Do I need to chpax xorg?

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Do I need to chpax xorg?

Postby harrygittens » Fri Feb 16, 2007 2:24 pm

Hello guys

I heard on the Ubuntu forums that certain parts of X.Org still execute stuff off the stack so I should chpax -sp it. I'm reluctant to do this unless I really have to, and X seems to work okay.

Do you really need to chpax X??
harrygittens
 
Posts: 21
Joined: Fri Feb 16, 2007 2:20 pm

Re: Do I need to chpax xorg?

Postby Alexei.Sheplyakov » Sat Feb 17, 2007 8:12 am

harrygittens wrote:
I heard on the Ubuntu forums that certain parts of X.Org still execute
stuff off the stack so I should chpax -sp it. I'm reluctant to do this
unless I really have to, and X seems to work okay.

Do you really need to chpax X??


X server works for me with default flags, e.g.

[on x86 box running Etch]

Code: Select all
$ chpax -v /usr/bin/Xorg

----[ chpax 0.7 : Current flags for /usr/bin/Xorg (PeMRxS) ]----

 * Paging based PAGE_EXEC       : enabled (overridden)
 * Trampolines                  : not emulated
 * mprotect()                   : restricted
 * mmap() base                  : randomized
 * ET_EXEC base                 : not randomized
 * Segmentation based PAGE_EXEC : enabled


$ dpkg -l xserver-xorg-core
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name              Version        Description
+++-=================-==============-============================================
ii  xserver-xorg-core 1.1.1-17       X.Org X server -- core server

Alexei.Sheplyakov
 
Posts: 53
Joined: Sun Feb 19, 2006 11:48 am

Re: Do I need to chpax xorg?

Postby PaX Team » Mon Feb 19, 2007 11:34 am

harrygittens wrote:I heard on the Ubuntu forums that certain parts of X.Org still execute stuff off the stack so I should chpax -sp it. I'm reluctant to do this unless I really have to, and X seems to work okay.

Do you really need to chpax X??
first, don't use chpax, use paxctl (even if your binutils is not patched, the -C option should work on most binaries). second, X.org servers since 6.9/7.0 don't need any special treatment as they use the ELF modul loader which is compatible with PaX (even older servers will work fine if linked statically or configured for the ELF loader). third, there're certain binary drivers (like nvidia) whose GL implementation relies on runtime code generation, that means that any app linking against their libGL needs paxctl -m.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm


Return to grsecurity support

cron