diff options
| author | Louis Burda <quent.burda@gmail.com> | 2021-05-17 19:09:18 +0200 |
|---|---|---|
| committer | Louis Burda <quent.burda@gmail.com> | 2021-05-17 19:09:18 +0200 |
| commit | 22211a1267f136c4b55bc2298bc9de19d5973f9f (patch) | |
| tree | 7319e36071b3b1ae85089ba9e3ec170fc7e13733 | |
| parent | b064de1ea6aa1f4692ca77af46d5d1121ee7aaa8 (diff) | |
| download | enowars5-service-stldoctor-22211a1267f136c4b55bc2298bc9de19d5973f9f.tar.gz enowars5-service-stldoctor-22211a1267f136c4b55bc2298bc9de19d5973f9f.zip | |
amend documentation
| -rw-r--r-- | documentation/README.md | 17 |
1 files changed, 6 insertions, 11 deletions
diff --git a/documentation/README.md b/documentation/README.md index db2f5f2..ecfbdd4 100644 --- a/documentation/README.md +++ b/documentation/README.md @@ -14,9 +14,9 @@ and generate reports that include information on the files.. Uploaded models and generated reports are stored in a directory structure. Unregistered users have their files saved in a collective directory, which -allows users to query for public models by using their model name. -Registered users have their uploads saved to a private directory. -This (theoretically) prevents other users from accessing their files. +allows users to query for public models via model name. Registered users have +their uploads saved to a private directory. This (theoretically) prevents other +users from accessing their files. The service is hosted with socat, one process per client. @@ -31,16 +31,16 @@ which can be used to cause havoc on vulnboxes and make services go mumble. 1. Enable additional security features via flags during compilation: - `CFLAGS="-fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2"` + `CFLAGS = "-fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2"` - `-fPIE`: enable position independent executable section - `-fstack-protector-strong`: enable stack canaries in functions with local variables that are prone to overflow - `-D_FORTIFY_SOURCE=2`: gcc buffer overflow detection - `LDFLAGS="-Wl,-z,now -Wl,-z,relro"` + `LDFLAGS = "-Wl,-z,now -Wl,-z,relro"` - `-Wl,-z,now`: tell dynamic linker to resolve symbols ASAP instead of lazy loading - - `-Wl,-z,relro`: tell dynamic linker to make got read only after resolving symbols + - `-Wl,-z,relro`: tell dynamic linker to make `got` section read-only after resolving symbols 2. Chroot each service instance via socat so it can only access uploaded files and not corrupt the system. @@ -197,8 +197,3 @@ Patching For an example fix, see the unified patch `patches/flagstore2.diff`. -Traffic Analysis Evasion -======================== - - - |