On Wed, 3 Apr 2013, Miloslav Trmač wrote:
> On Wed, Apr 3, 2013 at 12:18 AM, Adam Williamson <awilliam@xxxxxxxxxx> wrote:
>> On 31/03/13 08:11 AM, Richard W.M. Jones wrote:
>>> However prelink does reduce the effectiveness of ASLR (a bit). See
>>> http://lwn.net/Articles/341440/ and follow-up conversation.
>>
>> Ignoring the silly stuff, it does seem that this is Yet Another Reason
>> Prelink Is Bad
>
> Is it? The linked comment says the opposite: prelink might interfere with
> ASLR, but for most programs it doesn't make a difference. Even the latter
> discussion about local attackers doesn't really apply when any PIE
> executable automatically means prelink is ignored both for the executable
> and for any used shared libraries, as Jakub said.
To me, prelink is still evil for breaking FIPS. I've requested a few times that prelink plays nicer with FIPS mode, like running prelink -ua during bootup when FIPS mode is on. And running prelink -ua when the prelink package is uninstalled. Neither trivial solution is implemented in the package.

The only argument in favour of prelink is speed. People selecting FIPS have clearly made the decision to favour extra security over speed. I'm strongly in favour of getting rid of it completely, and letting Moore's Law do its job.

Paul
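One way the boot-time check requested in the message above could look, as an added example that is not part of the original message or of the prelink package. It assumes the kernel exposes the FIPS flag at /proc/sys/crypto/fips_enabled; the function names and exit codes are hypothetical.

```shell
#!/bin/sh
# Added example: undo prelinking at boot when the kernel reports FIPS mode.
# Assumption: /proc/sys/crypto/fips_enabled contains "1" when FIPS mode is on.
# Function names and exit codes are hypothetical, chosen for this sketch.

FIPS_FLAG_DEFAULT=/proc/sys/crypto/fips_enabled

# Return 0 only if the flag file is readable and its first line is exactly "1".
fips_enabled() {
    flag_file=${1:-$FIPS_FLAG_DEFAULT}
    value=
    [ -r "$flag_file" ] || return 1
    # read fails at EOF without a trailing newline but still fills $value
    read -r value < "$flag_file" || [ -n "$value" ] || return 1
    [ "$value" = "1" ]
}

# Run "<prelink> -ua" only when FIPS mode is on.
# Exit status: 0 = prelinking undone
#              1 = FIPS mode off, nothing done
#              2 = FIPS mode on but prelink binary not found
#              3 = prelink -ua itself failed
undo_prelink_if_fips() {
    flag_file=${1:-$FIPS_FLAG_DEFAULT}
    prelink_cmd=${2:-prelink}
    fips_enabled "$flag_file" || return 1
    # A missing binary is reported separately: files may still be prelinked
    # if the package was removed without running prelink -ua first.
    command -v "$prelink_cmd" >/dev/null 2>&1 || return 2
    "$prelink_cmd" -ua || return 3
    return 0
}

# Intended call from an init script or boot-time unit (needs root):
#   undo_prelink_if_fips
```

Exit status 2 is kept distinct from 1 so that a caller can log the case where FIPS mode is on but the tool needed to undo prelinking is no longer installed.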