| 1 |
On Sunday 15 May 2005 23:53, pageexec@××××××××.hu wrote: |
| 2 |
> > I'm having problems with apache2+mod_php in an hardened environment. I'm |
| 3 |
> > restricting mprotect() and disallowing ELF relocations. of course mysql |
| 4 |
> > didn't start and apache2 didn't load the php module. |
| 5 |
> > |
| 6 |
> > mysql's problem was quickly fixed with a paxctl -m on 2 binaries. |
| 7 |
> |
| 8 |
> i think you can fix it 'properly' by removing the --enable-assembler |
| 9 |
> from the ebuild. |
| 10 |
|
| 11 |
hmm interesting. if this change doesn't break anything else, shouldn't it be |
| 12 |
default on the ebuild? maybe it implies some performance issues... |
| 13 |
|
| 14 |
> |
| 15 |
> > mod_php's problem still lies unfixable. paxctl -m on libphp4.so doesn't |
| 16 |
> > fix the problem and none of the libraries upon which libphp4.so depends |
| 17 |
> > on needs to relocate ELF segments. (individually checked with scanelf |
| 18 |
> > -a). |
| 19 |
> |
| 20 |
> the PaX flags are effective on executables, not shared libraries, so |
| 21 |
> for your case you'd have to paxctl apache (or whoever else loads that |
| 22 |
> library). best fix is of course getting rid of the textrels in the |
| 23 |
> shared lib. for some reason i recall this php issue, maybe there's |
| 24 |
> already something in the gentoo bugzilla about it. |
| 25 |
|
| 26 |
interesting too. thanks for the information. I wouldn't be happy to paxctl -m |
| 27 |
httpd. webservers are common points of breakins. |
| 28 |
|
| 29 |
regards, |
| 30 |
pedro venda. |
| 31 |
-- |
| 32 |
|
| 33 |
Pedro João Lopes Venda |
| 34 |
email: pjvenda < at > arrakis.dhis.org |
| 35 |
http://arrakis.dhis.org |
Archives