> I'm having problems with apache2+mod_php in a hardened environment. I'm
> restricting mprotect() and disallowing ELF relocations. of course mysql
> didn't start and apache2 didn't load the php module.
>
> mysql's problem was quickly fixed with a paxctl -m on 2 binaries.
|
i think you can fix it 'properly' by removing the --enable-assembler
from the ebuild.
|
> mod_php's problem still lies unfixable. paxctl -m on libphp4.so doesn't fix
> the problem and none of the libraries upon which libphp4.so depends needs
> to relocate ELF segments. (individually checked with scanelf -a).
|
the PaX flags are effective on executables, not shared libraries, so
for your case you'd have to paxctl apache (or whoever else loads that
library). best fix is of course getting rid of the textrels in the
shared lib. for some reason i recall this php issue, maybe there's
already something in the gentoo bugzilla about it.
|
-- 
gentoo-hardened@g.o mailing list