Re: executable stacks, a few suggestions

Hans Lermen (lermen@elserv.ffm.fgan.de)
Tue, 15 Apr 1997 01:31:31 +0200 (MET DST)


On Mon, 14 Apr 1997, Ingo Molnar wrote:

> ok, this one can be circumvented by ignoring >all< signals. Thus the point
> is the following: if this patch is used, AND the executable disables
> signals, then buffer overflows are less dangerous. [maybe the point is
> that most setuid root executables ignore signals already?]

Well, there exists one suid root program for which signals are vital:
DOSEMU. Most emulation is handled via signals.

> for setuid root processes i would even install a bit more code, just to
> make them more secure: after a signal handler returns, i would turn off
> execution bits again. Maybe there are a few more cases where execution
> bits can be turned off again. >maybe<. The major idea is to check for
> setuid executables at exec() time [we have that branch already].

Though I need to investigate more, at a first glance I would say that
DOSEMU's performance would suffer a lot from this.

Also, making signal handling more expensive would also decrease the
performance of DPMI emulation, because switching between flatmodel
protected mode (Linux) and segmented protected mode (DPMI) is done via
signal return. The same technique, btw, is also used by WINE and WABI.

Hans
<lermen@fgan.de>
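The mail argues that anything added to the signal-return path (such as clearing execute bits again after a handler returns) is paid on every DPMI mode switch, because that switch is itself a full signal delivery plus sigreturn. The following program is an added example, not code from Hans Lermen, DOSEMU, WINE or the kernel patch under discussion: it installs a SIGUSR1 handler on an alternate stack, shows that the kernel switches to that stack for the handler and restores the interrupted context on return, and measures the average cost of one deliver-plus-return round trip so the per-switch overhead the mail worries about can be put in numbers. The alternate-stack size (64 KiB), the signal used and the iteration count are assumptions chosen for the demonstration.

```c
/* Added example (not from the original mail): cost and mechanics of one
 * signal deliver + sigreturn round trip, the path DPMI mode switching uses. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

static volatile sig_atomic_t handler_runs;   /* how many times the handler returned */
static volatile uintptr_t handler_sp;        /* address of a local inside the handler */
static char *altstack;                       /* assumed alternate signal stack buffer */
static const size_t altstack_len = 64 * 1024;

/* The handler only records where its own locals live and counts the call. */
static void on_usr1(int sig, siginfo_t *si, void *uctx)
{
    char marker;
    (void)sig; (void)si; (void)uctx;
    handler_sp = (uintptr_t)&marker;
    handler_runs++;
}

/* Install SIGUSR1 handler that runs on an alternate stack. Returns 0 on success. */
static int install_handler(void)
{
    stack_t ss;
    struct sigaction sa;

    altstack = malloc(altstack_len);
    if (!altstack) return -1;
    ss.ss_sp = altstack;
    ss.ss_size = altstack_len;
    ss.ss_flags = 0;
    if (sigaltstack(&ss, NULL) != 0) return -1;

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_usr1;
    sa.sa_flags = SA_SIGINFO | SA_ONSTACK;   /* kernel switches stacks for us */
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGUSR1, &sa, NULL);
}

/* 1 if the handler's locals were placed inside the alternate stack, else 0. */
static int handler_used_altstack(void)
{
    uintptr_t lo = (uintptr_t)altstack, hi = lo + altstack_len;
    return handler_sp >= lo && handler_sp < hi;
}

/* Deliver n signals to ourselves and return the average nanoseconds per
 * deliver + return round trip, or -1 on any failure. raise() only returns
 * after the handler has run, so each iteration is exactly one round trip. */
static double signal_roundtrip_ns(int n)
{
    struct timespec t0, t1;
    double ns;

    handler_runs = 0;
    if (clock_gettime(CLOCK_MONOTONIC, &t0) != 0) return -1;
    for (int i = 0; i < n; i++)
        if (raise(SIGUSR1) != 0) return -1;
    if (clock_gettime(CLOCK_MONOTONIC, &t1) != 0) return -1;
    if (handler_runs != n) return -1;        /* every delivery must have returned */

    ns = (double)(t1.tv_sec - t0.tv_sec) * 1e9 + (double)(t1.tv_nsec - t0.tv_nsec);
    return ns / n;
}

int main(void)
{
    if (install_handler() != 0) { perror("install_handler"); return 1; }
    double ns = signal_roundtrip_ns(10000);
    printf("handler ran on alternate stack: %d\n", handler_used_altstack());
    printf("average signal deliver+return: %.0f ns\n", ns);
    return 0;
}
```

The per-round-trip figure is what any extra work in the sigreturn path (re-clearing execute bits, extra permission checks) is added on top of; comparing the number with and without such a patch applied is the direct way to quantify the DPMI-emulation cost the mail raises.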