On Wed, 2005-05-04 at 16:04 +0100, Pedro Venda wrote:
> On Wednesday 04 May 2005 01:43, ixion wrote:
> > I've had to drop the 'Disallow ELF text relocations' option due to
> > problems with MySQL, so I think you will be saving yourself some trouble
> > by going ahead and disabling it. It does some whacky things with compiles,
> > too.
> 
> my mysql works ok even with disallow ELF text relocations. I don't intend to 
> save myself from trouble just by removing security features. I want to 
> understand the "why"s behind it and to find out if I'm alone with this issue.

I wish more people had this attitude of wanting to get to the root of 
the problem :)


Mike Frysinger and I have written a package to help track down these
text relocations and other faulty ELF problems.

It's called pax-utils and it's in ~arch.
For a quick scan of the things with text relocations that you may need
to rebuild, you would do something like this:
scanelf -lptq

Or, for a system-wide deep scan:
scanelf -tRF%t%F / | grep TEXTREL

Now I know for a fact that this lib can be built without text
relocations. It's often the conversion process for normal users who
come from non-hardened environments to a hardened one that causes this
problem. It's usually caused by a non-PIC-aware libcrypto.a that later
gets linked into libphp4.so.

> thanks for your help anyway.
> 
> I've figured out some other interesting stuff:
> 
> - chpax is deprecated - I should have used paxctl instead. my kernel is 
> configured to use PT flags instead of EI PaX flags.

Sadly chpax cannot be fully deprecated as of yet. There still exist
some corner cases, such as java and a few other 3rd party vendor
things, which lack the PT_PAX_FLAGS program header. I enable both
for maximum administrator control.

> - glibc, gcc and binutils should be recompiled with hardened and pic flags. 
> Will this affect the ELF binary produced by the mod_php compilation? Will it 
> work this time, if compiled with PIC? Find out in a couple of days, when I 
> have time to do some compilations and reboots.

I really recommend -e world (there are lots of other cases where a
non-PIC something.a gets mis-linked in).

> regards,
> pedro venda.
-- 
Ned Ludd <[EMAIL PROTECTED]>
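As an added example (not part of pax-utils and not code from anyone in this thread), the following Python reimplements the check behind the `scanelf -t` commands above so it is clear what "has text relocations" actually means to the dynamic linker: the object's PT_DYNAMIC segment carries a DT_TEXTREL entry, or a DT_FLAGS entry with the DF_TEXTREL bit set. It handles both 32-bit and 64-bit little-endian ELF. The helper `make_elf` and the sample images it builds are constructed stubs for the test (they are not loadable libraries); `has_textrel` and `scan_files` are hypothetical names, and the `TEXTREL <path>` output line is only modelled on the `-F%t%F` format, not a byte-for-byte clone of scanelf.

```python
"""Re-implementation of the TEXTREL test performed by `scanelf -t`.

Added example; not part of pax-utils.  A shared object needs text
relocations (writable, non-shareable code pages at load time) when its
dynamic section says so: a DT_TEXTREL tag, or DF_TEXTREL in DT_FLAGS.
"""
import struct
import sys

PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 16, 30
DF_TEXTREL = 0x4
ELFCLASS32, ELFCLASS64 = 1, 2

# Struct layouts per ELF class (little-endian only; big-endian would
# need '>' instead of '<').
_LAYOUT = {
    ELFCLASS32: dict(ehdr="<16sHHIIIIIHHHHHH", phdr="<IIIIIIII", dyn="<iI"),
    ELFCLASS64: dict(ehdr="<16sHHIQQQIHHHHHH", phdr="<IIQQQQQQ", dyn="<qQ"),
}


def has_textrel(image: bytes) -> bool:
    """Return True if the ELF image needs text relocations."""
    if image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    elf_class = image[4]
    if elf_class not in _LAYOUT or image[5] != 1:  # EI_DATA 1 = little-endian
        raise ValueError("unsupported ELF class or byte order")
    lay = _LAYOUT[elf_class]
    ehdr = struct.unpack_from(lay["ehdr"], image, 0)
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    for i in range(e_phnum):
        ph = struct.unpack_from(lay["phdr"], image, e_phoff + i * e_phentsize)
        if elf_class == ELFCLASS64:   # Elf64_Phdr: type, flags, offset, ..., filesz
            p_type, p_offset, p_filesz = ph[0], ph[2], ph[5]
        else:                         # Elf32_Phdr: type, offset, ..., filesz
            p_type, p_offset, p_filesz = ph[0], ph[1], ph[4]
        if p_type != PT_DYNAMIC:
            continue
        step = struct.calcsize(lay["dyn"])
        off, end = p_offset, p_offset + p_filesz
        while off + step <= end:
            tag, val = struct.unpack_from(lay["dyn"], image, off)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
            off += step
    return False


def make_elf(elf_class: int, dyn_entries) -> bytes:
    """Constructed test image: an ET_DYN header whose only program header is
    PT_DYNAMIC, followed by dyn_entries as (tag, value) pairs plus DT_NULL.
    Not loadable; it exists only so the parser has something to read."""
    lay = _LAYOUT[elf_class]
    ehsize, phsize = struct.calcsize(lay["ehdr"]), struct.calcsize(lay["phdr"])
    dyn = b"".join(struct.pack(lay["dyn"], t, v) for t, v in dyn_entries)
    dyn += struct.pack(lay["dyn"], DT_NULL, 0)
    ident = b"\x7fELF" + bytes([elf_class, 1, 1, 0, 0]) + bytes(7)
    machine = 62 if elf_class == ELFCLASS64 else 3   # EM_X86_64 / EM_386
    dyn_off = ehsize + phsize
    ehdr = struct.pack(lay["ehdr"], ident, 3, machine, 1, 0, ehsize, 0, 0,
                       ehsize, phsize, 1, 0, 0, 0)
    if elf_class == ELFCLASS64:
        phdr = struct.pack(lay["phdr"], PT_DYNAMIC, 6, dyn_off, 0, 0,
                           len(dyn), len(dyn), 8)
    else:
        phdr = struct.pack(lay["phdr"], PT_DYNAMIC, dyn_off, 0, 0,
                           len(dyn), len(dyn), 6, 4)
    return ehdr + phdr + dyn


def scan_files(paths):
    """Modelled on `scanelf -tF%t%F`: return (flag, path) pairs, where flag is
    'TEXTREL' or '-'.  Unreadable or non-ELF files are skipped silently."""
    results = []
    for path in paths:
        try:
            with open(path, "rb") as fh:
                data = fh.read()
            flag = "TEXTREL" if has_textrel(data) else "-"
        except (OSError, ValueError, struct.error):
            continue
        results.append((flag, path))
    return results


if __name__ == "__main__":
    # Usage: python3 textrel_check.py /usr/lib/*.so   (hypothetical file name)
    for flag, path in scan_files(sys.argv[1:]):
        if flag == "TEXTREL":
            print(flag, path)
```

The check deliberately reads the dynamic segment rather than looking at relocation sections, because that is what ld.so consults at load time and what PaX's MPROTECT restriction trips over; a library that merely contains absolute relocations in a writable data section is fine and is not flagged.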

-- 
[email protected] mailing list