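#!/usr/bin/env bash
#
# stack-protection
#
# Script that helps set up IBM stack protection (ProPolice, -fstack-protector)
# on FreeBSD 4.x: it fetches the gcc patch, applies it to /usr/src, rebuilds
# libgcc and cc without the new flag, then puts the flag into /etc/make.conf
# and rebuilds world and kernel with it.
#
# More about this here:
# http://www.trl.ibm.com/projects/security/ssp/buildfreebsd.html
#
# Zoidial, Inc.
# Eric Thern eric@zoidial.com
# March 2002
#
# IMPORTANT!
# These users must be added in 4.5, if you upgraded, or else this will fail
# on make installworld.
#
# They are in /usr/src/etc/master.passwd; also add the proper group from
# /usr/src/etc/group to /etc/group.
#
# Use 'vipw' and add these two lines:
#
# smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/sbin/nologin
# mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/sbin/nologin
#
# Add these groups to /etc/group:
# smmsp:*:25:
# mailnull:*:26:
#
# For FreeBSD 4.4, uncomment the 4.4-labelled lines (2 of them).
# For FreeBSD 4.5, uncomment the 4.5-labelled lines (2 of them) -- default.
#
# SECURITY NOTE (review): the patch is downloaded over plain FTP/HTTP with no
# signature, and whatever arrives is compiled into your compiler, libc, world
# and kernel.  Obtain the checksum of the known-good patch over a trusted
# channel and pass it as PATCH_MD5=<hex>; the script then refuses to apply a
# file that does not match.  (md5 is what FreeBSD 4.x ships; it is a weak
# integrity check against a deliberate attacker, but far better than none.)
# Without PATCH_MD5 the patch is applied unverified and a warning is printed.
#
# Every step is now checked and the script aborts on the first failure.  The
# original ran straight through, so a failed download or a rejected hunk
# silently produced an unprotected world that looked like a protected one.

# bash 2.x on FreeBSD 4.x has no 'pipefail'; use -e/-u plus explicit checks.
set -eu

# freebsd 4.4
#PATCH_URL=http://www.trl.ibm.com/projects/security/ssp/freebsd44/protector4.4-1.patch
#PATCH_FILE=protector4.4-1.patch
# freebsd 4.5
PATCH_URL=ftp://gcc.nmt.ne.jp/pub/FreeBSD/patches/StackProtection45R.diff
PATCH_FILE=StackProtection45R.diff

# Optional MD5 of the known-good patch; empty means "apply unverified".
PATCH_MD5=${PATCH_MD5:-}

SRC=/usr/src
MAKE_CONF=/etc/make.conf
FLAGS="-O -pipe -fstack-protector"

#######################################
# Print a fatal error to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'stack-protection: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a section banner so progress is visible in a long build log.
# Arguments: $1 - banner text
#######################################
banner() {
  printf '\n*********************************\n*********************************\n%s\n*********************************\n*********************************\n\n' "$1"
}

#######################################
# Download the patch into $SRC and, when PATCH_MD5 is set, verify it.
# Globals:  PATCH_URL, PATCH_FILE, PATCH_MD5, SRC (read)
# Outputs:  $SRC/$PATCH_FILE
#######################################
fetch_patch() {
  banner "WGET THE FSTACK PATCH"
  cd "$SRC" || die "cannot cd to $SRC"
  # drop any stale copy so a failed download cannot leave an old file in place
  rm -f -- "$PATCH_FILE"
  wget "$PATCH_URL" || die "download of $PATCH_URL failed"
  [[ -s "$PATCH_FILE" ]] || die "$PATCH_FILE is missing or empty after download"
  if [[ -n "$PATCH_MD5" ]]; then
    local sum
    # FreeBSD md5(1) -q prints only the digest -- TODO confirm on your release
    sum=$(md5 -q "$PATCH_FILE") || die "md5 of $PATCH_FILE failed"
    [[ "$sum" == "$PATCH_MD5" ]] \
      || die "checksum mismatch for $PATCH_FILE: got $sum, expected $PATCH_MD5"
  else
    printf 'stack-protection: WARNING: PATCH_MD5 not set, applying %s UNVERIFIED\n' \
      "$PATCH_FILE" >&2
  fi
}

#######################################
# Remove the files the patch re-creates, then apply it from /usr with -p0.
# Globals:  SRC, PATCH_FILE (read)
#######################################
apply_patch() {
  banner "REMOVING SOME EXTRA FILES"
  rm -f -- "$SRC/sys/libkern/stack_smash_handler.c" \
           "$SRC/contrib/gcc/protector.c" \
           "$SRC/contrib/gcc/protector.h"

  banner "APPLY THE PATCH"
  cd /usr || die "cannot cd to /usr"
  # -N: never reverse-apply an already-applied patch on a second run;
  # a non-zero status means at least one hunk was rejected or skipped.
  patch -p0 -N < "src/$PATCH_FILE" || die "patch did not apply cleanly; inspect the .rej files"
}

#######################################
# Back up /etc/make.conf and strip our CFLAGS/COPTFLAGS lines from it, so
# libgcc and cc are built by the existing compiler, which does not know
# -fstack-protector.
# Globals:  MAKE_CONF, FLAGS (read)
#######################################
strip_flags() {
  banner "SETTING FLAGS IN $MAKE_CONF"
  [[ -f "$MAKE_CONF" ]] || : > "$MAKE_CONF"
  cp "$MAKE_CONF" "$MAKE_CONF-bak" || die "cannot back up $MAKE_CONF"
  local tmp
  tmp=$(mktemp "$MAKE_CONF.XXXXXX") || die "mktemp in /etc failed"
  if ! sed -e "/CFLAGS= $FLAGS/d" -e "/COPTFLAGS= $FLAGS/d" "$MAKE_CONF" > "$tmp"; then
    rm -f -- "$tmp"
    die "sed on $MAKE_CONF failed"
  fi
  # cat-over rather than mv keeps make.conf's inode and permissions
  cat "$tmp" > "$MAKE_CONF" && rm -f -- "$tmp"
}

#######################################
# Clean, depend, build and install one subdirectory of $SRC.
# Arguments: $1 - path relative to $SRC (e.g. gnu/lib/libgcc)
#######################################
build_subdir() {
  banner "COMPILE $SRC/$1"
  cd "$SRC/$1" || die "cannot cd to $SRC/$1"
  make clean && make depend && make all install || die "build of $1 failed"
}

#######################################
# Append the stack-protector flags to /etc/make.conf for the world build.
# Globals:  MAKE_CONF, FLAGS (read)
#######################################
restore_flags() {
  banner "SET FLAGS BACK IN $MAKE_CONF"
  printf 'CFLAGS= %s\nCOPTFLAGS= %s\n' "$FLAGS" "$FLAGS" >> "$MAKE_CONF" \
    || die "cannot write $MAKE_CONF"
}

#######################################
# Rebuild libc deps, then world and kernel, with the new compiler and flags.
# Globals:  SRC (read)
#######################################
build_world_and_kernel() {
  # had problems with this file not being included in newer 4.5 -- copy it
  # over to make sure
  cp "$SRC/include/langinfo.h" "$SRC/lib/libc/include/langinfo.h" \
    || die "cannot copy langinfo.h into libc"

  banner "MAKE DEPEND ON $SRC/lib/libc"
  cd "$SRC/lib/libc" || die "cannot cd to $SRC/lib/libc"
  make depend || die "make depend in lib/libc failed"

  cd "$SRC" || die "cannot cd to $SRC"
  local target
  for target in buildworld installworld buildkernel installkernel; do
    banner "MAKE $target"
    make "$target" || die "make $target failed"
  done
}

#######################################
# Entry point: sanity checks, then the steps in the original order.
#######################################
main() {
  [[ "$(id -u)" -eq 0 ]] || die "must be run as root"
  [[ -d "$SRC" ]] || die "$SRC not found; install the source tree first"
  command -v wget >/dev/null || die "wget is not installed"

  banner "STARTING FSTACK-PROTECTION SCRIPT"
  cd "$SRC" || die "cannot cd to $SRC"
  # cleaning failures were tolerated by the original script; keep that
  make clean || true
  make cleandepend || true
  make cleandir || true

  fetch_patch
  apply_patch
  strip_flags
  build_subdir gnu/lib/libgcc
  build_subdir gnu/usr.bin/cc
  restore_flags
  build_world_and_kernel

  printf '\n********************\nSystem fully set up!\n********************\n'
}

main "$@"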