grsecurity forums

[Toni]

Hi, I'm new in the forum. I'm testing Suse 9.0 with grsecurity (now using kernel 2.6.11.12). Compilation runs ok. but when I have rebooted my machine. None seems work properly. some servers can't execute all with the same error. I can't also login, always "Login Incorrect" while expecting password input request.

When compiling without PAGEEXEC or/and SEMEXEC options, all seems ok.

what I can do?.
Thanks in advance and sorry for my poor english.

----------------------------------------------------------------
/usr/bin/sshd: error while loading shared libraries: libcrypto.so.0.9.7: cannot enable executable stack as shared object requires: Permission denied
/usr/sbin/cupsd: error while loading shared libraries: libcrypto.so.0.9.7: cannot enable executable stack as shared object requires: Permission denied

...
login: root
Login incorrect

Welcome to SuSE 9.0 (i586)

login:

------------------------------------------------------------------------------

[PaX Team]

----------------------------------------------------------------
/usr/bin/sshd: error while loading shared libraries: libcrypto.so.0.9.7: cannot enable executable stack as shared object requires: Permission denied

search the forum, this problem has been discussed already.

[Toni]

I have search for this issue and I have found the following aswer to my question:

I shoud rebuild binaries that "readelf -l | grep GNU_STACK" , says "RWE", with -Wl,-z,execstack (or noexecstack) gcc options. I have found about 100 or 120 binaries in a minimal linux installation, I should rebuild almost all linux distribution.....


First question:

I'm looking for this gcc options on the man and I can not find it... I'm on i386 based kernel, where can I find information about that?.

Second question:

We have bougth a non open source web server and perhaps vendor have not compiled with this gcc options, does it mean that I can not use Gr-Security for this server?.


Thaks a lot.



Toni.

[PaX Team]

I shoud rebuild binaries that "readelf -l | grep GNU_STACK" , says "RWE", with -Wl,-z,execstack (or noexecstack) gcc options. I have found about 100 or 120 binaries in a minimal linux installation, I should rebuild almost all linux distribution.....

that's only one way of fixing it, there're more. how about: http://forums.grsecurity.net./viewtopic.php?t=1087 or http://forums.grsecurity.net./viewtopic.php?t=933 or http://forums.grsecurity.net./viewtopic.php?t=807?

First question:

I'm looking for this gcc options on the man and I can not find it... I'm on i386 based kernel, where can I find information about that?.

although i don't think you will need to go this route, look at the ld info pages, as execstack/noexecstack are ld switches, not that of gcc.

Second question:

We have bougth a non open source web server and perhaps vendor have not compiled with this gcc options, does it mean that I can not use Gr-Security for this server?.

you can surely use grsec with it, but you'll need one of the workarounds/fixes mentioned at the above URLs. my guess is that execstack -c will suffice.