Re: [gentoo-user] Hardened Kernel (PaX): How to allow Text Relocations for *ONE* executable, while disallowing it for *EVERY* *OTHER* executable?

Sun, 16 Apr 2006 06:17:25 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alexander Skwar wrote:
> Willie Wong wrote:
>> On Sun, Apr 16, 2006 at 11:19:46AM +0200, Penguin Lover Alexander
>> Skwar squawked:
>>> Now, how do I allow text relocations for just ONE binary, while
>>> keeping it disallowed for every other executable (the ones which
>>> already exist and the ones, which are to come in the future)?
> [...]
>>> I thought that I could do this with "chpax -m $binary" (replacing
>>> $binary by the path to the executable, of course. In this case,
>>> /usr/NX/bin/nxagent). But, I did this, and I still get the error
>>> message.
>>
>> 1. Check and make sure there are no zombie processes of the desired
>> binary running.
> 
> [x] No Zombies
> 
>> 2. Personally I use paxctl (the interface is slightly more robust in
>> that I don't have to group all the flags in the first argument).
>> 3. So, post the output of 'chpax -v $binary'? It should have the line
>>    *mprotect()     : not restricted
> 
> [EMAIL PROTECTED] /usr/src $ /sbin/chpax -v /usr/NX/bin/nxagent
> 
> ----[ chpax 0.7 : Current flags for /usr/NX/bin/nxagent (pEmrxs) ]----
> 
>  * Paging based PAGE_EXEC       : disabled
>  * Trampolines                  : emulated
>  * mprotect()                   : not restricted
>  * mmap() base                  : not randomized
>  * ET_EXEC base                 : not randomized
>  * Segmentation based PAGE_EXEC : disabled
> 
> I now used paxctl, like you suggested in 2.. I ran:
> 
> paxctl -m /usr/NX/bin/nxagent
> 
> And see:
> 
> [EMAIL PROTECTED] /usr/src $ sudo paxctl -v /usr/NX/bin/nxagent
> PaX control v0.4
> Copyright 2004,2005 PaX Team <[EMAIL PROTECTED]>
> 
> - PaX flags: -----m-x-e-- [/usr/NX/bin/nxagent]
>         MPROTECT is disabled
>         RANDEXEC is disabled
>         EMUTRAMP is disabled
> 
> Now I am able to run NX. But none the less, I would still
> like to know, why chpax did not work.
> 
> Any ideas?
> 
> Alexander Skwar
Hi,
Because chpax uses the old ELF-header markings and paxctl uses the new
ones (binaries compiled with PIC & PIE, binutils 2.16.X).
So you use chpax or paxctl depending on the binary.
HTH.Rumen
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2-ecc0.1.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEQkJoNbtuTtsWD3wRAtiRAJwIpQ8su9vvoF0xU8zBRhdvgB3VQgCeObWl
EJt5COvdMDgjvqAMKUwUIj4=
=++Z/
-----END PGP SIGNATURE-----
-- 
[email protected] mailing list

Reply via email to