LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-01-2007, 12:01 PM   #1
deadlinx
Member
 
Registered: Feb 2006
Location: Italy
Distribution: Ubuntu FreeBSD
Posts: 92

Rep: Reputation: 15
PAX protection


hi,

I've built the vanilla with the GRSecurity patch many times in the past,
nowadays the last stable and testing patch,
with the same "custom" configuration I'm used to choose,
seem not to really apply PAX protections: OpenOffice starts,
this means the stack is executable as also paxtest output put in evidence!

Please, i don't know what to do, internet is not really helpful about this
problem.


deadlinx
 
Old 06-01-2007, 02:36 PM   #2
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
can you post your .config from the build? if you can post it as a link and not in the code box. Its a big file to code box
 
Old 06-02-2007, 06:04 AM   #3
deadlinx
Member
 
Registered: Feb 2006
Location: Italy
Distribution: Ubuntu FreeBSD
Posts: 92

Original Poster
Rep: Reputation: 15
Hi,


The .config, the part inherent to PAX and GRSecurity is
avalilable in this post:
http://forums.grsecurity.net/viewtopic.php?t=1745

It's not my post but it includes the same .config I have
and the "writer" has the same PAX problem I have with the
same 2.6.19.2 patch.

I'm used to apply, successfully, this patch
so I know how to configure it, I used the official documentation,
so it's probably a bug and not a kernel misconfiguration;
in the past PAX has always been working as paxtest reveals,
in fact all programs needing an executable stack needed tuning
for working.


I found the problem also in the last "test patch".
Testing code is not stable, so it's normal it could be buggy,
but a soo big bug in a "security kernel patch",
released since months it's surely a serious problem.

It's paradoxical: you want to increase security,
you use a security stable patch and you rebuild the kernel
and all external driver (boring work on a desktop)
then you get a no-protected kernel,
quite frustrating, don't you?

Changing configuration increasing GRsecurity level to custom
and tuning manually, gives me a kernel oops on reboot :-/

There's also SElinux, but it's not well supported in Feisty and
if you choose tuning like removing upstart and so on you'll get
problem anyway as I read.

Apparmor is not secure as GRSecurity and it gives some installing problems yet.


The only serious alternative is RSBAC, but it's too hard for
a desktop and it takes me too much time in configuring, at this
moment I only have basic protection :-/




deadlinx
 
Old 06-08-2007, 04:02 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Just to note http://forums.grsecurity.net/viewtopic.php?t=1745 got an immediate response from the PAX team which tells you to look at http://forums.grsecurity.net/viewtopic.php?t=1647.


Quote:
so I know how to configure it, I used the official documentation,
so it's probably a bug and not a kernel misconfiguration;
If you correctly determined it's a bug then you should have the GRSecurity developer confirm it.
 
Old 06-08-2007, 04:51 AM   #5
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
Also have you verifed that every line of your pax and grsecurity kernel config is exact with the one on the page. The reason people ask for the stuff is so we can see if you might have missed something and saying "This is the same as mine" is not the same as saying "This is mine".

I am running the 2.6.19.2 on one of my machines and the 2.6.21.3 on 2 other machines of mine and pax is working fine.

Please post the pax and grsecurity section of the .config file so we can see it.

Last edited by slimm609; 06-08-2007 at 04:53 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
PAX archive file size limit simdol Linux - Software 1 10-23-2006 12:12 PM
KernelHang : PAX and Highmem connection kingkhan2006 Linux - Security 1 09-04-2006 07:42 PM
PROPOSAL: glibc with --noexec (new binary breaks PaX) gian2oo1 Slackware 2 01-31-2006 03:08 PM
OpenBSD vs Linux+PaX+SSP+RSBAC jakaro *BSD 3 06-23-2005 08:05 PM
Excluding a file when using pax tobycatlin Linux - General 9 04-28-2005 12:13 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:37 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration