On Wednesday 04 May 2005 16:02, Ned Ludd wrote: > On Wed, 2005-05-04 at 16:04 +0100, Pedro Venda wrote: > > On Wednesday 04 May 2005 01:43, ixion wrote: > > > I've had to drop the 'Disallow ELF text relocations' option due to > > > problems with MySQL, so I think you will be saving yourself some > > > trouble by going ahead and disabling it. It does some whacky things > > > with compiles, too. > > > > my mysql works ok even with diallow ELF tex relocations. I don't intend > > to save myself from trouble just by removing security features. I want to > > understand the "why"s behind and to find out if I'm alone with this > > issue. > > I wish more people had this attitude of wanting to get to the root of > the problem :) > > > Mike Frysinger and myself have written a package to help aid in the > tracking down of these text relocations and other faulty ELF problems. > > It's called pax-utils and it's in ~arch > For a quick scan of things that you possiable need to rebuild that have > text relocations you would do something like this. > scanelf -lptq > > Or a system wide deep scan. > scanelf -tRF%t%F /|grep TEXTREL
this is GREAT! thanks for the information. > Now I know for a fact that this lib can be built without text > relocations. It's often the conversion process for normal users that > come from non hardened envionments to a hardened one that have this > problem. It's usually caused by a non pic aware libcrypto.a that gets > used to later link to the libphp4.so so the hardened toolchain could rebuild the offending library and link the module against the pic object, resulting in a working combo? > > > thanks for your help anyway. > > > > I've figured out some other interesting stuff: > > > > - chpax is deprecated - I should have used paxctl instead. my kernel is > > configured to use PT flags instead of EI PaX flags. > > Sadly chpax can not be fully deprecated as of yet. There still existing > some corner stone cases such as java and a few other 3rd party vendor > things which will lack the PT_PAX_FLAGS program header. I enable both > for maximum administrator control. yes, I absolutely forgot non-compiled packages. > > - glibc, gcc and binutils should be recompiled with hardened and pic > > flags. Will this affect the ELF binary produced by the mod_php > > compilation? Will it work this time, if compiled with PIC? Find out in a > > couple of days, when I have time to do some compilations and reboots. > > I really recommended -e world (lot of other cases where non-pic > something.a gets mis linked in) but the use flags hardened and pic seldom appear. I suppose that the flag is not really necessary to build PIC code. the toolchain will do that for me. is the flag there for known workarounds? many many thanks for your informative reply! regards, pedro venda. -- Pedro Jo�o Lopes Venda email: pjlv < at > mega.ist.utl.pt http://arrakis.dhis.org
pgpHgaJJontgK.pgp
Description: PGP signature
