Announcing security hardened kernels for testing

John Richard Moser nigelenki at
Fri Jan 7 11:44:01 CST 2005

Markus Kolb wrote:
| Martin Pitt wrote on Tue, Jan 04, 2005 at 16:16:55 +0100:
|>Hello to all security addicts out there!
| [...]
|> - Some programs (most notably and still rely on
|>   executing writeable memory, so the PaX protection has to be
|>   disabled for them. You have to install the "chpax" package and
|>   execute the following commands before everything will work:
| Any ideas how long the list of "some" programs might be?
| I could get bad experience some time ago.

The list of things that break is very short.  There's a cryptic
configuration file somewhere. . .

The section of that about execstack is because Debian's glibc and kernel
don't ignore PT_GNU_STACK like they should, and so they complain when
they can't mprotect() crap on load, i.e. stack -> PROT_EXEC | PROT_WRITE.

Pretty self-explanatory to any hacker.  Just need to be able to read
bash and make the logical connection between the table at the top and
the EXEMPT settings at the bottom.  The script is pax-mark in the same

It's a policy change, so things are gonna break.  Suddenly doors are
locked that weren't locked before, and people are grabbing the knob and
walking face first into them :)

| Markus

--
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.


