rs wrote: Now that Debian 4.0 is out and remembering past issues with "Sid"
(related to the new glibc that was introduced back in time),

Actually, that was NOT glibc itself, but some libraries with PT_GNU_STACK
RWE (for no good reason). The "fix" was to execstack -c them (or modify
build scripts to pass -Wa,--noexecstack to assembler).

I'm wondering if somebody is using grsecurity with the recent version
4.0 of Debian.

Yes.

Any known issues related to Grsec?

You might need to execstack -c several libraries which request executable
stack for no good reason, and paxctl -cm some apps (LISP systems, Java
compilers, emulators like qemu and wine) which do need writable executable
mappings.

Are the different executables in 4.0 compiled with the necessary flag
to avoid past problems with PAX?

In general, Debian does not care to support PAX/grsec, but typically
maintainers do accept patches. So some of the libraries have been fixed,
see e.g.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=321721
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=323944
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=321748
But some still have wrong PT_GNU_STACK markers (for instance, libxvidcore),
so execstack -c is your friend.

Is it safe to migrate a Debian 3.0 with PAX/Grsec to Debian 4.0 (also
with PAX/Grsec, of course)?

It worked for me (TM).
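
An added example, not part of the original post: a small checker that reads the PT_GNU_STACK program header of ELF files and lists those whose marker carries the execute bit (RWE), i.e. the candidates for execstack -c mentioned above. The function names and the constructed sample image are this example's own; a file with no marker at all is also listed, on the assumption that the kernel then applies its own default and the file deserves a look.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header type that carries the stack permissions
PF_X = 0x1                 # execute bit in p_flags (RWE = 7, RW = 6)

def gnu_stack_flags(elf: bytes):
    """Return p_flags of the PT_GNU_STACK header, or None if there is no marker."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"     # EI_DATA: 1 = little endian, 2 = big endian
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(phnum):
        off = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, off)
        if p_type == PT_GNU_STACK:
            # p_flags directly follows p_type in ELF64; in ELF32 it is at offset 24
            return struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))[0]
    return None

def wants_exec_stack(elf: bytes) -> bool:
    """True if the marker has the execute bit, or is absent (kernel default applies)."""
    flags = gnu_stack_flags(elf)
    return flags is None or bool(flags & PF_X)

def sample_elf64(flags: int) -> bytes:
    """Constructed input: ELF64 little-endian header plus one PT_GNU_STACK entry."""
    ehdr = bytearray(64)
    ehdr[:6] = b"\x7fELF\x02\x01"
    struct.pack_into("<Q", ehdr, 0x20, 64)       # e_phoff: table right after header
    struct.pack_into("<HH", ehdr, 0x36, 56, 1)   # e_phentsize, e_phnum
    return bytes(ehdr) + struct.pack("<II", PT_GNU_STACK, flags) + bytes(48)

if __name__ == "__main__":
    for path in sys.argv[1:]:                    # e.g. /usr/lib/*.so*
        try:
            with open(path, "rb") as f:
                if wants_exec_stack(f.read()):
                    print(path)                  # candidate for review / execstack -c
        except (ValueError, IndexError, struct.error, OSError):
            continue                             # not ELF, truncated, or unreadable
```

Run it with library paths as arguments; each printed path is a file to inspect before clearing its marker.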