On Mon, 2005-10-24 at 15:47 +0200, pageexec@××××××××.hu wrote:
> On 23 Oct 2005 at 21:42, Antoine Martin wrote:
>
> ok, so this is the story of the textrelocs in libmysqlclient:
>
> > open("/usr/lib/libmysqlclient.so.14", O_RDONLY) = 3
> > mmap2(NULL, 2061732, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d24000
> > mprotect(0xb7d24000, 1073152, PROT_READ|PROT_WRITE) = 0
> > mprotect(0xb7d24000, 1073152, PROT_READ|PROT_EXEC) = -1 EACCES (Permission denied)
>
> this is either PaX (if you have NOELFRELOCS on) or SELinux,
> i think they call it execmem or something like that.
Yes, I started this thread and CCed the SELinux list.
I can make this work by allowing postfix to execmem all shlibs.
i.e. for all the postfix domains:
allow postfix_{domain}_t shlib_t:file execmod;

But this is not the right way to do it, I admit this is only a very tiny
security risk, but I would much rather figure out a way to fix the
library to not require execmod. No other library requires it, and the
previous version of mysql I was using (4.0) didn't either.

> what do 'scanelf -T /usr/lib/libmysqlclient.so.14' or
> 'eu-findtextrel /usr/lib/libmysqlclient.so.14'
> say (it can't be 'nothing' for sure ;-)? eu-findtextrel
> is in dev-libs/elfutils.
# scanelf -T /usr/lib/libmysqlclient.so.14
TYPE TEXTRELS FILE
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAD5C] in DES_encrypt3 [0xDACD0]
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAD70] in DES_encrypt3 [0xDACD0]
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAD84] in DES_encrypt3 [0xDACD0]
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAE8C] in DES_decrypt3 [0xDAE00]
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAEA0] in DES_decrypt3 [0xDAE00]
TEXTREL libmysqlclient.so.14: DES_encrypt2 [0xDAEB4] in DES_decrypt3 [0xDAE00]
TEXTREL libmysqlclient.so.14: DES_encrypt1 [0xDAF82] in DES_ncbc_encrypt [0xDAF30]
TEXTREL libmysqlclient.so.14: DES_encrypt1 [0xDAFEA] in DES_ncbc_encrypt [0xDAF30]
TEXTREL libmysqlclient.so.14: DES_encrypt1 [0xDB01B] in DES_ncbc_encrypt [0xDAF30]
TEXTREL libmysqlclient.so.14: DES_encrypt1 [0xDB067] in DES_ncbc_encrypt [0xDAF30]
TEXTREL libmysqlclient.so.14: DES_encrypt3 [0xDB14B] in DES_ede3_cbc_encrypt [0xDB0F0]
TEXTREL libmysqlclient.so.14: DES_encrypt3 [0xDB1B3] in DES_ede3_cbc_encrypt [0xDB0F0]
TEXTREL libmysqlclient.so.14: DES_decrypt3 [0xDB1EB] in DES_ede3_cbc_encrypt [0xDB0F0]
TEXTREL libmysqlclient.so.14: DES_decrypt3 [0xDB237] in DES_ede3_cbc_encrypt [0xDB0F0]
TEXTREL libmysqlclient.so.14: RC5_32_encrypt [0xDD461] in RC5_32_cbc_encrypt [0xDD410]
TEXTREL libmysqlclient.so.14: RC5_32_encrypt [0xDD4C9] in RC5_32_cbc_encrypt [0xDD410]
TEXTREL libmysqlclient.so.14: RC5_32_decrypt [0xDD4FB] in RC5_32_cbc_encrypt [0xDD410]
TEXTREL libmysqlclient.so.14: RC5_32_decrypt [0xDD547] in RC5_32_cbc_encrypt [0xDD410]
TEXTREL libmysqlclient.so.14: BF_encrypt [0xDFB45] in BF_cbc_encrypt [0xDFAF0]
TEXTREL libmysqlclient.so.14: BF_encrypt [0xDFBB5] in BF_cbc_encrypt [0xDFAF0]
TEXTREL libmysqlclient.so.14: BF_decrypt [0xDFBEF] in BF_cbc_encrypt [0xDFAF0]
TEXTREL libmysqlclient.so.14: BF_decrypt [0xDFC43] in BF_cbc_encrypt [0xDFAF0]
ET_DYN /usr/lib/libmysqlclient.so.14

Hope this helps...

Many thanks
Antoine

--
gentoo-hardened@g.o mailing list