[grsec] Debian, chpax and package upgrades

Barry.Schwartz at chemoelectric.org
Wed Jan 5 11:50:19 EST 2005


Christian Jaeger <christian.jaeger at ethlife.ethz.ch> wrote:
> I'm using Debian, and since I don't want to recompile libc etc. now 
> (since I think (never tried) that's too complicated to handle for a 
> larger number of (virtual root-)hosts from which many aren't 
> administrated by me), I'm still using chpax. This is working fine,
> but it is tedious to chpax binaries again if packages are being
> upgraded (and explaining to the other admins how to do it is tedious as
> well). So I'd like to have a scheme where after a package upgrade, 
> some callback script is run (either only for packages in some local 
> list of pax-sensitive packages, or for all packages but with an 
> argument mentioning the package name).
> 
> Any ideas? (or tips where to ask?)

Gentoo has an "init" script called "chpax" that doesn't really
initialize anything, it just sets PaX flags using either or both of
chpax or paxctl for programs that need it.  You could do something
like that for Debian.  (An actual Gentoo init script wouldn't be
compatible with Debian.)

It doesn't actually have to be an init script.  The basic idea is to
put all your PaX flag changes in a script you can just run.  It
changes all settings throughout the system, but that doesn't take too
long.

-- 
Barry.Schwartz at chemoelectric.org    http://www.chemoelectric.org
"I have directed that in the future I sign each letter." -- Rumsfeld
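
A sketch of the approach suggested in the reply above, added here as an example and not part of the original thread or of Gentoo's script: every PaX flag setting lives in one list file, and a script re-applies the whole list in a single pass. The list location, its line format and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): re-apply PaX flags from one list file.
# Assumed list format: "<flags> <absolute path>" per line, '#' starts a comment.
# <flags> are chpax/paxctl letters (PpEeMmRrXxSs), e.g. "m" or "pemrxs".
PAX_LIST=${PAX_LIST:-/etc/pax-flags.list}   # hypothetical location
PAX_TOOL=${PAX_TOOL:-chpax}                 # or paxctl

# pax_plan LISTFILE: print "tool -flags path" for every entry that can be applied.
pax_plan() {
    while read -r flags path; do
        case $flags in ''|'#'*) continue ;; esac
        case $flags in *[!PpEeMmRrXxSs]*)
            echo "skip: bad flags '$flags' for $path" >&2; continue ;; esac
        case $path in /*) ;; *)
            echo "skip: not an absolute path: $path" >&2; continue ;; esac
        # This runs as root: touch only regular files, never symlinks, and
        # tolerate binaries that an upgrade or removal took away.
        if [ -L "$path" ] || [ ! -f "$path" ]; then
            echo "skip: missing or not a regular file: $path" >&2; continue
        fi
        echo "$PAX_TOOL -$flags $path"
    done < "$1"
}

# pax_apply LISTFILE: run every planned command; non-zero if any one failed.
pax_apply() {
    rc=0
    plan=$(pax_plan "$1") || return 1
    while read -r tool flags path; do
        [ -n "$tool" ] || continue
        "$tool" "$flags" "$path" || { echo "failed: $path" >&2; rc=1; }
    done <<EOF
$plan
EOF
    return $rc
}

# Stand-alone use: "script plan" previews, "script apply" changes the flags.
case ${1:-} in
    plan)  pax_plan  "$PAX_LIST" ;;
    apply) pax_apply "$PAX_LIST" ;;
esac
```

On Debian, one place to call this after upgrades is an apt `DPkg::Post-Invoke` hook, which fires only for apt-driven runs and not for direct `dpkg` invocations. Keep the list file writable by root only, since each entry becomes a command run as root.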