Hello guys
I heard on the Ubuntu forums that certain parts of X.Org still execute stuff off the stack so I should chpax -sp it. I'm reluctant to do this unless I really have to, and X seems to work okay.
Do you really need to chpax X??
harrygittens wrote:
I heard on the Ubuntu forums that certain parts of X.Org still execute
stuff off the stack so I should chpax -sp it. I'm reluctant to do this
unless I really have to, and X seems to work okay.
Do you really need to chpax X??
$ chpax -v /usr/bin/Xorg
----[ chpax 0.7 : Current flags for /usr/bin/Xorg (PeMRxS) ]----
* Paging based PAGE_EXEC : enabled (overridden)
* Trampolines : not emulated
* mprotect() : restricted
* mmap() base : randomized
* ET_EXEC base : not randomized
* Segmentation based PAGE_EXEC : enabled
$ dpkg -l xserver-xorg-core
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-=================-==============-============================================
ii xserver-xorg-core 1.1.1-17 X.Org X server -- core server
first, don't use chpax, use paxctl (even if your binutils is not patched, the -C option should work on most binaries). second, X.org servers since 6.9/7.0 don't need any special treatment as they use the ELF module loader which is compatible with PaX (even older servers will work fine if linked statically or configured for the ELF loader). third, there're certain binary drivers (like nvidia) whose GL implementation relies on runtime code generation, that means that any app linking against their libGL needs paxctl -m.