0.2 Roadmap

Sebastian Faulborn sfaulborn at web.de
Wed Jul 26 09:59:47 PDT 2006


>> Also don't forget to also add chpax (or at least mention it somewhere in the
>> book!). It's needed when you want to change PAX settings for precompiled
>> binaries which don't use the new PAX style ELF headers (eg. Java,
>> precompiled MySQL, etc.)
>
>Paxctl is in chapter 6. It's the last package, after udev. It gets run on 
>grub.

The paxctl man page says:

CAVEATS
       The  old  PaX flag location and control method have been obsoleted, 
       if your kernel and binaries use it you have to use chpax(1) instead.

As far as I understand it, this means that chpax and paxctl operate on different
headers and are not the same (ie. paxctl is NOT the new version of chpax).

eg:
--------------------------------------------------------------------------------
root at sslinux:/tmp/j2sdk1.4.2_12/bin# ./java
Killed
root at sslinux:/tmp/j2sdk1.4.2_12/bin# paxctl -m ./java
file ./java does not have a PT_PAX_FLAGS program header
root at sslinux:/tmp/j2sdk1.4.2_12/bin# ./java
Killed
root at sslinux:/tmp/j2sdk1.4.2_12/bin# chpax -m ./java
root at sslinux:/tmp/j2sdk1.4.2_12/bin# ./java
Usage: java [-options] class [args...]
           (to execute a class)
   or  java [-options] -jar jarfile [args...]
           (to execute a jar file)
...
    -esa | -enablesystemassertions
                  enable system assertions
    -dsa | -disablesystemassertions
                  disable system assertions
--------------------------------------------------------------------------------

As can be seen, paxctl complains about missing PT_PAX_FLAGS and cannot set -m.
Chpax can set -m and java executes afterwards.

For the same reason it is important to set both the old AND new header types
in the PAX settings in the kernel so that both kinds are supported (as
recommended in the GRSecurity/PAX quickstart). When 
programs are compiled on HLFS, the new kind of headers will always be used.

So I think one should at least put a note in the book telling about precompiled
binaries and chpax. Note: PAX works on precompiled binaries in the same way
as on self compiled ones. Its just SSP which is missing. So binaries are still
protected by PAX/GRSecurity.

Sebastian Faulborn
Homepage: http://www.secure-slinux.org








More information about the hlfs-dev mailing list