LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-15-2012, 02:29 PM   #1
dazdaz
Member
 
Registered: Aug 2003
Location: Europe
Distribution: RHEL 6.x, 5.x, Fedora 20, Kubuntu 12.04, Solaris 10,8
Posts: 321

Rep: Reputation: 17
execshield - what does it break


Hi,

I am considering enabling the kernel option called execshield (kernel.exec-shield = 2) on my servers, but I wondered what software it may stop from working.

i.e. ORACLE comes to mind, but also games...

Also is execshield superseded by a newer technology that provides the same security functionality ?

Cheers

Last edited by dazdaz; 12-15-2012 at 02:32 PM.
 
Old 12-16-2012, 09:57 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,564
Blog Entries: 54

Rep: Reputation: 2927
Quote:
Originally Posted by dazdaz View Post
I wondered what software it may stop working.
What does this return?:
Code:
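# List executables in $PATH whose GNU_STACK program header is flagged RWE (executable stack).
find ${PATH//:/ } -type f | while IFS= read -r ITEM; do
 file -i "${ITEM}" 2>/dev/null | grep -q 'application/x-executable' &&
 { eu-readelf -l "${ITEM}" 2>/dev/null | grep -q "STACK.*RWE" && echo "${ITEM}"; }; done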
 
1 members found this post helpful.
Old 12-16-2012, 12:54 PM   #3
dazdaz
Member
 
Registered: Aug 2003
Location: Europe
Distribution: RHEL 6.x, 5.x, Fedora 20, Kubuntu 12.04, Solaris 10,8
Posts: 321

Original Poster
Rep: Reputation: 17
I will run the command you posted tomorrow, in the meantime, could you explain some more about how to interpret the results.

If the output from eu-readelf matched 'STACK.*RWE', does that mean that the kernel feature exec-shield needs to be disabled (0), or changed from 2 to 1 ?

Code:
 eu-readelf /bin/ls -l | grep 'STACK.*RWE'

Also I don't understand how the kernel feature 'kernel.randomize_va_space = 2' is related to execshield.

Last edited by dazdaz; 12-16-2012 at 01:09 PM.
 
Old 12-17-2012, 03:14 AM   #4
dazdaz
Member
 
Registered: Aug 2003
Location: Europe
Distribution: RHEL 6.x, 5.x, Fedora 20, Kubuntu 12.04, Solaris 10,8
Posts: 321

Original Poster
Rep: Reputation: 17
Ok I ran the command, and it returned no results. Does that mean that it's safe to enable exec-shield with an option of 1 or 2 ? I still don't understand the difference between them.
 
Old 12-17-2012, 06:13 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,564
Blog Entries: 54

Rep: Reputation: 2927
Quote:
Originally Posted by dazdaz View Post
Ok I ran the command, and it returned no results.
It means none of the binaries in your path require an executable stack.


Quote:
Originally Posted by dazdaz View Post
Does that mean that it's safe to enable exec-shield with an option of 1 or 2 ?
There is a small chance a binary wasn't compiled with a ".note.GNU-stack" section header; you could grep for its existence to be sure. Otherwise the generic answer would be "yes".


Quote:
Originally Posted by dazdaz View Post
I still don't understand the difference between them.
See http://kerneltrap.org/node/644 and http://people.redhat.com/mingo/exec-...Execshield.pdf. Modern distributions set it to "2" AFAIK.


Quote:
Originally Posted by dazdaz View Post
Also I don't understand how the kernel feature 'kernel.randomize_va_space = 2' is related to execshield.
Simply put, they both provide randomization. See http://www.win.tue.nl/~aeb/linux/hh/protection.html and 'grep "randomize_va_space:" Documentation/sysctl/kernel.txt -A30;'.


Quote:
Originally Posted by dazdaz
Also is execshield superseded by a newer technology that provides the same security functionality ?
Maybe first read http://en.wikipedia.org/wiki/NX_bit ?
 
1 members found this post helpful.
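Added example, not part of the thread: the scan from post #2 prints nothing both for a binary marked non-executable and for one that carries no GNU_STACK program header at all, which is the case post #5 warns about. The Python sketch below reads the ELF program headers directly and reports the two cases separately; `gnu_stack_state`, `scan_path` and `make_elf64` are names made up for this example, and `make_elf64` only builds constructed sample input.

```python
import os
import struct

PT_GNU_STACK = 0x6474E551   # program header type that carries the stack permissions
PF_X = 0x1                  # execute bit in p_flags

def gnu_stack_state(data):
    """Classify an ELF image: 'exec', 'noexec', 'missing' (no PT_GNU_STACK) or 'not-elf'."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        return "not-elf"
    is64 = data[4] == 2                     # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little endian, 2 = big endian
    phoff, = struct.unpack_from(end + ("Q" if is64 else "I"), data, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(end + "HH", data, 54 if is64 else 42)
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + (56 if is64 else 32) > len(data):
            break                           # truncated program header table
        p_type, = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            # p_flags sits at offset 4 in Elf64_Phdr and offset 24 in Elf32_Phdr
            flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
            return "exec" if flags & PF_X else "noexec"
    return "missing"

def scan_path(dirs=None):
    """Return {path: state} for files in the PATH directories not marked 'noexec'."""
    hits = {}
    for d in dirs or os.environ.get("PATH", "").split(os.pathsep):
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            try:
                if os.path.isfile(path):
                    with open(path, "rb") as fh:
                        state = gnu_stack_state(fh.read())
                    if state in ("exec", "missing"):
                        hits[path] = state
            except OSError:
                pass                        # unreadable file: skip it
    return hits

def make_elf64(phdrs):
    """Constructed sample input: minimal little-endian ELF64 with (p_type, p_flags) headers."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
```

Files reported as "missing" leave the decision to the kernel's architecture default, so they need review just like the ones reported as "exec".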
Old 12-17-2012, 02:23 PM   #6
dazdaz
Member
 
Registered: Aug 2003
Location: Europe
Distribution: RHEL 6.x, 5.x, Fedora 20, Kubuntu 12.04, Solaris 10,8
Posts: 321

Original Poster
Rep: Reputation: 17
Thanks for the information, I found this very helpful !

Is there a list of known applications that require an executable stack ?
 
Old 12-27-2012, 09:29 AM   #7
dazdaz
Member
 
Registered: Aug 2003
Location: Europe
Distribution: RHEL 6.x, 5.x, Fedora 20, Kubuntu 12.04, Solaris 10,8
Posts: 321

Original Poster
Rep: Reputation: 17
Thanks again unSpawn, much appreciated.

One question has arisen, which I can't find from a quick 5 minute search.

When kernel.exec-shield = 2, how do I disable the application bits ? I presume that this is not referring to using the chmod command, but something else, and there is a value/field that can be changed.

Last edited by dazdaz; 12-27-2012 at 09:51 AM.
 
Old 12-27-2012, 05:31 PM   #8
dazdaz
Member
 
Registered: Aug 2003
Location: Europe
Distribution: RHEL 6.x, 5.x, Fedora 20, Kubuntu 12.04, Solaris 10,8
Posts: 321

Original Poster
Rep: Reputation: 17
I believe that execshield(8) from the prelink package answers my question.

# This finds all the .so files (normally links to shared libraries), and queries the execstack state.
find . -name \*.so -exec execstack -q {} \;

# Mark binary or shared library as *not* requiring an executable stack.
execstack -c /usr/lib/libxvidcore.so*

# Mark binary or shared library as requiring executable stack.
execstack -s /opt/Adobe/Reader9/Reader/intellinux/lib/libsccore.so
execstack -s /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
 
1 members found this post helpful.
Old 12-28-2012, 06:31 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,564
Blog Entries: 54

Rep: Reputation: 2927
Quote:
Originally Posted by dazdaz View Post
Is there a list of known applications that require an executable stack ?
Not that I know of.

And well done for answering your own questions BTW ;-p
 
Old 12-28-2012, 08:05 AM   #10
dazdaz
Member
 
Registered: Aug 2003
Location: Europe
Distribution: RHEL 6.x, 5.x, Fedora 20, Kubuntu 12.04, Solaris 10,8
Posts: 321

Original Poster
Rep: Reputation: 17
Although I have theoretically answered my own question, it seems that in practise I have not, let's examine this because execstack is not functioning how I had thought/expected.

Is there another tool that I should be using to change the 'application bits' ?

## A value of 2 enables them by default, except if the application bits are set to “disable”.

Using execstack, I can't seem to disable the application bits, and that's where I'm getting lost.

# echo 2 > /proc/sys/kernel/exec-shield

# cp /bin/ls .
# execstack -q ./ls
- ./ls

# execstack -s ./ls
# execstack -q ./ls
X ./ls

## Command still executes
# ./ls
anaconda-ks.cfg index.html install.log.syslog lsexec setup_routes

# execstack -c ./ls
# ./ls
anaconda-ks.cfg index.html install.log.syslog lsexec setup_routes

Last edited by dazdaz; 12-28-2012 at 08:07 AM.
 
Old 12-28-2012, 09:34 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,564
Blog Entries: 54

Rep: Reputation: 2927
Hmm. I think you need an executable or library that actually requires the executable stack flag to be set to test it. I mean it's got to actually violate the rule by trying to execute instructions on the stack. Didn't work for me though so I'll have to figure out why next year.
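Added example, not part of the thread: the GNU_STACK marking that `execstack -s` and `execstack -c` toggle does not decide whether a program starts; it decides whether its stack is mapped executable, and the kernel reports that per process in /proc/<pid>/maps. The Python sketch below reads the permissions of the [stack] mapping and audits running processes for an executable stack; the function names and the sample maps text are constructed for this example.

```python
import os

# Constructed sample of /proc/<pid>/maps content (addresses, inodes and paths are made up).
SAMPLE_MAPS = """\
00400000-0041b000 r-xp 00000000 fd:00 131 /tmp/demo/ls
0061a000-0061c000 rw-p 0001a000 fd:00 131 /tmp/demo/ls
7f3c1a000000-7f3c1a1b2000 r-xp 00000000 fd:00 262 /lib64/libc-2.12.so
7fff4e1e5000-7fff4e1fa000 rwxp 00000000 00:00 0 [stack]
"""

def parse_maps(maps_text):
    """Yield (perms, name) for each mapping line of a /proc/<pid>/maps dump."""
    for line in maps_text.splitlines():
        fields = line.split(None, 5)        # range, perms, offset, dev, inode, [name]
        if len(fields) >= 5:
            yield fields[1], (fields[5].strip() if len(fields) > 5 else "")

def stack_perms(maps_text):
    """Return the permission string of the main thread's [stack] mapping, or None."""
    for perms, name in parse_maps(maps_text):
        if name == "[stack]":
            return perms
    return None

def wx_mappings(maps_text):
    """Return every mapping that is writable and executable at the same time."""
    return [(p, n) for p, n in parse_maps(maps_text) if "w" in p and "x" in p]

def audit_processes(proc="/proc"):
    """Return {pid: argv[0]} for processes whose main stack is mapped executable."""
    hits = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "maps")) as fh:
                perms = stack_perms(fh.read())
            with open(os.path.join(proc, entry, "cmdline"), "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue                        # process exited, or maps not readable by us
        if perms and "x" in perms:
            hits[int(entry)] = argv0
    return hits
```

Run `audit_processes()` as root to cover every process; a stack shown as `rw-p` means the non-executable marking is being honoured for that process.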
 
Old 12-28-2012, 06:07 PM   #12
dazdaz
Member
 
Registered: Aug 2003
Location: Europe
Distribution: RHEL 6.x, 5.x, Fedora 20, Kubuntu 12.04, Solaris 10,8
Posts: 321

Original Poster
Rep: Reputation: 17
I am using a virtualisation layer (VMware 4.1), I wonder if that would change the behaviour...
 
  


All times are GMT -5. The time now is 04:08 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration