have
addresses publicly known to everyone.
OTOH exploit-sensitive applications are already PIE (Position Independent
Executable; gcc -fPIE -pie) and such apps have the libraries randomized on
each run even though they may already be prelinked.
> Or should we just disable it entirely?
Non-prelinked binaries have needless performance and runtime memory costs.
Thanks,
Jan
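
Added example, not part of the original message: a small audit helper for a composed image that reports, per ELF file, whether it is ET_DYN (PIE executable or shared library) or a fixed-address ET_EXEC, and whether it carries the DT_GNU_PRELINKED dynamic tag that prelink writes. The function names are hypothetical, only little-endian ELF64 is handled, and the sample images are constructed in the code.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3                      # e_type: fixed-address vs. PIE/shared object
PT_DYNAMIC = 2                              # program header describing .dynamic
DT_NULL, DT_GNU_PRELINKED = 0, 0x6FFFFDF5   # tag prelink adds (value from elf.h)

def inspect_elf(data: bytes) -> dict:
    """Return {'et_dyn': bool, 'prelinked': bool} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    prelinked = False
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, _flags, p_offset = struct.unpack_from("<IIQ", data, base)
        if p_type != PT_DYNAMIC:
            continue
        p_filesz = struct.unpack_from("<Q", data, base + 32)[0]
        # Walk the (d_tag, d_val) pairs until the DT_NULL terminator.
        for off in range(p_offset, p_offset + p_filesz, 16):
            tag, _val = struct.unpack_from("<QQ", data, off)
            if tag == DT_NULL:
                break
            prelinked |= tag == DT_GNU_PRELINKED
    return {"et_dyn": e_type == ET_DYN, "prelinked": prelinked}

def make_sample(e_type: int, tags: list) -> bytes:
    """Constructed minimal image: ELF header, one PT_DYNAMIC phdr, dynamic tags."""
    dyn = b"".join(struct.pack("<QQ", t, 0) for t in tags + [DT_NULL])
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn

if __name__ == "__main__":
    # Usage: python3 script.py /path/to/binary ...  (paths inside the image root)
    for path in sys.argv[1:]:
        try:
            with open(path, "rb") as fh:
                info = inspect_elf(fh.read())
        except (OSError, ValueError, struct.error) as exc:
            print(f"{path}: skipped ({exc})")
            continue
        kind = "ET_DYN (PIE or shared object)" if info["et_dyn"] else "ET_EXEC (fixed address)"
        print(f"{path}: {kind}, prelinked={info['prelinked']}")
```

Files reported as ET_EXEC are the non-PIE programs for which the prelinked library addresses on a distributed image would be the same on every copy.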