On Thu, Jul 14, 2011 at 10:29 AM, Markus Oehme <[email protected]> wrote:
> Hi Anthony,
>
> At Thu, 14 Jul 2011 09:41:48 -0400,
> Anthony G. Basile wrote:
>> It looks like you missed something in the process. The steps to
>> converting are (skipping details):
>>
>> 1) switch profile
>> 2) recompile the toolchain: emerge glibc gcc binutils
>> 3) recompile system: emerge -e system
>> 4) recompile world: emerge -e world
>
> I did execute all steps in this order and rebuilt all packages. Just now I
> did some tries and recompiled some of the packages which fail. However this
> changed nothing.
>
> One thing that should possibly be said: I'm using gcc-4.6.1. I was using gcc
> 4.6.0 for quite some time on ~amd64 ere I switched to hardened last week. I
> didn't encounter any special problems during the transition.
>
>> If you didn't do these, it's possible you have some binaries left that
>> will trigger pax violations.
>>
>> One way to quickly check if you got hardened binaries is to use a script
>> called checksec.sh [1] and run it on /bin or /sbin. You should see that
>> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.
>
> I just executed the script for /bin and the result [1] was very mixed. Nearly
> all binaries have FULL RELRO and PIE, but most have no STACK CANARY and NX. I
> checked whether this could be changed and rebuilt coreutils twice, but the
> output was the same every time.
>
> However this seems not to be a big problem since the system is currently
> running normally (Xfce desktop session) with my current list [2] of exceptions
> to mprotect which contains only binaries under /usr.
>
> Thanks for the advice.
>
> Markus
>
> [1]
>
> RELRO           STACK CANARY      NX            PIE           FILE
> Full RELRO      Canary found      NX enabled    PIE enabled   /bin/attr
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/basename
> Full RELRO      Canary found      NX enabled    PIE enabled   /bin/bash
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/bsdcpio
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/bsdtar
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/btrfs-debug-tree
> Partial RELRO   No canary found   NX disabled   No PIE        /bin/busybox
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/bzip2
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/cat
> Full RELRO      Canary found      NX enabled    PIE enabled   /bin/chacl
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/chgrp
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/chmod
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/chown
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/chroot
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/cp
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/cpio
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/cut
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/date
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/dd
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/df
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/dir
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/dirname
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/dmesg
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/du
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/echo
> Full RELRO      Canary found      NX enabled    PIE enabled   /bin/ed
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/egrep
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/env
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/expr
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/false
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/fgrep
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/findmnt
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/fuser
> Full RELRO      Canary found      NX enabled    PIE enabled   /bin/gawk
> Full RELRO      Canary found      NX enabled    PIE enabled   /bin/getfacl
> Full RELRO      Canary found      NX enabled    PIE enabled   /bin/getfattr
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/grep
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/groups
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/gzip
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/head
> Full RELRO      Canary found      NX enabled    PIE enabled   /bin/hostname
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/kill
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/ln
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/login
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/ls
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/lsblk
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/lsmod
> Full RELRO      Canary found      NX enabled    PIE enabled   /bin/mail
> Full RELRO      Canary found      NX enabled    PIE enabled   /bin/mbchk
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/mkdir
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/mkfifo
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/mknod
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/mktemp
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/more
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/mount
> Full RELRO      Canary found      NX enabled    PIE enabled   /bin/mountpoint
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/mv
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/nano
> Full RELRO      Canary found      NX enabled    PIE enabled   /bin/netstat
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/passwd
> Full RELRO      Canary found      NX enabled    PIE enabled   /bin/ping
> Full RELRO      Canary found      NX enabled    PIE enabled   /bin/ping6
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/ps
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/pwd
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/readlink
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/rm
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/rmdir
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/run-parts
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/sed
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/seq
> Full RELRO      Canary found      NX enabled    PIE enabled   /bin/setfacl
> Full RELRO      Canary found      NX enabled    PIE enabled   /bin/setfattr
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/sleep
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/sort
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/stty
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/su
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/sync
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/tail
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/tar
> Full RELRO      Canary found      NX enabled    PIE enabled   /bin/tcsh
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/tempfile
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/touch
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/tr
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/true
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/tty
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/umount
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/uname
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/vdir
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/wc
> Full RELRO      No canary found   NX disabled   PIE enabled   /bin/yes
> Full RELRO      Canary found      NX enabled    PIE enabled   /bin/zsh
> Full RELRO      Canary found      NX enabled    PIE enabled   /bin/zsh-4.3.12
>
> [2]
>
> /usr/bin/emacs-23
> /usr/bin/gkrellm
> /usr/bin/perl
> /usr/bin/python2.7
> /usr/bin/spamc
> /usr/bin/ssh
> /usr/bin/sudo
> /usr/bin/Terminal
> /usr/bin/xchat
> /usr/bin/xfce4-mixer
> /usr/bin/xfce4-panel
> /usr/bin/xfce4-session
> /usr/bin/xfce4-session-logout
> /usr/bin/xfconf-query
> /usr/bin/xfdesktop
> /usr/bin/Xorg
> /usr/bin/xscreensaver
> /usr/games/bin/enigma
> /usr/lib64/courier/courier-authlib/authdaemond
> /usr/lib64/xfce4/xfconf/xfconfd
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1plus
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/lto1
> /usr/libexec/git-core/git
> /usr/libexec/polkitd
> /usr/libexec/udisks-daemon
> /usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
> /usr/sbin/collectd
> /usr/sbin/console-kit-daemon
>
> --
> Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
> are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
> rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
> csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
> but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.
>
Hi there,

What is the output of gcc-config -l? You should see something like the
following (versions will be different).

[1] x86_64-pc-linux-gnu-4.4.5 *
[2] x86_64-pc-linux-gnu-4.4.5-hardenednopie
[3] x86_64-pc-linux-gnu-4.4.5-hardenednopiessp
[4] x86_64-pc-linux-gnu-4.4.5-hardenednossp
[5] x86_64-pc-linux-gnu-4.4.5-vanilla

The asterisk will be next to the one you have selected, which in this case
is the first in the list (it is hardened).

Cheers
-- 
M. Summers
"...there are no rules here -- we're trying to accomplish something." - Thomas A. Edison
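The checksec.sh run quoted in the thread (RELRO, STACK CANARY, NX and PIE per binary) can be reproduced without the script, which is useful for understanding what each column actually tests in the ELF file. The following is an added example, not part of this thread and not the code of checksec.sh: a small Python checker that reads the ELF headers directly and applies the same criteria checksec.sh derives from readelf. It assumes 64-bit little-endian ELF files only; the canary check is a heuristic (it searches the image for the `__stack_chk_fail` symbol name rather than walking the symbol table), and `build_sample_elf` is a constructed, non-runnable minimal image used only so the checker can be exercised offline.

```python
"""Minimal checksec.sh-style audit of ELF hardening flags (added example)."""
import struct
import sys
from pathlib import Path

# ELF constants (values from the ELF64 specification / glibc elf.h)
ET_DYN = 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DF_BIND_NOW = 0x8
DT_FLAGS_1 = 0x6FFFFFFB
DF_1_NOW = 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def checksec(data: bytes) -> dict:
    """Return RELRO / canary / NX / PIE verdicts for one ELF image,
    using the same criteria checksec.sh derives from readelf output."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]

    # NX: PT_GNU_STACK must exist and must not carry PF_X; without the
    # segment the kernel falls back to an executable stack.
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0][1] & PF_X)

    # RELRO: PT_GNU_RELRO alone is partial RELRO; BIND_NOW in the dynamic
    # section makes it full RELRO (the GOT is read-only after relocation).
    relro = "No RELRO"
    if any(p[0] == PT_GNU_RELRO for p in phdrs):
        relro = "Partial RELRO"
        for dyn in (p for p in phdrs if p[0] == PT_DYNAMIC):
            off, size = dyn[2], dyn[5]
            for i in range(size // DYN.size):
                tag, val = DYN.unpack_from(data, off + i * DYN.size)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    relro = "Full RELRO"

    # Stack canary: a protected binary imports __stack_chk_fail. checksec.sh
    # greps `readelf -s` for that name; scanning the image for the string
    # (it sits in .dynstr when imported) is the simpler heuristic used here.
    canary = b"__stack_chk_fail" in data

    # PIE: position-independent executables are linked as ET_DYN.
    # Shared libraries are ET_DYN too, so a .so also reports as PIE here.
    pie = e_type == ET_DYN
    return {"relro": relro, "canary": canary, "nx": nx, "pie": pie}


def report(path) -> str:
    """One checksec.sh-style output line for the file at `path`."""
    r = checksec(Path(path).read_bytes())
    return "%-16s%-18s%-14s%-14s%s" % (
        r["relro"], "Canary found" if r["canary"] else "No canary found",
        "NX enabled" if r["nx"] else "NX disabled",
        "PIE enabled" if r["pie"] else "No PIE", path)


def build_sample_elf(pie=True, nx=True, relro="Full RELRO", canary=True) -> bytes:
    """Constructed minimal ELF64 image (headers only, not runnable) so the
    checker can be exercised offline without touching real system binaries."""
    phnum = 2 + (relro != "No RELRO")
    dyn_off = EHDR.size + PHDR.size * phnum
    dynamic = DYN.pack(DT_FLAGS, DF_BIND_NOW) if relro == "Full RELRO" else b""
    dynamic += DYN.pack(DT_NULL, 0)
    strtab = b"\0__stack_chk_fail\0" if canary else b"\0"
    stack_flags = 0x6 if nx else 0x7  # PF_R|PF_W, plus PF_X for an exec stack
    phdrs = [PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16),
             PHDR.pack(PT_DYNAMIC, 0x6, dyn_off, dyn_off, dyn_off,
                       len(dynamic), len(dynamic), 8)]
    if relro != "No RELRO":
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 0x4, dyn_off, dyn_off, dyn_off,
                               len(dynamic), len(dynamic), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + bytes(7)
    ehdr = EHDR.pack(ident, ET_DYN if pie else 2, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 64, 0, 0)
    return ehdr + b"".join(phdrs) + dynamic + strtab


if __name__ == "__main__":
    # Usage: python checksec_min.py /bin/*  (no arguments: check the sample image)
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            print(report(path))
    else:
        print(checksec(build_sample_elf()))
```

Run against /bin the way the quoted checksec.sh run was, this prints one line per file in the same column layout; a row showing "No canary found" together with "NX disabled" means the binary has no PT_GNU_STACK segment without PF_X and imports no __stack_chk_fail, which is what a non-hardened compiler profile (see the gcc-config output above) produces.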
