grsecurity forums

by **PaX Team** » Sun Jun 03, 2007 5:37 am

mikeeusa wrote:ls: error while loading shared libraries: libacl.so.1: cannot enable executable stack as shared object requires: Permission denied

What do I do?

let me see... do you notice that awesome google powered editbox at the top of the page? i hear it can give you answers, provided you try at all. little things like http://forums.grsecurity.net/viewtopic.php?t=673 or http://forums.grsecurity.net/viewtopic.php?t=933 or http://forums.grsecurity.net/viewtopic.php?t=1152 (a familiar face inside ;-)

or http://forums.grsecurity.net/viewtopic.php?p=3136 or http://forums.grsecurity.net/viewtopic.php?t=933.

by **Alexei.Sheplyakov** » Sun Jun 10, 2007 12:43 pm

mikeeusa wrote:Ok I'm reading through those but I don't want to disable mprotect

Actually, there is no need for disabling it.

Code: Select all: $ cat /etc/debian_version 4.0 $ grep -e 'PAX.*=y' /boot/config-`uname -r` CONFIG_PAX=y CONFIG_PAX_EI_PAX=y CONFIG_PAX_PT_PAX_FLAGS=y CONFIG_PAX_HAVE_ACL_FLAGS=y CONFIG_PAX_NOEXEC=y CONFIG_PAX_SEGMEXEC=y CONFIG_PAX_EMUTRAMP=y CONFIG_PAX_MPROTECT=y CONFIG_PAX_KERNEXEC=y CONFIG_PAX_ASLR=y CONFIG_PAX_RANDUSTACK=y CONFIG_PAX_RANDMMAP=y CONFIG_PAX_MEMORY_UDEREF=y

mikeeusa wrote:ls: error while loading shared libraries: libacl.so.1: cannot enable executable stack as shared object requires: Permission denied

Interesting.

Code: Select all: $ dpkg -S /lib/libacl.so.1 libacl1: /lib/libacl.so.1 $ aptitude download libacl1 Reading package lists... Building dependency tree... Reading extended state information... Initializing package states... Building tag database... Get:1 http://thproxy.jinr.ru etch/main libacl1 2.2.41-1 [15,0kB] Fetched 15,0kB in 0s (541kB/s) $ dpkg-deb -x libacl1_2.2.41-1_i386.deb check $ execstack check/lib/libacl.so.1.1.0 - check/lib/libacl.so.1.1.0

Probably you've done partial upgrade only, and there are some libraries
from Sarge without proper PT_GNU_STACK marker (or without any PT_GNU_STACK
marker at all).

mikeeusa wrote:(also note: I try to use gradm... and it worked fine before the debian update).

Could you please be more specific? What was "good" and "bad" versions?

mikeeusa wrote:What are the libs I need to de-mprotect and what commands do I need to do that

Install the `prelink' package and use `execstack' utility to find out.

Code: Select all: find /lib /usr/lib -name '*.so.*.*.*' | xargs execstack | grep -v '^'

Most libraries do not use executable stack, so you could turn it off
completely:

Code: Select all: find /lib /usr/lib -name '*.so.*.*.*' | xargs execstack | \ grep -v '^' | xargs -n 1 execstack -c

and enable executable stack for programs/libraries which need it (mostly
LISP/Java/... runtimes, emulators, and some proprietary X drivers).

mikeeusa wrote:Why is debian and friends working against us?

They aren't. Most maintainers readily accept patches which make their
packages run correctly on grsecurity (SELinux, execshield, etc) systems,
see e.g.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=323944
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=321748
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=321721

grsecurity forums

ls no longer works in debian: ls: error while loading shared

Re: ls no longer works in debian: ls: error while loading sh