On Tue, Jun 23, 2020 at 10:39:26AM -0700, Christian Kujau wrote: > Hi, > > exactly this[0] happened today, on a 5.6.5 kernel: > > process '/usr/bin/rsync' started with executable stack > > But I can't reproduce this message, and rsync (v3.2.0, not exactly > abandonware) runs several times a day, so to repeat Andrew's questions[0] > from last year: > > > What are poor users supposed to do if this message comes out? > > Hopefully google the message and end up at this thread. What do you > > want to tell them? > > Also, the PID is missing from that message.
That's intentional. I for one hate pids. > I had some long running rsync > processes running earlier, maybe the RWE status would have been visible in > /proc/$PID/map, or somewhere else maybe? If you think process is still running, /proc/*/maps should have 'rwxp' indeed. You can do quick $ grep -e '\[stack\]' /proc/*/maps' to find it. > $ checksec --format=json --extended --file=`which rsync` | jq > { > "/usr/bin/rsync": { > "relro": "full", > "canary": "yes", > "nx": "no", > "pie": "yes", > "clangcfi": "no", > "safestack": "no", > "rpath": "no", > "runpath": "no", > "symbols": "no", > "fortify_source": "yes", > "fortified": "10", > "fortify-able": "19" > } > } $ readelf -l /usr/bin/rsync | grep GNU_STACK -A1 GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000 RW 0x10