grsecurity forums


https://forums.grsecurity.net./

Do I need to chpax xorg?

https://forums.grsecurity.net./viewtopic.php?f=3&t=1681

Page 1 of 1

Do I need to chpax xorg?

PostPosted: Fri Feb 16, 2007 2:24 pm
by harrygittens
Hello guys

I heard on the Ubuntu forums that certain parts of X.Org still execute stuff off the stack so I should chpax -sp it. I'm reluctant to do this unless I really have to, and X seems to work okay.

Do you really need to chpax X??

Re: Do I need to chpax xorg?

PostPosted: Sat Feb 17, 2007 8:12 am
by Alexei.Sheplyakov
harrygittens wrote:
I heard on the Ubuntu forums that certain parts of X.Org still execute
stuff off the stack so I should chpax -sp it. I'm reluctant to do this
unless I really have to, and X seems to work okay.

Do you really need to chpax X??


X server works for me with default flags, e.g.

[on x86 box running Etch]

Code: Select all
$ chpax -v /usr/bin/Xorg

----[ chpax 0.7 : Current flags for /usr/bin/Xorg (PeMRxS) ]----

 * Paging based PAGE_EXEC       : enabled (overridden)
 * Trampolines                  : not emulated
 * mprotect()                   : restricted
 * mmap() base                  : randomized
 * ET_EXEC base                 : not randomized
 * Segmentation based PAGE_EXEC : enabled


$ dpkg -l xserver-xorg-core
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name              Version        Description
+++-=================-==============-============================================
ii  xserver-xorg-core 1.1.1-17       X.Org X server -- core server

Re: Do I need to chpax xorg?

PostPosted: Mon Feb 19, 2007 11:34 am
by PaX Team
harrygittens wrote:I heard on the Ubuntu forums that certain parts of X.Org still execute stuff off the stack so I should chpax -sp it. I'm reluctant to do this unless I really have to, and X seems to work okay.

Do you really need to chpax X??
first, don't use chpax, use paxctl (even if your binutils is not patched, the -C option should work on most binaries). second, X.org servers since 6.9/7.0 don't need any special treatment as they use the ELF modul loader which is compatible with PaX (even older servers will work fine if linked statically or configured for the ELF loader). third, there're certain binary drivers (like nvidia) whose GL implementation relies on runtime code generation, that means that any app linking against their libGL needs paxctl -m.
All times are UTC - 5 hours [ DST ]
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/