Newbie questions

Postby jeremy beadle » Tue Dec 19, 2006 1:00 pm

I'm a complete fr00b when it comes to securing Linux and I have some questions about grsecurity since I think it offers what I want.

I've been repeatedly told that grsecurity and PaX in general is for servers rather than desktops. I'm inclined to believe that's true, but I feel desktops are no less deserving of security than servers are.

I patched the 2.6.18.2 kernel with grsecurity and set the security level to "high" since "high" obviously sounds more secure than "low". This left me unable to log in graphically because I was "out of disk space" (I wasn't). I set the level to "low" and recompiled and was then able to log in.

There's a hell of a lot of options there and I suppose any one of them could be to blame. Therefore, I've decided that I'd just like specific security features.

I'm sure you guys know MS Windows has Data Execution Prevention which uses the NX bit to prevent execution of code on the stack. Basically this is all the functionality I'd like to enable. I understand this could be provided with PaX.

How would I go about just enabling this feature (and any other little features, as long as they're unlikely to cause trouble)?

Thanks.
jeremy beadle
Posts: 2
Joined: Tue Dec 19, 2006 12:53 pm

Postby jeremy beadle » Thu Dec 21, 2006 11:51 am

The post wasn't that bad, was it?
jeremy beadle
Posts: 2
Joined: Tue Dec 19, 2006 12:53 pm

Re: Newbie questions

Postby PaX Team » Fri Dec 22, 2006 9:55 am

jeremy beadle wrote:
> I've been repeatedly told that grsecurity and PaX in general is for servers rather than desktops. I'm inclined to believe that's true, but I feel desktops are no less deserving of security than servers are.

you were told wrong ;P. both grsecurity and PaX were developed by desktop users for their own use, therefore it has always been necessary to make such use as painless as possible (that's not to say the job is anything near done of course).

> I patched the 2.6.18.2 kernel with grsecurity and set the security level to "high" since "high" obviously sounds more secure than "low". This left me unable to log in graphically because I was "out of disk space" (I wasn't).

normally, the quality of responses to bug reports is proportional to the information content of said reports... relevant logs, kernel dmesg, .config, distro version (glibc, toolchain info), etc.

> I'm sure you guys know MS Windows has Data Execution Prevention which uses the NX bit to prevent execution of code on the stack. Basically this is all the functionality I'd like to enable. I understand this could be provided with PaX.
>
> How would I go about just enabling this feature (and any other little features, as long as they're unlikely to cause trouble)?

what PaX has historically done is the emulation of the NX bit behaviour on CPUs that don't actually have one (i.e., the majority of IA-32 CPUs). there're two different techniques (PAGEEXEC and SEGMEXEC), you're probably better off with the latter. as for actual hw NX bit use, see http://marc.theaimsgroup.com/?l=gentoo-hardened&m=114987924519660&w=2.
PaX Team
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
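A way to check, on a running system, whether the non-executable stack the reply talks about is actually in force for a process. This is an added example, not code from the thread or from the PaX project; it assumes a Linux /proc filesystem and the per-process "PaX:" status line that PaX kernels add to /proc/<pid>/status (upper-case flag letter = enabled, lower-case = disabled).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Copy the first line of text containing needle into buf; return 1 if found. */
static int find_line(const char *text, const char *needle, char *buf, size_t n)
{
    while (*text) {
        const char *e = strchr(text, '\n');
        size_t len = e ? (size_t)(e - text) : strlen(text);
        if (len >= n) len = n - 1;        /* truncate over-long lines */
        memcpy(buf, text, len), buf[len] = '\0';
        if (strstr(buf, needle)) return 1;
        if (!e) return 0; text = e + 1;
    }
    return 0;
}
/* 1 if the [stack] mapping in a /proc/<pid>/maps listing is executable, 0 if
 * it is not (hardware NX or PaX emulation in effect), -1 if no [stack] line. */
int stack_is_executable(const char *maps_text)
{
    char line[512], perms[8];             /* perms field looks like "rw-p" */
    if (!find_line(maps_text, "[stack]", line, sizeof line)) return -1;
    return sscanf(line, "%*s %7s", perms) == 1 && strlen(perms) > 2 && perms[2] == 'x';
}
/* PaX reports per-process flags in /proc/<pid>/status, e.g. "PaX:\tPeMRs":
 * upper case = enabled, lower case = disabled (P=PAGEEXEC, S=SEGMEXEC,
 * M=MPROTECT). Returns 1/0 for enabled/disabled, -1 if the kernel has no PaX. */
int pax_flag_enabled(const char *status_text, char flag)
{
    char line[128];
    if (!find_line(status_text, "PaX:", line, sizeof line)) return -1;
    const char *f = strstr(line, "PaX:") + 4;   /* skip the "PaX:" label itself */
    int up = toupper((unsigned char)flag), lo = tolower((unsigned char)flag);
    return strchr(f, up) ? 1 : strchr(f, lo) ? 0 : -1;
}
int main(void)
{
    static char buf[2][65536];
    const char *path[2] = { "/proc/self/maps", "/proc/self/status" };
    for (int i = 0; i < 2; i++) {         /* read both proc files for this process */
        FILE *f = fopen(path[i], "r");
        size_t len = f ? fread(buf[i], 1, sizeof buf[i] - 1, f) : 0;
        if (f) fclose(f);
        buf[i][len] = '\0';
    }
    printf("stack executable: %d  PAGEEXEC: %d  SEGMEXEC: %d  MPROTECT: %d\n",
           stack_is_executable(buf[0]), pax_flag_enabled(buf[1], 'P'),
           pax_flag_enabled(buf[1], 'S'), pax_flag_enabled(buf[1], 'M'));
    return 0;
}
```

On a kernel without PaX the flag checks return -1 while the maps check still tells you whether the stack is mapped non-executable.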
