mikeeusa wrote: Ok I'm reading through those but I don't want to disable mprotect
Actually, there is no need for disabling it.
Code:
$ cat /etc/debian_version
4.0
$ grep -e 'PAX.*=y' /boot/config-`uname -r`
CONFIG_PAX=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_HAVE_ACL_FLAGS=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_UDEREF=y
mikeeusa wrote: ls: error while loading shared libraries: libacl.so.1: cannot enable executable stack as shared object requires: Permission denied
Interesting.
Code:
$ dpkg -S /lib/libacl.so.1
libacl1: /lib/libacl.so.1
$ aptitude download libacl1
Reading package lists...
Building dependency tree...
Reading extended state information...
Initializing package states...
Building tag database...
Get:1 http://thproxy.jinr.ru etch/main libacl1 2.2.41-1 [15,0kB]
Fetched 15,0kB in 0s (541kB/s)
$ dpkg-deb -x libacl1_2.2.41-1_i386.deb check
$ execstack check/lib/libacl.so.1.1.0
- check/lib/libacl.so.1.1.0
Probably you've done a partial upgrade only, and there are some libraries
from Sarge without a proper PT_GNU_STACK marker (or without any PT_GNU_STACK
marker at all).
mikeeusa wrote: (also note: I try to use gradm... and it worked fine before the debian update).
Could you please be more specific? What were the "good" and "bad" versions?
mikeeusa wrote: What are the libs I need to de-mprotect and what commands do I need to do that
Install the `prelink' package and use the `execstack' utility to find out.
Code:
# list libraries not marked "-" (flagged X, or ? when the marker is missing)
find /lib /usr/lib -name '*.so.*.*.*' | xargs execstack | grep -v '^-'
Most libraries do not use executable stack, so you could turn it off
completely:
Code:
# strip the leading flag column so only file names reach `execstack -c'
find /lib /usr/lib -name '*.so.*.*.*' | xargs execstack | \
grep -v '^-' | sed 's/^. //' | xargs -n 1 execstack -c
and enable executable stack for programs/libraries which need it (mostly
LISP/Java/... runtimes, emulators, and some proprietary X drivers).
mikeeusa wrote: Why is debian and friends working against us?
They aren't. Most maintainers readily accept patches which make their
packages run correctly on grsecurity (SELinux, execshield, etc) systems,
see e.g.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=323944
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=321748
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=321721