installing rpm's on redhat box denied.

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

installing rpm's on redhat box denied.

Postby p1mp » Mon Feb 23, 2004 4:22 pm

hello all i have a redhat 9.0 box with grsecurity 2.4.24 installed everything works great except that when i try installing rpm's via root i get this error


rpm: error while loading shared libraries: /usr/lib/librpmio-4.2.so: cannot make segment writable for relocation: Permission denied
p1mp
 
Posts: 1
Joined: Mon Feb 23, 2004 4:20 pm

Re: installing rpm's on redhat box denied.

Postby PaX Team » Mon Feb 23, 2004 5:09 pm

p1mp wrote:rpm: error while loading shared libraries: /usr/lib/librpmio-4.2.so: cannot make segment writable for relocation: Permission denied
this is the result of librpmio having text relocations and your having enabled NOELFRELOCS. either of the two has to change, for now it's easier to disable NOELFRELOCS but you should also tell redhat about this so that they can fix it properly.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby superbock » Thu Apr 15, 2004 4:48 pm

I also get this with liblvm, which renders LVM completely useless on this machine.

Problem is, NOELFRELOCS is off, as default.

Running FC1 + 2.4.26 + grsec2.0

Any thoughts?
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm

Postby PaX Team » Thu Apr 15, 2004 5:43 pm

superbock wrote:I also get this with liblvm, which renders LVM completely useless on this machine.

Problem is, NOELFRELOCS is off, as default.

Running FC1 + 2.4.26 + grsec2.0

Any thoughts?
can you post your .config (only the PaX bits), an strace output for whatever app fails to load liblvm and a 'readelf -e' on liblvm ?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby superbock » Thu Apr 15, 2004 6:42 pm

Kernel config is below. As for strace and readelf, i can only post tomorrow, when at workplace again. This happens right on boot, when rc.sysinit runs "vgscan", so lots of fs's don't get mounted. Will work around it tomorrow so i can post the request info.

#
# PaX Control
#
# CONFIG_GRKERNSEC_PAX_SOFTMODE is not set
CONFIG_GRKERNSEC_PAX_EI_PAX=y
CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS=y
CONFIG_GRKERNSEC_PAX_NO_ACL_FLAGS=y
# CONFIG_GRKERNSEC_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_GRKERNSEC_PAX_HOOK_ACL_FLAGS is not set

#
# Address Space Protection
#
CONFIG_GRKERNSEC_PAX_NOEXEC=y
# CONFIG_GRKERNSEC_PAX_PAGEEXEC is not set
CONFIG_GRKERNSEC_PAX_SEGMEXEC=y
# CONFIG_GRKERNSEC_PAX_EMUTRAMP is not set
CONFIG_GRKERNSEC_PAX_MPROTECT=y
# CONFIG_GRKERNSEC_PAX_NOELFRELOCS is not set
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDKSTACK=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_PAX_RANDEXEC=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_RTC=y
# CONFIG_GRKERNSEC_PROC_MEMMAP is not set
CONFIG_GRKERNSEC_HIDESYM=y
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm

strace vgscan

Postby superbock » Fri Apr 16, 2004 11:59 am

execve("/sbin/vgscan", ["vgscan"], [/* 17 vars */]) = 0
uname({sys="Linux", node="uhuh.yeah", ...}) = 0
set_tid_address(0) = -1 ENOSYS (Function not implemented)
brk(0) = 0x8051886
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=16394, ...}) = 0
old_mmap(NULL, 16394, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2ee27000
close(3) = 0
open("/lib/liblvm-10.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`U\220\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0555, st_size=2257634, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ee2c000
old_mmap(0x900000, 201556, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2ee2d000
old_mmap(0x2ee5a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x2c000) = 0x2ee5a000
old_mmap(0x2ee5c000, 9044, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2ee5c000
close(3) = 0
mprotect(0x5b2ec000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN) = -1 EINVAL (Invalid argument)
mprotect(0x5b2e5000, 32768, PROT_READ|PROT_WRITE|PROT_EXEC) = -1 ENOMEM (Cannot allocate memory)
mprotect(0x5b2e9000, 16384, PROT_READ|PROT_WRITE|PROT_EXEC) = -1 ENOMEM (Cannot allocate memory)
mprotect(0x5b2eb000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC) = -1 EACCES (Permission denied)
writev(2, [{"vgscan", 6}, {": ", 2}, {"error while loading shared libra"..., 36}, {": ", 2}, {"liblvm-10.so.1", 14}, {": ", 2}, {"cannot enable executable stack a"..., 56}, {": ", 2}, {"Permission denied", 17}, {"\n", 1}], 10vgscan: error while loading shared libraries: liblvm-10.so.1: cannot enable executable stack as shared object requires: Permission denied
) = 138
exit_group(127) = ?
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm

readelf -e liblvm

Postby superbock » Fri Apr 16, 2004 12:01 pm

ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x905560
Start of program headers: 52 (bytes into file)
Start of section headers: 2236668 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 5
Size of section headers: 40 (bytes)
Number of section headers: 37
Section header string table index: 34

Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] NULL 00000000 000000 000000 00 0 0 0
[ 1] .hash HASH 009000d4 0000d4 0009a0 04 A 2 0 4
[ 2] .dynsym DYNSYM 00900a74 000a74 0015f0 10 A 3 1f 4
[ 3] .dynstr STRTAB 00902064 002064 001238 00 A 0 0 1
[ 4] .gnu.version VERSYM 0090329c 00329c 0002be 02 A 2 0 2
[ 5] .gnu.version_r VERNEED 0090355c 00355c 000050 00 A 3 1 4
[ 6] .rel.dyn REL 009035ac 0035ac 000ad0 08 A 2 0 4
[ 7] .rel.plt REL 0090407c 00407c 0006e8 08 A 2 9 4
[ 8] .init PROGBITS 00904764 004764 000017 00 AX 0 0 4
[ 9] .plt PROGBITS 0090477c 00477c 000de0 04 AX 0 0 4
[10] .text PROGBITS 00905560 005560 01a5fc 00 AX 0 0 16
[11] .fini PROGBITS 0091fb5c 01fb5c 00001b 00 AX 0 0 4
[12] .rodata PROGBITS 0091fb80 01fb80 00c4d2 00 A 0 0 32
[13] .eh_frame_hdr PROGBITS 0092c054 02c054 000014 00 A 0 0 4
[14] .eh_frame PROGBITS 0092c068 02c068 00003c 00 A 0 0 4
[15] .data PROGBITS 0092d0c0 02c0c0 000bc4 00 WA 0 0 32
[16] .dynamic DYNAMIC 0092dc84 02cc84 0000c8 08 WA 3 0 4
[17] .ctors PROGBITS 0092dd4c 02cd4c 000008 00 WA 0 0 4
[18] .dtors PROGBITS 0092dd54 02cd54 000008 00 WA 0 0 4
[19] .jcr PROGBITS 0092dd5c 02cd5c 000004 00 WA 0 0 4
[20] .got PROGBITS 0092dd60 02cd60 0003b8 04 WA 0 0 4
[21] .bss NOBITS 0092e120 02d120 003234 00 WA 0 0 32
[22] .comment PROGBITS 00000000 02d120 001bb9 00 0 0 1
[23] .debug_aranges PROGBITS 00000000 02ece0 001298 00 0 0 8
[24] .debug_pubnames PROGBITS 00000000 02ff78 001e01 00 0 0 1
[25] .debug_info PROGBITS 00000000 031d79 1b4b44 00 0 0 1
[26] .debug_abbrev PROGBITS 00000000 1e68bd 01487d 00 0 0 1
[27] .debug_line PROGBITS 00000000 1fb13a 01af79 00 0 0 1
[28] .debug_frame PROGBITS 00000000 2160b4 002b98 00 0 0 4
[29] .debug_str PROGBITS 00000000 218c4c 008796 01 MS 0 0 1
[30] .debug_ranges PROGBITS 00000000 2213e2 000578 00 0 0 1
[31] .gnu.liblist GNU_LIBLIST 00000000 22195c 000028 14 32 0 4
[32] .gnu.libstr STRTAB 00000000 221984 00001e 00 0 0 1
[33] .gnu.prelink_undo PROGBITS 00000000 2219a4 0005fc 01 0 0 4
[34] .shstrtab STRTAB 00000000 221fa0 00015c 00 0 0 1
[35] .symtab SYMTAB 00000000 2226c4 002630 10 36 123 4
[36] .strtab STRTAB 00000000 224cf4 0025ee 00 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings)
I (info), L (link order), G (group), x (unknown)
O (extra OS processing required) o (OS specific), p (processor specific)

Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x000000 0x00900000 0x00900000 0x2c0a4 0x2c0a4 R E 0x1000
LOAD 0x02c0c0 0x0092d0c0 0x0092d0c0 0x01058 0x04294 RW 0x1000
DYNAMIC 0x02cc84 0x0092dc84 0x0092dc84 0x000c8 0x000c8 RW 0x4
GNU_EH_FRAME 0x02c054 0x0092c054 0x0092c054 0x00014 0x00014 R 0x4
STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4

Section to Segment mapping:
Segment Sections...
00 .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
01 .data .dynamic .ctors .dtors .jcr .got .bss
02 .dynamic
03 .eh_frame_hdr
04
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm

workaround..

