grsecurity forums

[bollin]

Hello,

I have applied the kernel patch for a vanilla kernel 2.6.7 on my Debian system and enabled the pax and grsecurity options. After rebooting paxtest still tells me that my system is vulnerable. What do i have to do to enable pax?

Best Regards,
Torsten

[PaX Team]

I have applied the kernel patch for a vanilla kernel 2.6.7 on my Debian system and enabled the pax and grsecurity options. After rebooting paxtest still tells me that my system is vulnerable. What do i have to do to enable pax?

you didn't post the specific options you enabled, but i take a wild guess and say that you chose the PT_PAX_FLAGS marking while your toolchain (binutils/ld) doesn't provide it and you didn't enable the legacy EI_PAX marking support. either read the kernel config help or search the forum for more info. if it's something else, then please post more details (kernel .config bits, readelf -e output on paxtest binaries, etc).

[bollin]

you didn't post the specific options you enabled, but i take a wild guess and say that you chose the PT_PAX_FLAGS marking while your toolchain (binutils/ld) doesn't provide it and you didn't enable the legacy EI_PAX marking support.

PT_PAX_FLAGS was missing. Unfortunately my system does not boot now. First it failed during starting hotplug. After disabling pax on /bin/bash it fails somewhere else during the boot phase.

Thanks for helping,
Torsten

[PaX Team]

PT_PAX_FLAGS was missing. Unfortunately my system does not boot now. First it failed during starting hotplug. After disabling pax on /bin/bash it fails somewhere else during the boot phase.

as a debian user you'll also need a fixed glibc, probably the best is to use the one with spender's security fixes, details are in the 2.0.1 release announcement: http://grsecurity.net/pipermail/grsecurity/2004-August/000024.html