ls no longer works in debian: ls: error while loading shared

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Re: ls no longer works in debian: ls: error while loading sh

Postby PaX Team » Sun Jun 03, 2007 5:37 am

mikeeusa wrote:ls: error while loading shared libraries: libacl.so.1: cannot enable executable stack as shared object requires: Permission denied

What do I do?
let me see... do you notice that awesome google powered editbox at the top of the page? i hear it can give you answers, provided you try at all. little things like http://forums.grsecurity.net/viewtopic.php?t=673 or http://forums.grsecurity.net/viewtopic.php?t=933 or http://forums.grsecurity.net/viewtopic.php?t=1152 (a familiar face inside ;-) or http://forums.grsecurity.net/viewtopic.php?p=3136 or http://forums.grsecurity.net/viewtopic.php?t=933.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby Alexei.Sheplyakov » Sun Jun 10, 2007 12:43 pm

mikeeusa wrote:Ok I'm reading through those but I don't want to disable mprotect


Actually, there is no need for disabling it.

Code: Select all
$ cat /etc/debian_version
4.0
$ grep -e 'PAX.*=y' /boot/config-`uname -r`
CONFIG_PAX=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_HAVE_ACL_FLAGS=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_UDEREF=y


mikeeusa wrote:ls: error while loading shared libraries: libacl.so.1: cannot enable executable stack as shared object requires: Permission denied


Interesting.

Code: Select all
$ dpkg -S /lib/libacl.so.1
libacl1: /lib/libacl.so.1
$ aptitude download libacl1
Reading package lists...
Building dependency tree...
Reading extended state information...
Initializing package states...
Building tag database...
Get:1 http://thproxy.jinr.ru etch/main libacl1 2.2.41-1 [15,0kB]
Fetched 15,0kB in 0s (541kB/s)
$ dpkg-deb -x libacl1_2.2.41-1_i386.deb check
$ execstack check/lib/libacl.so.1.1.0
- check/lib/libacl.so.1.1.0


Probably you've done partial upgrade only, and there are some libraries
from Sarge without proper PT_GNU_STACK marker (or without any PT_GNU_STACK
marker at all).

mikeeusa wrote:(also note: I try to use gradm... and it worked fine before the debian update).


Could you please be more specific? What was "good" and "bad" versions?

mikeeusa wrote:What are the libs I need to de-mprotect and what commands do I need to do that


Install the `prelink' package and use `execstack' utility to find out.

Code: Select all
find /lib /usr/lib -name '*.so.*.*.*' | xargs execstack | grep -v '^'


Most libraries do not use executable stack, so you could turn it off
completely:

Code: Select all
find /lib /usr/lib -name '*.so.*.*.*' | xargs execstack | \
grep -v '^' | xargs -n 1 execstack -c


and enable executable stack for programs/libraries which need it (mostly
LISP/Java/... runtimes, emulators, and some proprietary X drivers).

mikeeusa wrote:Why is debian and friends working against us?


They aren't. Most maintainers readily accept patches which make their
packages run correctly on grsecurity (SELinux, execshield, etc) systems,
see e.g.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=323944
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=321748
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=321721
Alexei.Sheplyakov
 
Posts: 53
Joined: Sun Feb 19, 2006 11:48 am


Return to grsecurity support

cron