If I paxctl -PS the ioquake3 binary it crashes on startup with the error:

PAX: execution attempt in: /dev/zero

logged to the syslog.  If I paxctl -ps ioquake3 it runs fine.  Of course 
mprotect is disabled in both cases.  Quake3 is really only an example though.  
I guess my larger question is:

If I use the SSP-enabled toolchain, I'll loose my ability to toggle this 
protection off and on at will right?  Am I correct that the only work arounds 
in this case would involve some kind of recompiling with per-package flags, 
etc.?

Thank you for your help.

On Saturday, January 27, 2007 18:59, John Schember wrote:
> SSP is stack smashing protection. Unless an application your using for
> some strange reason likes to over run the stack and execute code just
> like a buffer overrun attack you won't have a problem. As far as Quake3
> goes you won't have a problem with the hardened tool chain.
>
> John Schember
>
>
> On Sat, 2007-01-27 at 18:20 -0800, [EMAIL PROTECTED]
>
> wrote:
> > I've had a "partially-hardened" workstation for awhile now.  I use
> > hardened-sources and enable many of the PaX/grsecurity options including
> > stack smashing protection.  This works great as I can disable SEGMEXEC,
> > PAGEEXEC and mprotect for Quake3 (ioquake3) and get it to run.  My
> > question is if I take my workstation to a full hardened system with
> > SSP+PIE toolchain, etc. will I still be able to run Quake3 and other
> > programs like it?  If I went to a full Hardened Gentoo system, even if I
> > disabled PaX's SEGMEXEC, PAGEXEC and mprotect, which is sufficient to run
> > Quake3 now, the toolchains' own SSP would then kick in and stop me,
> > right?
> >
> > I'm normally a test and do-it-myself kind of person, but I really don't
> > want to have to recompile the system to find out and then recompile again
> > if gcc's SSP/ProPolice does stop me.
> >
> > Side note: I masked gcc-4* and >=glibc-2.4 when they were stabled in x86.
> > I still run gcc-3.4.6-r2 and glibc-2.3.6-r5 so switching to the hardened
> > profile will not present any of those types of problems for me.
> >
> > Thank you for your help.
-- 
[email protected] mailing list

Reply via email to