Posted: Sun Jul 04, 2004 12:38 pmPosted: Sun Jul 04, 2004 1:18 pmPosted: Tue Jul 06, 2004 10:38 ami think randustack is safe to use except maybe for java which doesn't like randomization (i don't know if it's the stack or the other randomizations though, but since you have to disable all of PaX on it, it probably doesn't matter anyway). randkstack is a harder one, it depends on your kernel stack utilization (how close tasks get to a kernel stack overflow due to interrupts and whatnot). the default randomization of randkstack can result in an extra 128 bytes used on the kernel stack, whether that will trigger an overflow or not is hard to tell, you're best off by trying it out for some period of time. i'd also add that if these 128 bytes can cause a stack overflow then you're already extremely close to running into one anyway, considering that the usable kernel stack is some 7 kbytes on i386. also randkstack is probably meaningful mostly when you have untrusted local users, against remote attacks it matters little if anything.radek wrote:is it safe to enable it on production systems ?
Posted: Tue Jul 06, 2004 12:49 pm
but i didnt check it thourougly. the hosts are configured heavily to auto "repair" all problems (restarts, reloads, retries, delegations in case of problems) so this can not be treaten as a 'everything works perfect' sign.