| 1 |
On Mon, 2005-10-24 at 15:47 +0200, pageexec@××××××××.hu wrote: |
| 2 |
> On 23 Oct 2005 at 21:42, Antoine Martin wrote: |
| 3 |
> |
| 4 |
> ok, so this is the story of the textrelocs in libmysqlclient: |
| 5 |
> |
| 6 |
> > open("/usr/lib/libmysqlclient.so.14", O_RDONLY) = 3 |
| 7 |
> > mmap2(NULL, 2061732, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, |
| 8 |
> > 0) = 0xb7d24000 |
| 9 |
> > mprotect(0xb7d24000, 1073152, PROT_READ|PROT_WRITE) = 0 |
| 10 |
> > mprotect(0xb7d24000, 1073152, PROT_READ|PROT_EXEC) = -1 EACCES |
| 11 |
> > (Permission denied) |
| 12 |
> |
| 13 |
> this is either PaX (if you have NOELFRELOCS on) or SELinux, |
| 14 |
> i think they call it execmem or something like that. |
| 15 |
Yes, I started this thread and CCed the SELinux list. |
| 16 |
I can make this work by allowing postfix to execmem all shlibs. |
| 17 |
ie for all the postfix domains: |
| 18 |
allow postfix_{domain}_t shlib_t:file execmod; |
| 19 |
|
| 20 |
But this is not the right way to do it, I admit this is only a very tiny |
| 21 |
security risk, but I would much rather figure out a way to fix the |
| 22 |
library to not require execmod. No other library requires it, and the |
| 23 |
previous version of mysql I was using (4.0) didn't either. |
| 24 |
|
| 25 |
> what do 'scanelf -T /usr/lib/libmysqlclient.so.14' or |
| 26 |
> 'eu-findtextrel /usr/lib/libmysqlclient.so.14' |
| 27 |
> say (it can't be 'nothing' for sure ;-)? eu-findtexrel |
| 28 |
> is in dev-libs/elfutils. |
| 29 |
# scanelf -T /usr/lib/libmysqlclient.so.14 |
| 30 |
TYPE TEXTRELS FILE |
| 31 |
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAD5C] in |
| 32 |
DES_encrypt3 [0xDACD0] |
| 33 |
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAD70] in |
| 34 |
DES_encrypt3 [0xDACD0] |
| 35 |
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAD84] in |
| 36 |
DES_encrypt3 [0xDACD0] |
| 37 |
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAE8C] in |
| 38 |
DES_decrypt3 [0xDAE00] |
| 39 |
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAEA0] in |
| 40 |
DES_decrypt3 [0xDAE00] |
| 41 |
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAEB4] in |
| 42 |
DES_decrypt3 [0xDAE00] |
| 43 |
TEXTREL libmysqlclient.so.14: DES_encrypt1 [0xDAF82] in |
| 44 |
DES_ncbc_encrypt [0xDAF30] |
| 45 |
TEXTREL libmysqlclient.so.14: DES_encrypt1 [0xDAFEA] in |
| 46 |
DES_ncbc_encrypt [0xDAF30] |
| 47 |
TEXTREL libmysqlclient.so.14: DES_encrypt1 [0xDB01B] in |
| 48 |
DES_ncbc_encrypt [0xDAF30] |
| 49 |
TEXTREL libmysqlclient.so.14: DES_encrypt1 [0xDB067] in |
| 50 |
DES_ncbc_encrypt [0xDAF30] |
| 51 |
TEXTREL libmysqlclient.so.14: DES_encrypt3 [0xDB14B] in |
| 52 |
DES_ede3_cbc_encrypt [0xDB0F0] |
| 53 |
TEXTREL libmysqlclient.so.14: DES_encrypt3 [0xDB1B3] in |
| 54 |
DES_ede3_cbc_encrypt [0xDB0F0] |
| 55 |
TEXTREL libmysqlclient.so.14: DES_decrypt3 [0xDB1EB] in |
| 56 |
DES_ede3_cbc_encrypt [0xDB0F0] |
| 57 |
TEXTREL libmysqlclient.so.14: DES_decrypt3 [0xDB237] in |
| 58 |
DES_ede3_cbc_encrypt [0xDB0F0] |
| 59 |
TEXTREL libmysqlclient.so.14: RC5_32_encrypt [0xDD461] in |
| 60 |
RC5_32_cbc_encrypt [0xDD410] |
| 61 |
TEXTREL libmysqlclient.so.14: RC5_32_encrypt [0xDD4C9] in |
| 62 |
RC5_32_cbc_encrypt [0xDD410] |
| 63 |
TEXTREL libmysqlclient.so.14: RC5_32_decrypt [0xDD4FB] in |
| 64 |
RC5_32_cbc_encrypt [0xDD410] |
| 65 |
TEXTREL libmysqlclient.so.14: RC5_32_decrypt [0xDD547] in |
| 66 |
RC5_32_cbc_encrypt [0xDD410] |
| 67 |
TEXTREL libmysqlclient.so.14: BF_encrypt [0xDFB45] in |
| 68 |
BF_cbc_encrypt [0xDFAF0] |
| 69 |
TEXTREL libmysqlclient.so.14: BF_encrypt [0xDFBB5] in |
| 70 |
BF_cbc_encrypt [0xDFAF0] |
| 71 |
TEXTREL libmysqlclient.so.14: BF_decrypt [0xDFBEF] in |
| 72 |
BF_cbc_encrypt [0xDFAF0] |
| 73 |
TEXTREL libmysqlclient.so.14: BF_decrypt [0xDFC43] in |
| 74 |
BF_cbc_encrypt [0xDFAF0] |
| 75 |
ET_DYN /usr/lib/libmysqlclient.so.14 |
| 76 |
|
| 77 |
Hope this helps... |
| 78 |
|
| 79 |
Many thanks |
| 80 |
Antoine |
| 81 |
|
| 82 |
-- |
| 83 |
gentoo-hardened@g.o mailing list |
Archives