Announcing security hardened kernels for testing

John Richard Moser nigelenki at comcast.net
Fri Jan 7 11:42:32 CST 2005


Mike Hearn wrote:
| On Tue, 04 Jan 2005 18:49:53 -0200, Gustavo Franco wrote:
|
|>I'm not sure that recent bug fixing on wine changed the situation
|>about PaX, I'm not using it now. About PaX and exec-shield different
|>approaches I recommend this debian-devel thread:
|>http://lists.debian.org/debian-devel/2003/11/msg00206.html
|
|
| I see. It's quite clear from the PaX author's comments that he doesn't
| consider backwards compatibility to be important at all, which probably
| makes these patches nearly unsupportable in Wine. I hope it's not
| integrated with any mainstream distribution (of course if you want to run
| "Hardened Ubuntu" then great, pick your poison :)
|
|

There's very little that's actually affected.  There are ways to mark
binaries to not be controlled by PaX, to support them until they can be
rewritten.

PaX is better at emulating an NX bit on 32 bit architectures than Exec
Shield, and doesn't have any live exploits that I'm aware of (spender
has at least one for ES, but he sold it to a security firm).

The list of things that break is very short.  There's a cryptic
configuration file somewhere. . .

http://d-sbd.alioth.debian.org/www/pax/pax.conf

The section of that about execstack is because Debian's glibc and kernel
don't ignore PT_GNU_STACK like they should, and so they complain when
they can't mprotect() crap on load, i.e. stack -> PROT_EXEC | PROT_WRITE.

Pretty self explanatory to any hacker.  Just need to be able to read
bash and make the logical connection between the table at the top and
the EXEMPT settings at the bottom.  The script is pax-mark in the same
directory.

--
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
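The PT_GNU_STACK check the message alludes to, as an added example that is not part of the original thread or of the pax.conf tooling: a C routine that walks an ELF64 image's program headers and reports whether the binary asks the loader for an executable stack, which is the case glibc honours by mprotect()ing the stack PROT_EXEC | PROT_WRITE at load and the case PaX refuses. Auditing binaries this way before enabling PaX tells you which ones need pax-mark exemptions or a rebuild. The image inspected here is constructed in memory from headers only; it is not a real binary.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PT_GNU_STACK p_flags of an in-memory ELF64 image; -1 if the header is absent
 * (glibc then treats the stack as executable), -2 if not a well-formed ELF64. */
int gnu_stack_flags(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -2;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_phentsize != sizeof(Elf64_Phdr))
        return -2;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        uint64_t off = eh.e_phoff + (uint64_t)i * sizeof(Elf64_Phdr);
        if (off + sizeof(Elf64_Phdr) > len) return -2;   /* truncated program header table */
        Elf64_Phdr ph;
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) return (int)ph.p_flags;
    }
    return -1;
}

/* Constructed ELF64 image (headers only, not a real binary): one PT_LOAD plus an
 * optional PT_GNU_STACK with the given flags. Returns bytes written (<= 176). */
size_t build_image(unsigned char *buf, int with_stack_hdr, uint32_t flags)
{
    Elf64_Ehdr eh = {0};
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = with_stack_hdr ? 2 : 1;
    Elf64_Phdr ph[2] = { { .p_type = PT_LOAD, .p_flags = PF_R | PF_X },
                         { .p_type = PT_GNU_STACK, .p_flags = flags } };
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, eh.e_phnum * sizeof(Elf64_Phdr));
    return sizeof eh + eh.e_phnum * sizeof(Elf64_Phdr);
}

int check_image(int with_stack_hdr, uint32_t flags)   /* build a constructed image and classify it */
{
    unsigned char img[256];
    return gnu_stack_flags(img, build_image(img, with_stack_hdr, flags));
}
```

A result with PF_X set (PF_R | PF_W | PF_X is what a toolchain emits for a binary needing an executable stack) is the binary pax.conf's execstack section exists for; -1 means the header is missing, which older loaders also treat as executable.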




More information about the ubuntu-devel mailing list