Announcing security hardened kernels for testing

John Richard Moser nigelenki at
Fri Jan 7 11:42:32 CST 2005


Mike Hearn wrote:
| On Tue, 04 Jan 2005 18:49:53 -0200, Gustavo Franco wrote:
|>I'm not sure that recent bug fixing on wine changed the situation
|>about PaX, I'm not using it now. About PaX and exec-shield different
|>approaches i recommend this debian-devel thread:
| I see. It's quite clear from the PaX author's comments that he doesn't
| consider backwards compatibility to be important at all, which probably
| makes these patches nearly unsupportable in Wine. I hope it's not
| integrated with any mainstream distribution (of course if you want to run
| "Hardened Ubuntu" then great, pick your poison :)

There's very little that's actually affected.  There are ways to mark
binaries to not be controlled by PaX, to support them until they can be

PaX is better at emulating an NX bit on 32 bit architectures than Exec
Shield, and doesn't have any live exploits that I'm aware of (spender
has at least one for ES, but he sold it to a security firm).

The list of things that break is very short.  There's a cryptic
configuration file somewhere. . .

The section of that about execstack is because Debian's glibc and kernel
don't ignore PT_GNU_STACK like they should, and so they complain when
they can't mprotect() crap on load, i.e. stack -> PROT_EXEC | PROT_WRITE.

Pretty self-explanatory to any hacker.  Just need to be able to read
bash and make the logical connection between the table at the top and
the EXEMPT settings at the bottom.  The script is pax-mark in the same

-- 
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
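The PT_GNU_STACK complaint described in the message above comes down to a single program header that the loader consults before deciding whether the stack gets PROT_EXEC. The following is an added example, not code from the original post, the ubuntu-devel thread or the PaX project: it parses an in-memory ELF64 image, reports the PT_GNU_STACK flags, and classifies whether the binary asks for an executable stack. The image is constructed inline (not a real binary) so the check runs anywhere; the assumption that a missing PT_GNU_STACK header historically means "executable stack" on x86 is the loader default this example encodes, not something the message states.

```c
/* Added example (not from the original mailing-list post): audit an ELF64
 * image for its PT_GNU_STACK program header, the flag glibc and the kernel
 * use to decide whether the stack is mapped PROT_EXEC | PROT_WRITE. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes for gnu_stack_flags(). */
enum { STACK_NO_HEADER = 0, STACK_HEADER_FOUND = 1, STACK_BAD_IMAGE = -1 };

/* Scan the program headers of a little-endian ELF64 image held in memory.
 * On success the PT_GNU_STACK p_flags are stored in *flags. */
int gnu_stack_flags(const unsigned char *buf, size_t len, uint32_t *flags)
{
    if (len < sizeof(Elf64_Ehdr) || memcmp(buf, ELFMAG, SELFMAG) != 0)
        return STACK_BAD_IMAGE;
    if (buf[EI_CLASS] != ELFCLASS64 || buf[EI_DATA] != ELFDATA2LSB)
        return STACK_BAD_IMAGE;
    Elf64_Ehdr eh;
    memcpy(&eh, buf, sizeof eh);
    if (eh.e_phentsize != sizeof(Elf64_Phdr))
        return STACK_BAD_IMAGE;
    /* Bounds check: every program header must lie inside the buffer. */
    if (eh.e_phoff > len ||
        (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return STACK_BAD_IMAGE;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) {
            *flags = ph.p_flags;
            return STACK_HEADER_FOUND;
        }
    }
    return STACK_NO_HEADER;
}

/* Returns 1 if the image asks for an executable stack (PT_GNU_STACK carries
 * PF_X, or the header is absent, which the x86 loader has historically
 * treated as "executable stack"; that default is an assumption here),
 * 0 if it asks for a non-executable stack, -1 for a malformed image. */
int wants_exec_stack(const unsigned char *buf, size_t len)
{
    uint32_t flags = 0;
    int rc = gnu_stack_flags(buf, len, &flags);
    if (rc == STACK_BAD_IMAGE)
        return -1;
    if (rc == STACK_NO_HEADER)
        return 1;
    return (flags & PF_X) ? 1 : 0;
}

/* Build a constructed (not real) ELF64 image holding exactly one
 * PT_GNU_STACK header with the given flags into the caller's buffer.
 * Returns the image length, or 0 if the buffer is too small. */
size_t build_image(uint32_t stack_flags, unsigned char *out, size_t cap)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph;
    size_t total = sizeof eh + sizeof ph;
    if (cap < total)
        return 0;
    memset(&eh, 0, sizeof eh);
    memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = 1;
    ph.p_type = PT_GNU_STACK;
    ph.p_flags = stack_flags;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    return total;
}

int main(void)
{
    unsigned char img[256];
    size_t n = build_image(PF_R | PF_W | PF_X, img, sizeof img);
    printf("RWX stack requested: %d\n", wants_exec_stack(img, n));
    n = build_image(PF_R | PF_W, img, sizeof img);
    printf("RW stack requested:  %d\n", wants_exec_stack(img, n));
    return 0;
}
```

To run the same check against a real binary, read the file into a buffer and call wants_exec_stack() on it; a result of 1 is the case the message describes, where the loader will try to mprotect() the stack PROT_EXEC | PROT_WRITE and a PaX kernel with MPROTECT enabled refuses, which is exactly the binary that needs a PaX exemption mark or a rebuild without an executable stack.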
