Also, don't forget to add chpax (or at least mention it somewhere in the
book!). It's needed when you want to change PAX settings for precompiled
binaries which don't use the new PAX style ELF headers (e.g. Java,
precompiled MySQL, etc.)
Paxctl is in chapter 6. It's the last package, after udev. It gets run on
grub.
The paxctl man page says:
CAVEATS
The old PaX flag location and control method have been obsoleted,
if your kernel and binaries use it you have to use chpax(1) instead.
As far as I understand it, this means that chpax and paxctl operate on different
headers and are not the same (i.e. paxctl is NOT the new version of chpax).
e.g.:
--------------------------------------------------------------------------------
[EMAIL PROTECTED]:/tmp/j2sdk1.4.2_12/bin# ./java
Killed
[EMAIL PROTECTED]:/tmp/j2sdk1.4.2_12/bin# paxctl -m ./java
file ./java does not have a PT_PAX_FLAGS program header
[EMAIL PROTECTED]:/tmp/j2sdk1.4.2_12/bin# ./java
Killed
[EMAIL PROTECTED]:/tmp/j2sdk1.4.2_12/bin# chpax -m ./java
[EMAIL PROTECTED]:/tmp/j2sdk1.4.2_12/bin# ./java
Usage: java [-options] class [args...]
(to execute a class)
or java [-options] -jar jarfile [args...]
(to execute a jar file)
...
-esa | -enablesystemassertions
enable system assertions
-dsa | -disablesystemassertions
disable system assertions
--------------------------------------------------------------------------------
As can be seen, paxctl complains about the missing PT_PAX_FLAGS header and cannot set -m.
chpax can set -m, and java executes afterwards.
For the same reason it is important to set both the old AND new header types
in the PAX settings in the kernel so that both kinds are supported (as
recommended in the GRSecurity/PAX quickstart). When
programs are compiled on HLFS, the new kind of headers will always be used.
So I think one should at least put a note in the book about precompiled
binaries and chpax. Note: PAX works on precompiled binaries in the same way
as on self-compiled ones. It's just SSP which is missing. So binaries are still
protected by PAX/GRSecurity.
Sebastian Faulborn
Homepage: http://www.secure-slinux.org
--
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
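The distinction above (paxctl needs a PT_PAX_FLAGS program header, chpax is the fallback for binaries without one) can be checked before touching a binary. This is an added example, not code from the mail or from the paxctl/chpax projects: it parses the ELF64 program header table, reports whether the new-style header is present, and decodes its flags. The PT_PAX_FLAGS value and the flag bits are taken from PaX's definitions as mirrored in the Linux kernel's elf.h and are stated here as an assumption; the two ELF images are constructed inline as test input.

```python
import struct

# Assumed PaX constants (mirrored in the Linux kernel's uapi elf.h); verify
# against your own headers if in doubt.
PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580: the "new style" PaX program header
PAX_BITS = {               # (enable bit, disable bit) in p_flags per option
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),    # "paxctl -m" sets the disable bit
    "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}

def find_pax_flags(elf):
    """Return p_flags of the PT_PAX_FLAGS header, or None when the binary has
    none (the java case above: paxctl fails, only chpax can help).
    Little-endian ELF64 only."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)          # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None

def describe(p_flags):
    """Map p_flags to {option: 'enabled' | 'disabled' | 'default'}."""
    return {name: "enabled" if p_flags & on else "disabled" if p_flags & off else "default"
            for name, (on, off) in PAX_BITS.items()}

def make_elf(phdrs):
    """Constructed test input: a minimal (non-runnable) ELF64 image that is just
    an ELF header followed by a program header table built from (p_type, p_flags)."""
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body

# Constructed samples: one built with the new header (MPROTECT off, RANDMMAP on),
# one like the precompiled java above with only a PT_LOAD segment.
NEW_STYLE = make_elf([(1, 5), (PT_PAX_FLAGS, PAX_BITS["MPROTECT"][1] | PAX_BITS["RANDMMAP"][0])])
OLD_STYLE = make_elf([(1, 5)])

if __name__ == "__main__":
    for label, img in (("new-style", NEW_STYLE), ("old-style", OLD_STYLE)):
        flags = find_pax_flags(img)
        print(label, "-> no PT_PAX_FLAGS, use chpax" if flags is None else describe(flags))
```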