LinuxQuestions.org
Old 10-06-2016, 04:33 PM   #16
c0wb0y
Member
 
Registered: Jan 2012
Location: Inside the oven
Distribution: Windows
Posts: 417

Rep: Reputation: 74

Quote:
Originally Posted by pyrovortex
I understand your concern unspawn but I can assure you that I am up to date (software-wise) with all the security vulnerabilities that have been in the open till today.

Thanks
Sorry, but I'm not sure how you can get up-to-date if your base OS is long gone?
 
Old 10-06-2016, 07:19 PM   #17
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,898

Rep: Reputation: 1506
Quote:
Originally Posted by c0wb0y
Sorry, but I'm not sure how you can get up-to-date if your base OS is long gone?
One way is to update the libraries/utilities known to have vulnerabilities manually.

Which is what I suspect has happened in this case. Doing it manually is relatively easy (I used to do it all the time).

The one thing tricky is when SELinux is active. You also have to set the security label on the result.
 
Old 10-06-2016, 07:33 PM   #18
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,898

Rep: Reputation: 1506
Quote:
Originally Posted by c0wb0y
Sorry, but I'm not sure how you can get up-to-date if your base OS is long gone?
One way is to update the libraries/utilities known to have vulnerabilities manually.

Which is what I suspect has happened in this case. Doing it manually is relatively easy (I used to do it all the time).

The one thing tricky is when SELinux is active. You also have to set the security label on the result.

The problem here is the "cannot enable executable stack". That should be a bug in the library (the executable stack is a flag in the ELF header for the library).

You can try installing the "execstack" package to see what is going on. You can try "execstack -c <library>" (this should clear the flag calling for an executable stack) and then try it out. I don't believe libcrypto is supposed to be using an executable stack, so I'm not sure how it would have gotten set. If clearing the flag causes sshd to fail then you have a buggy library.

You can find the manpage on execstack at https://linux.die.net/man/8/execstack and see what it does before installing it.

I think the package should be available in an archived repository, though you might have to look for one.

BTW, I apologize for missing the obvious. You clearly stated the problem, yet I missed it.

Last edited by jpollard; 10-06-2016 at 07:48 PM. Reason: btw apology
 
Old 10-07-2016, 10:30 AM   #19
pyrovortex
LQ Newbie
 
Registered: Sep 2016
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jpollard
Where did you get libcrypto.so.1.0.0?

That doesn't appear to be a version used by Fedora 16. On my system it is libcrypto.so.1.0.0j

The package install for sshd for Fedora 16 would include the package for libcrypto that has the appropriate security label.

What you have installed is either not properly labeled, or is the wrong package.

If you manually installed the library, you have to properly label it or it will not be used. I would almost bet the label type is either unknown, or not "lib_t". On my system (an archived Fedora 16) the full label is system_u:object_r:lib_t:s0
Hi,

libcrypto.so.1.0.0 on my box was from OpenSSL and the context on the file is the same as yours, "system_u:object_r:lib_t:s0".
But is it possible that SELinux recognizes a manually installed file and gives it a context? I am under the impression that based on the directory, the underlying files get their contexts.


Thanks
 
Old 10-07-2016, 10:39 AM   #20
pyrovortex
LQ Newbie
 
Registered: Sep 2016
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jpollard
One way is to update the libraries/utilities known to have vulnerabilities manually.

Which is what I suspect has happened in this case. Doing it manually is relatively easy (I used to do it all the time).

The one thing tricky is when SELinux is active. You also have to set the security label on the result.

The problem here is the "cannot enable executable stack". That should be a bug in the library (the executable stack is a flag in the ELF header for the library).

You can try installing the "execstack" package to see what is going on. You can try "execstack -c <library>" (this should clear the flag calling for an executable stack) and then try it out. I don't believe libcrypto is supposed to be using an executable stack, so I'm not sure how it would have gotten set. If clearing the flag causes sshd to fail then you have a buggy library.

You can find the manpage on execstack at https://linux.die.net/man/8/execstack and see what it does before installing it.

I think the package should be available in an archived repository, though you might have to look for one.

BTW, I apologize for missing the obvious. You clearly stated the problem, yet I missed it.

Nailed it with the explanation. I am not sure how expressive I could be and so was trying hard to think about analogies.
I will try out the "execstack" based proposed solution and update you soon.

Thanks
 
Old 10-07-2016, 08:30 PM   #21
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,898

Rep: Reputation: 1506
Quote:
Originally Posted by pyrovortex
Nailed it with the explanation. I am not sure how expressive I could be and so was trying hard to think about analogies.
I will try out the "execstack" based proposed solution and update you soon.

Thanks
You did fine. It was my error.
 
Old 12-29-2016, 09:38 AM   #22
pyrovortex
LQ Newbie
 
Registered: Sep 2016
Posts: 10

Original Poster
Rep: Reputation: Disabled
Hi All,

Thanks for chipping in.

Closing the thread.

Thanks!
 
  

