BAD: latest Debian postgres doesn't run


Post by Carlos Carvalho » Fri May 30, 2014 7:44 pm

I've just installed the latest postgres version in Debian, and always get this denial:

May 30 20:31:09 hoggar kernel: grsec: From 192.168.3.128: denied RWX mprotect of <stack> by /usr/lib/postgresql/9.3/bin/postgres

I tried setfattr -n user.pax.flags -v "mer" and paxctl -Cm to no avail. I thought this might explain it:

Changes for postgresql-9.3 (libpq5 libpq-dev postgresql-client-9.3 postgresql-9.3) ---
postgresql-9.3 (9.3.4-2) unstable; urgency=medium

* Skip -pie on 32bit archs for performance and stability reasons.
Closes: #749686; details at
http://www.postgresql.org/message-id/20 ... d.df7cb.de

That thread talks about a problem specifically for 32-bit.

I tried to revert to a previous version of the package but it still doesn't work, with the same error.

Any ideas?
Carlos Carvalho
 
Posts: 27
Joined: Thu Apr 21, 2011 4:48 pm

Re: BAD: latest Debian postgres doesn't run

Post by PaX Team » Fri Jun 06, 2014 7:35 pm

instead of disabling MPROTECT on the postgresql binary you should find out why it wants an executable stack, it's more likely that it doesn't and it's just some miscompiled library (the usual GNU_STACK induced breakage). you can strace it and see what library gets loaded last just before the mprotect failure, that'll be the culprit.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: BAD: latest Debian postgres doesn't run

Post by Carlos Carvalho » Fri Jun 13, 2014 8:56 am

The explanation is in the link I posted. Debian decided to compile postgres without -PIE thus PAX blocks it. There are explanations in the thread from the postgres developers why it's necessary but I don't understand them.

The best is to move to 64 bits. I'm reinstalling the server in the new architecture and now postgres runs.
Carlos Carvalho
 
Posts: 27
Joined: Thu Apr 21, 2011 4:48 pm

Re: BAD: latest Debian postgres doesn't run

Post by PaX Team » Fri Jun 13, 2014 9:33 am

Carlos Carvalho wrote: The explanation is in the link I posted. Debian decided to compile postgres without -PIE thus PAX blocks it.

PaX doesn't block the execution of normal (non-PIE) executables per se, the cause is something else...
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
