[grsec] paxctl does not work, why?

Ned Ludd solar at gentoo.org
Fri Aug 20 03:33:29 EDT 2004


On Mon, 2004-08-16 at 08:53, Horváth Ákos wrote:
> paxctl does not do anything on my system. I am currently using the latest stable 
> pax tools (v0.2), on a debian sarge with a vanilla 2.6.7 patched by 
> grsecurity. The symptom is the following:

Your /bin/init is probably lacking the PT_PAX_FLAGS program header.
Unless your binutils has been updated to support pax flag handling this
probably won't work for you. And then even if your binutils was patched
you would need to recompile most of your userland to support it, which is
a pretty uncommon thing for debian users to do. So at this point you 
should probably be using chpax vs the paxctl.

> 
> (/sbin/init- is an exact copy of the /sbin/init binary).
> 
> # paxctl -p -E -m -R -x -S /sbin/init-
> [root at maxx:~:14:50:13:519]
> # paxctl -v /sbin/init-
> PaX control v0.2
> Copyright 2004 PaX Team <pageexec at freemail.hu>
> 
> [root at maxx:~:14:50:19:520]
> # paxctl -P -e -M -r -X -s /sbin/init-
> [root at maxx:~:14:50:29:521]
> # paxctl -v /sbin/init-
> PaX control v0.2
> Copyright 2004 PaX Team <pageexec at freemail.hu>
> 
> [root at maxx:~:14:50:31:522]
> #
> 
> If I do a strace of paxctl, then it seems paxctl mmap()-s in the binary 
> correctly:
> 
> # strace paxctl -P -e -M -r -X -s /sbin/init-
> execve("/sbin/paxctl", ["paxctl", "-P", "-e", "-M", "-r", "-X", "-s", 
> "/sbin/init-"], [/* 34 vars */]) = 0
> uname({sys="Linux", node="maxx", ...})  = 0
> [...]
> munmap(0x40018000, 73745)               = 0
> open("/sbin/init-", O_RDONLY)           = 3
> mmap2(NULL, 64, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40018000
> close(3)                                = 0
> munmap(0x40018000, 64)                  = 0
> open("/sbin/init-", O_RDWR)             = 3
> mmap2(NULL, 276, PROT_READ|PROT_WRITE, MAP_SHARED, 3, 0) = 0x40018000
> close(3)                                = 0
> exit_group(0)                           = ?
> [root at maxx:~:14:51:45:523]
> #
> 
> What could be the problem?
> 
> thanks all
> 
> MaXX
-- 
Ned Ludd <solar at gentoo.org>
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer
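
An added example, not part of the original message: a checker that reports whether an ELF file carries the PT_PAX_FLAGS program header discussed above and, if it does, decodes its flag bits. The function names and the sample image are constructed for illustration; the header type and bit layout are the ones defined in the PaX patch's elf.h.

```python
import struct

PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580, the type the PaX patch defines
# p_flags bits 4..15 are (enable, disable) pairs, in this order (PaX elf.h)
PAX_BITS = ["PAGEEXEC", "SEGMEXEC", "MPROTECT", "RANDEXEC", "EMUTRAMP", "RANDMMAP"]

def pax_flags(data):
    """Decode PT_PAX_FLAGS from an ELF image; None means the header is absent."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little endian
    if len(data) < (64 if is64 else 52):
        raise ValueError("truncated ELF header")
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + (8 if is64 else 28) > len(data):
            raise ValueError("program header table runs past end of file")
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type != PT_PAX_FLAGS:
            continue
        # p_flags follows p_type directly in ELF64 but sits at offset 24 in ELF32
        (p_flags,) = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        out = {}
        for n, name in enumerate(PAX_BITS):
            on, no = p_flags >> (4 + 2 * n) & 1, p_flags >> (5 + 2 * n) & 1
            out[name] = "on" if on else "off" if no else "default"
        return out
    return None

def sample_elf32(phdrs):
    """Constructed sample: minimal little-endian ELF32 image from (p_type, p_flags) pairs."""
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, f, 0) for t, f in phdrs)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, pax_flags(fh.read()) or "no PT_PAX_FLAGS header")
```

Run against a binary built without a PaX-aware toolchain, it reports that the header is absent, which is the situation the reply describes.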