LinuxQuestions.org

Linux - Security: execshield - what does it break
(http://www.linuxquestions.org/questions/linux-security-4/execshield-what-does-it-break-4175441586/)

dazdaz 12-15-2012 02:29 PM

execshield - what does it break
 
Hi,

I am considering enabling the kernel option called execshield (kernel.exec-shield = 2) on my servers, but I wondered what software it may stop from working.

e.g. Oracle comes to mind, but also games...

Also, is execshield superseded by a newer technology that provides the same security functionality?

Cheers

unSpawn 12-16-2012 09:57 AM

Quote:

Originally Posted by dazdaz (Post 4849992)
I wondered what software it may stop working.

What does this return?:
Code:

# Print every ELF executable on $PATH whose GNU_STACK program header is RWE, i.e. it asks for
# an executable stack. (PIE binaries show up as x-sharedlib or x-pie-executable to `file -i`
# and are skipped by this filter.)
find ${PATH//:/ } -type f | while read -r ITEM; do
  file -i "${ITEM}" 2>/dev/null | grep -q 'application/x-executable' && \
  { eu-readelf -l "${ITEM}" 2>/dev/null | grep -q 'STACK.*RWE' && echo "${ITEM}"; }; done


dazdaz 12-16-2012 12:54 PM

I will run the command you posted tomorrow, in the meantime, could you explain some more about how to interpret the results.

If the output from eu-readelf matched 'STACK.*RWE', does that mean that the kernel feature exec-shield needs to be disabled (0), or changed from 2 to 1 ?

Code:

eu-readelf /bin/ls -l | grep 'STACK.*RWE'

Also I don't understand how the kernel feature 'kernel.randomize_va_space = 2' is related to execshield.

dazdaz 12-17-2012 03:14 AM

Ok I ran the command, and it returned no results. Does that mean that it's safe to enable exec-shield with an option of 1 or 2 ? I still don't understand the difference between them.

unSpawn 12-17-2012 06:13 AM

Quote:

Originally Posted by dazdaz (Post 4850740)
Ok I ran the command, and it returned no results.

It means none of the binaries in your path require an executable stack.


Quote:

Originally Posted by dazdaz (Post 4850740)
Does that mean that it's safe to enable exec-shield with an option of 1 or 2 ?

There is a small chance a binary wasn't compiled with a ".note.GNU-stack" section header; you could grep for its existence to be sure. Otherwise the generic answer would be "yes".


Quote:

Originally Posted by dazdaz (Post 4850740)
I still don't understand the difference between them.

See http://kerneltrap.org/node/644 and http://people.redhat.com/mingo/exec-...Execshield.pdf. Modern distributions set it to "2" AFAIK.


Quote:

Originally Posted by dazdaz (Post 4850466)
Also I don't understand how the kernel feature 'kernel.randomize_va_space = 2' is related to execshield.

Simply put, they both provide randomization. See http://www.win.tue.nl/~aeb/linux/hh/protection.html and 'grep "randomize_va_space:" Documentation/sysctl/kernel.txt -A30;'.


Quote:

Originally Posted by dazdaz
Also is execshield superseded by a newer technology that provides the same security functionality ?

Maybe first read http://en.wikipedia.org/wiki/NX_bit ?
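
How the marking that the find/eu-readelf loop above greps for is actually stored, as an added example that is not code from the thread: the program reads the PT_GNU_STACK program header of an ELF64 image (the "GNU_STACK ... RWE" or "RW" line in eu-readelf -l, the same flag execstack -s/-c toggles) and reports whether PF_X is set. It also separately flags the case mentioned above where the header is missing altogether, which the RWE grep cannot see and where the kernel falls back to its own default rather than a per-binary marking. The three constructed in-memory images, the path-reading helper and the function names are mine; it assumes a little-endian host (x86-64) and glibc's <elf.h>. Run it with no arguments for the constructed cases, or with file paths (e.g. /bin/ls) to classify real binaries.

```c
/* Added example, not code from the thread: classify an ELF64 image by its
 * PT_GNU_STACK program header (eu-readelf -l shows it as "GNU_STACK ... RWE"
 * or "RW"). Assumes a little-endian host (x86-64) and glibc's <elf.h>. */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum stack_state {
    STACK_BAD    = -2, /* not a well-formed little-endian ELF64 image */
    STACK_ABSENT = -1, /* no PT_GNU_STACK at all: the kernel applies its own default */
    STACK_NOEXEC =  0, /* PT_GNU_STACK present without PF_X ("RW") */
    STACK_EXEC   =  1  /* PT_GNU_STACK present with PF_X ("RWE") */
};

/* Walk the program headers of an ELF64 image held in memory. */
int gnu_stack_state(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return STACK_BAD;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_ident[EI_DATA] != ELFDATA2LSB || eh.e_phentsize != sizeof(Elf64_Phdr))
        return STACK_BAD;
    /* Bounds-check the program header table before reading it. */
    if (eh.e_phoff > len || (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return STACK_BAD;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? STACK_EXEC : STACK_NOEXEC;
    }
    return STACK_ABSENT;
}

/* Same check on a file on disk, e.g. /bin/ls; STACK_BAD if unreadable. */
int gnu_stack_state_path(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return STACK_BAD;
    long sz = (fseek(f, 0, SEEK_END) == 0) ? ftell(f) : -1;
    unsigned char *buf = (sz > 0) ? malloc((size_t)sz) : NULL;
    if (!buf) { fclose(f); return STACK_BAD; }
    rewind(f);
    size_t got = fread(buf, 1, (size_t)sz, f);
    fclose(f);
    int st = gnu_stack_state(buf, got);
    free(buf);
    return st;
}

/* Constructed, minimal ELF64 image: ELF header plus the given program headers. */
size_t build_image(unsigned char *out, size_t cap, const Elf64_Phdr *phs, unsigned n)
{
    Elf64_Ehdr eh;
    size_t total = sizeof eh + (size_t)n * sizeof(Elf64_Phdr);
    if (total > cap) return 0;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT; eh.e_version = EV_CURRENT;
    eh.e_type = ET_EXEC; eh.e_machine = EM_X86_64; eh.e_ehsize = sizeof eh;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = (Elf64_Half)n;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, phs, (size_t)n * sizeof(Elf64_Phdr));
    return total;
}

/* Image whose PT_GNU_STACK carries `flags` (PF_R|PF_W|PF_X gives "RWE"). */
int state_with_stack_flags(Elf64_Word flags)
{
    Elf64_Phdr phs[2]; unsigned char img[256];
    memset(phs, 0, sizeof phs);
    phs[0].p_type = PT_LOAD;      phs[0].p_flags = PF_R | PF_X;
    phs[1].p_type = PT_GNU_STACK; phs[1].p_flags = flags;
    return gnu_stack_state(img, build_image(img, sizeof img, phs, 2));
}

/* Image with no PT_GNU_STACK header at all, the case unSpawn says to check for. */
int state_without_gnu_stack(void)
{
    Elf64_Phdr phs[1]; unsigned char img[256];
    memset(phs, 0, sizeof phs);
    phs[0].p_type = PT_LOAD; phs[0].p_flags = PF_R | PF_X;
    return gnu_stack_state(img, build_image(img, sizeof img, phs, 1));
}

int main(int argc, char **argv)
{
    static const char *names[] = { "bad", "no PT_GNU_STACK", "RW", "RWE" }; /* indexed by state + 2 */
    if (argc < 2)   /* no paths given: show the three constructed cases */
        printf("RWE image: %s, RW image: %s, no header: %s\n",
               names[state_with_stack_flags(PF_R | PF_W | PF_X) + 2],
               names[state_with_stack_flags(PF_R | PF_W) + 2],
               names[state_without_gnu_stack() + 2]);
    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i], names[gnu_stack_state_path(argv[i]) + 2]);
    return 0;
}
```

Compile with gcc -o elfstack elfstack.c and point it at the same binaries as the loop above; a file that comes back "no PT_GNU_STACK" is exactly the one the RWE grep would pass over while the kernel still decides its stack permissions on its own.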

dazdaz 12-17-2012 02:23 PM

Thanks for the information, I found this very helpful !

Is there a list of known applications that require an executable stack ?

dazdaz 12-27-2012 09:29 AM

Thanks again unSpawn, much appreciated.

One question has arisen, which I can't find from a quick 5 minute search.

When kernel.exec-shield = 2, how do I disable the application bits ? I presume that this is not referring to using the chmod command, but something else, and there is a value/field that can be changed.

dazdaz 12-27-2012 05:31 PM

I believe that execshield(8) from the prelink package answers my question.

# This finds all the .so files (normally links to shared libraries), and queries the execstack state.
find . -name \*.so -exec execstack -q {} \;

# Mark binary or shared library as *not* requiring an executable stack.
execstack -c /usr/lib/libxvidcore.so*

# Mark binary or shared library as requiring executable stack.
execstack -s /opt/Adobe/Reader9/Reader/intellinux/lib/libsccore.so
execstack -s /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8

unSpawn 12-28-2012 06:31 AM

Quote:

Originally Posted by dazdaz (Post 4851099)
Is there a list of known applications that require an executable stack ?

Not that I know of.

And well done for answering your own questions BTW ;-p

dazdaz 12-28-2012 08:05 AM

Although I have theoretically answered my own question, it seems that in practice I have not. Let's examine this, because execstack is not functioning how I had thought/expected.

Is there another tool that I should be using to change the 'application bits' ?

## A value of 2 enables them by default, except if the application bits are set to “disable”.

Using execstack, I can't seem to disable the application bits, and that's where I'm getting lost.

# echo 2 > /proc/sys/kernel/exec-shield

# cp /bin/ls .
# execstack -q ./ls
- ./ls

# execstack -s ./ls
# execstack -q ./ls
X ./ls

## Command still executes
# ./ls
anaconda-ks.cfg index.html install.log.syslog lsexec setup_routes

# execstack -c ./ls
# ./ls
anaconda-ks.cfg index.html install.log.syslog lsexec setup_routes

unSpawn 12-28-2012 09:34 AM

Hmm. I think you need an executable or library that actually requires the executable stack flag to be set to test it. I mean it's got to actually violate the rule by trying to execute instructions on the stack. Didn't work for me though, so I'll have to figure out why next year.
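
A binary that does try to execute instructions on its stack, as an added example that is not code from the thread: a plain ls never runs anything from its stack, so flipping its marking with execstack -s/-c changes nothing observable, whereas the program below copies a six-byte x86-64 snippet (mov eax, 42 ; ret) into a stack buffer and calls it, after reading its own [stack] mapping from /proc/self/maps to show what permissions the kernel actually granted. The maps parser, the function names and the --force switch are mine; it assumes Linux on x86-64.

```c
/* Added example, not code from the thread: a program that really executes
 * instructions from its own stack, which ls never does, so the execstack
 * -s / -c marking has something to act on. Assumes Linux on x86-64 and a
 * readable /proc/self/maps; the maps parser and --force switch are mine. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse /proc/<pid>/maps text: 1 if the "[stack]" mapping has the x bit,
 * 0 if it does not, -1 if no [stack] line is present. */
int stack_exec_from_maps(const char *maps)
{
    const char *line = maps;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t n = nl ? (size_t)(nl - line) : strlen(line);
        if (n >= 7 && memcmp(line + n - 7, "[stack]", 7) == 0) {
            /* "start-end perms offset dev inode path": perms follow the first space */
            const char *sp = memchr(line, ' ', n);
            if (!sp || (size_t)(sp - line) + 4 > n) return -1;
            return sp[3] == 'x';   /* perms are "rwxp": sp[1]=r sp[2]=w sp[3]=x */
        }
        if (!nl) break;
        line = nl + 1;
    }
    return -1;
}

/* Ask the kernel what it actually granted this process's main stack. */
int stack_is_executable(void)
{
    static char buf[1 << 16];   /* plenty for this tiny process's maps */
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    size_t got = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[got] = '\0';
    return stack_exec_from_maps(buf);
}

int main(int argc, char **argv)
{
    int force = argc > 1 && strcmp(argv[1], "--force") == 0;
    int x = stack_is_executable();
    printf("[stack] mapping executable: %s\n", x == 1 ? "yes" : x == 0 ? "no" : "unknown");
#if defined(__x86_64__)
    /* mov eax, 42 ; ret  -- six bytes of code living in a stack buffer */
    unsigned char code[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
    if (x == 1 || force) {
        int (*fn)(void);
        void *p = code;
        memcpy(&fn, &p, sizeof fn);   /* object-to-function pointer without the cast warning */
        printf("jumping into the stack buffer...\n");
        printf("returned %d\n", fn());   /* SIGSEGV here when the stack is non-executable */
    } else {
        printf("stack is not executable; rerun with --force to watch it die with SIGSEGV\n");
    }
#else
    (void)force;
    printf("the stack-execution step is written for x86-64 only\n");
#endif
    return 0;
}
```

Build it with gcc -o stacktest stacktest.c (gcc links a non-executable stack by default, so execstack -q ./stacktest prints "-"); ./stacktest --force then dies with SIGSEGV, and after execstack -s ./stacktest the same binary reports an executable [stack] mapping and prints "returned 42". On an SELinux system with the allow_execstack boolean off, the executable stack can be refused at exec time even with the RWE marking in place.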

dazdaz 12-28-2012 06:07 PM

I am using a virtualisation layer (VMware 4.1), I wonder if that would change the behaviour...

