On Sunday 15 May 2005 23:53, pageexec@××××××××.hu wrote:
> > I'm having problems with apache2+mod_php in a hardened environment. I'm
> > restricting mprotect() and disallowing ELF relocations. of course mysql
> > didn't start and apache2 didn't load the php module.
> >
> > mysql's problem was quickly fixed with a paxctl -m on 2 binaries.
>
> i think you can fix it 'properly' by removing the --enable-assembler
> from the ebuild.

hmm interesting. if this change doesn't break anything else, shouldn't it be
default on the ebuild? maybe it implies some performance issues...

>
> > mod_php's problem still lies unfixable. paxctl -m on libphp4.so doesn't
> > fix the problem and none of the libraries upon which libphp4.so depends
> > needs to relocate ELF segments. (individually checked with scanelf
> > -a).
>
> the PaX flags are effective on executables, not shared libraries, so
> for your case you'd have to paxctl apache (or whoever else loads that
> library). best fix is of course getting rid of the textrels in the
> shared lib. for some reason i recall this php issue, maybe there's
> already something in the gentoo bugzilla about it.

interesting too. thanks for the information. I wouldn't be happy to paxctl -m
httpd. webservers are common points of break-ins.

regards,
pedro venda.
--

Pedro João Lopes Venda
email: pjvenda < at > arrakis.dhis.org
http://arrakis.dhis.org
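The thread turns on two facts: PaX flags are read from the executable, not from the shared libraries it loads, and the real fix for a library that PaX refuses to map is removing its text relocations (the TEXTREL that scanelf reports). The following is an added example, not code from the thread or from PaX/pax-utils, that reproduces the relevant part of that check without scanelf: it parses the ELF header and the PT_DYNAMIC segment directly, reports whether the object is ET_EXEC or ET_DYN (so you know which file a PaX flag would actually apply to) and whether DT_TEXTREL or DF_TEXTREL in DT_FLAGS is set. The `build_sample_elf64` helper constructs a minimal ELF64 image so the script runs offline; the ELF layout constants are the standard ones, everything else (function names, the sample builder) is this example's own.

```python
"""Report ELF object type and TEXTREL status by parsing the dynamic segment.

Added example (not from the thread): a minimal stand-in for `scanelf -a`'s
TEXTREL column, useful for checking every .so an executable loads before
deciding whether to relax PaX on the loading binary.
"""
import struct

PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 16, 30
DF_TEXTREL = 0x4
ET_NAMES = {2: "ET_EXEC (executable)", 3: "ET_DYN (shared object or PIE)"}


def inspect_elf(data: bytes) -> dict:
    """Return {'type', 'dynamic', 'textrel'} for an ELF image held in memory."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2              # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        phdr_fmt, dyn_fmt = end + "IIQQQQQQ", end + "qQ"
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        phdr_fmt, dyn_fmt = end + "IIIIIIII", end + "iI"

    textrel = dynamic_found = False
    dyn_size = struct.calcsize(dyn_fmt)
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if is64:
            p_type, _flags, p_offset, _va, _pa, p_filesz = ph[:6]
        else:
            p_type, p_offset, _va, _pa, p_filesz = ph[:5]
        if p_type != PT_DYNAMIC:
            continue
        dynamic_found = True
        # Walk d_tag/d_val pairs until DT_NULL; either encoding of TEXTREL counts.
        for off in range(p_offset, p_offset + p_filesz, dyn_size):
            d_tag, d_val = struct.unpack_from(dyn_fmt, data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                textrel = True
    return {"type": ET_NAMES.get(e_type, f"e_type={e_type}"),
            "dynamic": dynamic_found, "textrel": textrel}


def build_sample_elf64(e_type: int, textrel: bool) -> bytes:
    """Constructed minimal little-endian x86-64 ELF with one PT_DYNAMIC segment.

    Not loadable (no PT_LOAD, no sections); it exists only so the parser above
    can be exercised offline without a real shared object on disk.
    """
    entries = [(DT_FLAGS, DF_TEXTREL if textrel else 0)]
    if textrel:
        entries.append((DT_TEXTREL, 0))
    entries.append((DT_NULL, 0))
    dynamic = b"".join(struct.pack("<qQ", t, v) for t, v in entries)
    ehdr_size, phdr_size = 64, 56
    dyn_off = ehdr_size + phdr_size
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               e_type, 62, 1, 0, ehdr_size, 0, 0,
                               ehdr_size, phdr_size, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0,
                       len(dynamic), len(dynamic), 8)
    return ehdr + phdr + dynamic


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    if paths:
        for path in paths:
            with open(path, "rb") as fh:
                info = inspect_elf(fh.read())
            print(f"{path}: {info['type']}, TEXTREL={'yes' if info['textrel'] else 'no'}")
    else:  # no arguments: demonstrate on the constructed samples
        for name, img in [("libclean.so", build_sample_elf64(3, False)),
                          ("libtextrel.so", build_sample_elf64(3, True))]:
            info = inspect_elf(img)
            print(f"{name}: {info['type']}, TEXTREL={'yes' if info['textrel'] else 'no'}")
```

Run it as `python3 checktextrel.py $(ldd /usr/sbin/apache2 | awk '/=>/ {print $3}') /usr/lib/apache2/modules/libphp4.so` (paths are illustrative) to see, per object, whether it is the executable the PaX flag would attach to and whether it carries text relocations. Any library reporting `TEXTREL=yes` is the one to rebuild without textrels; marking the library itself with `paxctl -m` changes nothing, as the reply in the thread explains.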