Announcing security hardened kernels for testing

John Richard Moser nigelenki at comcast.net
Fri Jan 7 17:44:01 UTC 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Markus Kolb wrote:
| Martin Pitt wrote on Tue, Jan 04, 2005 at 16:16:55 +0100:
|
|>Hello to all security addicts out there!
|
|
| [...]
|
|> - Some programs (most notably X.org and OpenOffice.org) still rely on
|>   executing writeable memory, so the PaX protection has to be
|>   disabled for them. You have to install the "chpax" package and
|>   execute the following commands before everything will work:
|>
|
|
| Any ideas how long the list of "some" programs might be?
|
| I had a bad experience some time ago.
|

The list of things that break is very short.  There's a cryptic
configuration file somewhere...

http://d-sbd.alioth.debian.org/www/pax/pax.conf

The section of that about execstack is because Debian's glibc and kernel
don't ignore PT_GNU_STACK like they should, and so they complain when
they can't mprotect() crap on load, i.e. stack -> PROT_EXEC | PROT_WRITE.

Pretty self-explanatory to any hacker.  Just need to be able to read
bash and make the logical connection between the table at the top and
the EXEMPT settings at the bottom.  The script is pax-mark in the same
directory.


It's a policy change, so things are gonna break.  Suddenly doors are
locked that weren't locked before, and people are grabbing the knob and
walking face first into them :)

| Markus
|

- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB3spghDd4aOud5P8RAmcUAJ9AqwxLRXOSBn3KA3maJMYenvyy+ACffdeX
RAnN1UMghIDpkV9yRQCQcXQ=
=kf4H
-----END PGP SIGNATURE-----
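The message above turns on the PT_GNU_STACK program header: if a binary (or a shared object it loads) asks for an executable stack, the loader will try to mprotect() the stack PROT_READ|PROT_WRITE|PROT_EXEC, and PaX MPROTECT refuses that, so the program has to be added to the EXEMPT list in pax.conf. The following is an added example, not code from the thread, from pax.conf or from the pax-mark script: a small ELF program-header parser that reports what a given binary requests, the same information `readelf -l` prints on the GNU_STACK line. The sample ELF images it checks are constructed inline (a bare ELF64 header plus a PT_LOAD and optional PT_GNU_STACK entry, not a real executable), so it runs offline; on a real system you would point it at the files named in pax.conf. One caveat the parser makes explicit: when the header is absent, the kernel falls back to its architecture default, which on x86 is an executable stack, so "no GNU_STACK" is not the same as "non-executable".

```python
"""Report the PT_GNU_STACK request of an ELF file (added example, not from pax.conf/pax-mark)."""
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551   # GNU extension: flags describe the initial stack mapping
PF_X, PF_W, PF_R = 1, 2, 4   # p_flags bits, same encoding as mmap PROT_* here

# (ehdr format, index of e_phoff/e_phentsize/e_phnum, phdr format, p_type index, p_flags index)
_LAYOUT = {
    1: ("16sHHIIIIIHHHHHH", (5, 9, 10), "IIIIIIII", 0, 6),   # ELFCLASS32
    2: ("16sHHIQQQIHHHHHH", (5, 9, 10), "IIQQQQQQ", 0, 1),   # ELFCLASS64
}


def gnu_stack_flags(data: bytes):
    """Return p_flags of the PT_GNU_STACK header, or None if the binary has no such header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in _LAYOUT or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    ehdr_fmt, (i_phoff, i_phentsize, i_phnum), phdr_fmt, i_type, i_flags = _LAYOUT[ei_class]
    ehdr = struct.unpack_from(endian + ehdr_fmt, data, 0)
    phoff, phentsize, phnum = ehdr[i_phoff], ehdr[i_phentsize], ehdr[i_phnum]
    for n in range(phnum):
        ph = struct.unpack_from(endian + phdr_fmt, data, phoff + n * phentsize)
        if ph[i_type] == PT_GNU_STACK:
            return ph[i_flags]
    return None


def stack_policy(data: bytes) -> str:
    """Classify what the binary asks the loader for; 'absent' means the kernel default applies
    (executable on x86), which is why pax.conf treats unmarked binaries with suspicion."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "absent"
    return "executable" if flags & PF_X else "non-executable"


def make_test_elf64(stack_flags=None, little=True) -> bytes:
    """Constructed sample: minimal ELF64 x86-64 image with one PT_LOAD and an optional
    PT_GNU_STACK entry. Not loadable, only enough for header parsing."""
    endian = "<" if little else ">"
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    ident = b"\x7fELF" + bytes([2, 1 if little else 2, 1]) + bytes(9)   # class64, data, version
    ehdr = struct.pack(endian + "16sHHIQQQIHHHHHH", ident,
                       2, 62, 1, 0x400000,      # ET_EXEC, EM_X86_64, EV_CURRENT, e_entry
                       64, 0, 0,                # e_phoff right after the header, no sections
                       64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack(endian + "IIQQQQQQ", *p) for p in phdrs)


if __name__ == "__main__":
    # Usage: python3 gnustack.py /usr/bin/X11/Xorg /usr/lib/openoffice/program/soffice.bin ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: GNU_STACK {stack_policy(fh.read())}")
```

A binary reported as "executable" here is one the PaX-enabled kernel and glibc will choke on at load time unless it is exempted; "absent" ones are worth a second look too, since the kernel default on x86 is an executable stack. Shared objects are parsed the same way, which matters because a library with an executable-stack request pulled in via dlopen() triggers the same mprotect() failure in an otherwise clean program.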
More information about the ubuntu-users mailing list