| 1 |
On 05/29/2013 02:31 AM, "Tóth Attila" wrote: |
| 2 |
> 2013.Május 29.(Sze) 03:29 időpontban Anthony G. Basile ezt írta: |
| 3 |
>> On 05/28/2013 07:46 PM, "Tóth Attila" wrote: |
| 4 |
>>> If PT_PAX has E, python2.7 would not start on my system. |
| 5 |
>>> Let's correct that: |
| 6 |
>>> paxctl-ng -e /usr/bin/python2.7 |
| 7 |
>>> |
| 8 |
>>> Now python works again. |
| 9 |
>> |
| 10 |
>> Something changed in the latest python upgrades because I'm having |
| 11 |
>> problems of a different nature. I'll have to investigate. |
| 12 |
>> |
| 13 |
> |
| 14 |
> I wanted the community to know, that the situation looks scary for the |
| 15 |
> first time, but there's an easy fix. In case anybody else runs into this. |
| 16 |
> |
| 17 |
|
| 18 |
You can pass a glob to paxctl-ng so for example |
| 19 |
|
| 20 |
paxctl-ng -v /bin/* |
| 21 |
|
| 22 |
will show PT_PAX and XATTR_PAX flags for all binaries in /bin. |
| 23 |
|
| 24 |
>>> |
| 25 |
>>> Sidenote: |
| 26 |
>>> Even after running migrate-pax -m, there are binaries on the system |
| 27 |
>>> having |
| 28 |
>>> only PT_PAX marking. Example: |
| 29 |
>>> migrate-pax -m |
| 30 |
>>> paxctl-ng -v /usr/bin/clear |
| 31 |
>>> /usr/bin/clear: |
| 32 |
>>> PT_PAX : -e--- |
| 33 |
>>> XATTR_PAX : not found |
| 34 |
>>> |
| 35 |
>> |
| 36 |
>> Unfortunately it is very difficult to find everything that links against |
| 37 |
>> everything on a system. First there's just a simple logistic problem, |
| 38 |
>> going through all ELF on a system and running ldd (or readelf -d) is |
| 39 |
>> time consuming and likely to miss stuff. On gentoo with portage (not |
| 40 |
>> paludis!) we have linkage info in NEEDED.ELF.2 in vdb created at build |
| 41 |
>> time by examing linkage info, but this also can't be everything. |
| 42 |
>> Consider plugins that dlopen-ed at runtime. |
| 43 |
>> |
| 44 |
>> So something will be missed. |
| 45 |
> |
| 46 |
> Is there an easy command I can use to list binaries having PT_PAX flags |
| 47 |
> and missing XATTR_PAX flags? |
| 48 |
> |
| 49 |
>> |
| 50 |
>> BUT! |
| 51 |
>> |
| 52 |
>> That's not what's happening there. No XATTR_PAX flags implies the |
| 53 |
>> default markings which is "-e---". This is so we don't have to go |
| 54 |
>> around creating xattrs on every ELF binary on your system just to get |
| 55 |
>> the default. Upstream wanted it that way and it does make sense. |
| 56 |
> |
| 57 |
> According to my recent experience, if EMUTRAMP is enabled by a PT_PAX flag |
| 58 |
> and there's no XATTR_PAX flag present, the system will listen to the |
| 59 |
> PT_PAX flag. Can I influence this behavior to rather use the mentioned |
| 60 |
> XATTR_PAX default and don't pay attention to the PT_PAX flag? |
| 61 |
> |
| 62 |
> Thanks: |
| 63 |
> Dw. |
| 64 |
> |
| 65 |
|
| 66 |
If you have PAX_PT_PAX_FLAGS off and PAX_XATTR_PAX_FLAGS on it will only |
| 67 |
listen to the XATTR_PAX flags. |
| 68 |
|
| 69 |
|
| 70 |
-- |
| 71 |
Anthony G. Basile, Ph. D. |
| 72 |
Chair of Information Technology |
| 73 |
D'Youville College |
| 74 |
Buffalo, NY 14201 |
| 75 |
(716) 829-8197 |
Archives