Announcing security hardened kernels for testing
John Richard Moser
nigelenki at comcast.net
Fri Jan 7 11:44:01 CST 2005
-----BEGIN PGP SIGNED MESSAGE-----
Markus Kolb wrote:
| Martin Pitt wrote on Tue, Jan 04, 2005 at 16:16:55 +0100:
|>Hello to all security addicts out there!
|> - Some programs (most notably X.org and OpenOffice.org) still rely on
|> executing writeable memory, so the PaX protection has to be
|> disabled for them. You have to install the "chpax" package and
|> execute the following commands before everything will work:
| Any ideas how long the list of "some" programs might be?
| I could get bad experience some time ago.
The list of things that break is very short. There's a cryptic
configuration file somewhere. . .
The section of that about execstack is because Debian's glibc and kernel
don't ignore PT_GNU_STACK like they should, and so they complain when
they can't mprotect() crap on load, i.e. stack -> PROT_EXEC | PROT_WRITE.
Pretty self explanitory to any hacker. Just need to be able to read
bash and make the logical connection between the table at the top and
the EXEMPT settings at the bottom. The script is pax-mark in the same
It's a policy change, so things are gonna break. Suddenly doors are
locked that weren't locked before, and people are grabbing the knob and
walking face first into them :)
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the ubuntu-devel