| 1 |
> I'm having problems with apache2+mod_php in an hardened environment. I'm |
| 2 |
> restricting mprotect() and disallowing ELF relocations. of course mysql |
| 3 |
> didn't start and apache2 didn't load the php module. |
| 4 |
> |
| 5 |
> mysql's problem was quickly fixed with a paxctl -m on 2 binaries. |
| 6 |
|
| 7 |
i think you can fix it 'properly' by removing the --enable-assembler |
| 8 |
from the ebuild. |
| 9 |
|
| 10 |
> mod_php's problem still lies unfixable. paxctl -m on libphp4.so doesn't fix |
| 11 |
> the problem and none of the libraries upon which libphp4.so depends on needs |
| 12 |
> to relocate ELF segments. (individually checked with scanelf -a). |
| 13 |
|
| 14 |
the PaX flags are effective on executables, not shared libraries, so |
| 15 |
for your case you'd have to paxctl apache (or whoever else loads that |
| 16 |
library). best fix is of course getting rid of the textrels in the |
| 17 |
shared lib. for some reason i recall this php issue, maybe there's |
| 18 |
already something in the gentoo bugzilla about it. |
| 19 |
|
| 20 |
-- |
| 21 |
gentoo-hardened@g.o mailing list |
Archives