Postby superbock » Fri Apr 16, 2004 12:06 pm

able to load LVM and boot machine properly after editing rc.sysinit and changing vgscan and vgchange to their .static brothers, as expected. Every other LVM util's broken though.
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm

and another one

Postby superbock » Fri Apr 16, 2004 12:16 pm

# apt-get
apt-get: error while loading shared libraries: libbeecrypt.so.6: cannot enable executable stack as shared object requires: Permission denied
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm

apt-get strace

Postby superbock » Fri Apr 16, 2004 12:17 pm

# strace apt-get
execve("/usr/bin/apt-get", ["apt-get"], [/* 27 vars */]) = 0
uname({sys="Linux", node="uhuh.yeah", ...}) = 0
set_tid_address(0) = -1 ENOSYS (Function not implemented)
brk(0) = 0x8075de0
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=16394, ...}) = 0
old_mmap(NULL, 16394, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2334e000
close(3) = 0
open("/usr/lib/libapt-pkg-libc6.3-5.so.0", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\353\234"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1102914, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x23353000
old_mmap(0x9a5000, 963856, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x23354000
old_mmap(0x2343c000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xe7000) = 0x2343c000
close(3) = 0
open("/usr/lib/librpm-4.2.so", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\251"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=311200, ...}) = 0
old_mmap(0x6d0000, 360116, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x23440000
old_mmap(0x23489000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x48000) = 0x23489000
old_mmap(0x2348d000, 44724, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2348d000
close(3) = 0
open("/usr/lib/librpmdb-4.2.so", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\213"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=896092, ...}) = 0
old_mmap(0x5f0000, 907360, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x23498000
old_mmap(0x23570000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xd7000) = 0x23570000
old_mmap(0x23574000, 6240, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x23574000
close(3) = 0
open("/usr/lib/libelf.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\374\273"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=63908, ...}) = 0
old_mmap(0x93a000, 65392, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x23576000
old_mmap(0x23585000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xe000) = 0x23585000
close(3) = 0
open("/usr/lib/librpmio-4.2.so", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20a[\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=214008, ...}) = 0
old_mmap(0x5b0000, 251652, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x23586000
old_mmap(0x235b8000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x31000) = 0x235b8000
old_mmap(0x235bb000, 34564, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x235bb000
close(3) = 0
open("/usr/lib/libbeecrypt.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P\374\275"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=118520, ...}) = 0
old_mmap(0xbdb000, 120200, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x235c4000
old_mmap(0x235df000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x1a000) = 0x235df000
close(3) = 0
mprotect(0x5dcb1000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN) = -1 EINVAL (Invalid argument)
mprotect(0x5dcaa000, 32768, PROT_READ|PROT_WRITE|PROT_EXEC) = -1 ENOMEM (Cannot allocate memory)
mprotect(0x5dcae000, 16384, PROT_READ|PROT_WRITE|PROT_EXEC) = -1 ENOMEM (Cannot allocate memory)
mprotect(0x5dcb0000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC) = -1 EACCES (Permission denied)
writev(2, [{"apt-get", 7}, {": ", 2}, {"error while loading shared libra"..., 36}, {": ", 2}, {"libbeecrypt.so.6", 16}, {": ", 2}, {"cannot enable executable stack a"..., 56}, {": ", 2}, {"Permission denied", 17}, {"\n", 1}], 10apt-get: error while loading shared libraries: libbeecrypt.so.6: cannot enable executable stack as shared object requires: Permission denied
) = 141
exit_group(127) = ?
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm

Postby superbock » Fri Apr 16, 2004 12:19 pm

# readelf -e /usr/lib/libbeecrypt.so.6
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0xbdfc50
Start of program headers: 52 (bytes into file)
Start of section headers: 117480 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 4
Size of section headers: 40 (bytes)
Number of section headers: 26
Section header string table index: 25

Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] NULL 00000000 000000 000000 00 0 0 0
[ 1] .hash HASH 00bdb0b4 0000b4 000a20 04 A 2 0 4
[ 2] .dynsym DYNSYM 00bdbad4 000ad4 0017f0 10 A 3 1a 4
[ 3] .dynstr STRTAB 00bdd2c4 0022c4 00110d 00 A 0 0 1
[ 4] .gnu.version VERSYM 00bde3d2 0033d2 0002fe 02 A 2 0 2
[ 5] .gnu.version_r VERNEED 00bde6d0 0036d0 000060 00 A 3 2 4
[ 6] .rel.dyn REL 00bde730 003730 000410 08 A 2 0 4
[ 7] .rel.plt REL 00bdeb40 003b40 0005a0 08 A 2 9 4
[ 8] .init PROGBITS 00bdf0e0 0040e0 000017 00 AX 0 0 4
[ 9] .plt PROGBITS 00bdf0f8 0040f8 000b50 04 AX 0 0 4
[10] .text PROGBITS 00bdfc50 004c50 012b40 00 AX 0 0 16
[11] .fini PROGBITS 00bf2790 017790 00001b 00 AX 0 0 4
[12] .rodata PROGBITS 00bf27c0 0177c0 002ba8 00 A 0 0 32
[13] .eh_frame PROGBITS 00bf5368 01a368 000004 00 A 0 0 4
[14] .data PROGBITS 00bf6380 01a380 001d90 00 WA 0 0 32
[15] .dynamic DYNAMIC 00bf8110 01c110 0000d8 08 WA 3 0 4
[16] .ctors PROGBITS 00bf81e8 01c1e8 000008 00 WA 0 0 4
[17] .dtors PROGBITS 00bf81f0 01c1f0 000008 00 WA 0 0 4
[18] .jcr PROGBITS 00bf81f8 01c1f8 000004 00 WA 0 0 4
[19] .got PROGBITS 00bf81fc 01c1fc 000340 04 WA 0 0 4
[20] .bss NOBITS 00bf853c 01c53c 00004c 00 WA 0 0 4
[21] .gnu_debuglink PROGBITS 00000000 01c53c 000020 00 0 0 4
[22] .gnu.liblist GNU_LIBLIST 00000000 01c55c 000050 14 23 0 4
[23] .gnu.libstr STRTAB 00000000 01c5ac 000039 00 0 0 1
[24] .gnu.prelink_undo PROGBITS 00000000 01c5e8 000424 01 0 0 4
[25] .shstrtab STRTAB 00000000 01ca0c 0000d9 00 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings)
I (info), L (link order), G (group), x (unknown)
O (extra OS processing required) o (OS specific), p (processor specific)

Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x000000 0x00bdb000 0x00bdb000 0x1a36c 0x1a36c R E 0x1000
LOAD 0x01a380 0x00bf6380 0x00bf6380 0x021bc 0x02208 RW 0x1000
DYNAMIC 0x01c110 0x00bf8110 0x00bf8110 0x000d8 0x000d8 RW 0x4
STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4

Section to Segment mapping:
Segment Sections...
00 .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame
01 .data .dynamic .ctors .dtors .jcr .got .bss
02 .dynamic
03
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm

PT_GNU_STACK/make_stack_executable()

Postby PaX Team » Fri Apr 16, 2004 2:05 pm

you should have told me that it was NOT the exact same case as before ;-): "cannot enable executable stack" is a message from ld.so for a different reason than mere relocations. take a look at the readelf outputs: both have the STACK line (referring to the PT_GNU_STACK program header) with RWE access rights - that means that the given library wants an executable stack (well, more on this below) and ld.so tried to make the stack executable upon loading these libraries and that failed under PaX.

as for the remedies:

first, find out if these libraries really need an executable stack (=use nested functions). easiest is to use the binutils patch from the PaX page and check out the PT_PAX_FLAGS program header in the result (paxctl will report it), if that header is marked for EMUTRAMP then it is a legitimate request, otherwise it's a false positive.

for the first case you can either disable MPROTECT on all affected apps (not the libs), or patch your glibc the gentoo way and then enable EMUTRAMP on the affected apps (and in the kernel as well of course). my preference (short of rewriting the code and removing the nested functions) is the gentoo way as under PaX it essentially disables this ugly backdoor in ld.so while still letting everything run normally (make_stack_executable() is a nice target for exploits...).

for the latter case you have to relink your libraries with passing -z noexecstack to the linker (or -Wl,-z,noexecstack to gcc) or maybe try the execstack utility (should be part of prelink and FC1 as well).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby superbock » Fri Apr 16, 2004 3:43 pm

oops, i think i was mislead by a post redirection for this thread. nevertheless, it's still pertinent.

after your last post (tks, btw), i tried 3 approaches (in this order):

- paxctl -m on the binaries
- source recompile adding -z noexecstack to LDFLAGS, re-install
- execstack -c on lvm and beecrypt libs

execstack worked. Kinda weird the recompilation didn't, no?
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm

Postby PaX Team » Fri Apr 16, 2004 3:50 pm

superbock wrote:- paxctl -m on the binaries
you need paxctl only if you're using the patched binutils, otherwise chpax.
- source recompile adding -z noexecstack to LDFLAGS, re-install
did you verify the readelf output so that STACK is shown with RW access rights only?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby superbock » Fri Apr 16, 2004 4:11 pm

Now that u mention it, i remember thinking it was also weird that paxctl -v didn't return a thing, simply because i forgot to install your binutils..uhf. Anyway, considering it now works after using execstack, it's kinda irrelevant.

I did not re-check readelf's output. But i did see the the compilations output and i'm sure -z noexecstack was used. Is it still possible that this could not help at all?

Can i consider the use of execstack as a clean workaround for this?
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm

Next

Return to grsecurity support