Gentoo Archives: gentoo-hardened

From: Markus Oehme <oehme.markus@×××.de>
To: gentoo-hardened@l.g.o
Cc: "Anthony G. Basile" <blueness@g.o>
Subject: Re: [gentoo-hardened] mprotect question
Date: Thu, 14 Jul 2011 16:02:55
Message-Id: 87ei1szxrz.wl%oehme.markus@gmx.de
In Reply to: Re: [gentoo-hardened] mprotect question by "Anthony G. Basile"
Hi Anthony,

At Thu, 14 Jul 2011 09:41:48 -0400,
Anthony G. Basile wrote:
> It looks like you missed something in the process. The steps to
> converting are (skipping details):
>
> 1) switch profile
> 2) recompile the toolchain: emerge glibc gcc binutils
> 3) recompile system: emerge -e system
> 4) recompile world: emerge -e world

I did execute all steps in this order and rebuilt all packages. Just now I
did some tries and recompiled some of the packages which fail. However, this
changed nothing.

One thing that should possibly be said: I'm using gcc-4.6.1. I was using gcc
4.6.0 for quite some time on ~amd64 ere I switched to hardened last week. I
didn't encounter any special problems during the transition.

> If you didn't do these, it's possible you have some binaries left that
> will trigger pax violations.
>
> One way to quickly check if you got hardened binaries is to use a script
> called checksec.sh [1] and run it on /bin or /sbin. You should see that
> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.

I just executed the script for /bin and the result [1] was very mixed. Nearly all
binaries have FULL RELRO and PIE, but most have no STACK CANARY and NX. I
checked whether this could be changed and rebuilt coreutils twice, but the
output was the same every time.

However, this seems not to be a big problem since the system is currently
running normally (Xfce desktop session) with my current list [2] of exceptions
to mprotect, which contains only binaries under /usr.


Thanks for the advice.

Markus

[1]

RELRO STACK CANARY NX PIE FILE
Full RELRO Canary found NX enabled PIE enabled /bin/attr
Full RELRO No canary found NX disabled PIE enabled /bin/basename
Full RELRO Canary found NX enabled PIE enabled /bin/bash
Full RELRO No canary found NX disabled PIE enabled /bin/bsdcpio
Full RELRO No canary found NX disabled PIE enabled /bin/bsdtar
Full RELRO No canary found NX disabled PIE enabled /bin/btrfs-debug-tree
Partial RELRO No canary found NX disabled No PIE /bin/busybox
Full RELRO No canary found NX disabled PIE enabled /bin/bzip2
Full RELRO No canary found NX disabled PIE enabled /bin/cat
Full RELRO Canary found NX enabled PIE enabled /bin/chacl
Full RELRO No canary found NX disabled PIE enabled /bin/chgrp
Full RELRO No canary found NX disabled PIE enabled /bin/chmod
Full RELRO No canary found NX disabled PIE enabled /bin/chown
Full RELRO No canary found NX disabled PIE enabled /bin/chroot
Full RELRO No canary found NX disabled PIE enabled /bin/cp
Full RELRO No canary found NX disabled PIE enabled /bin/cpio
Full RELRO No canary found NX disabled PIE enabled /bin/cut
Full RELRO No canary found NX disabled PIE enabled /bin/date
Full RELRO No canary found NX disabled PIE enabled /bin/dd
Full RELRO No canary found NX disabled PIE enabled /bin/df
Full RELRO No canary found NX disabled PIE enabled /bin/dir
Full RELRO No canary found NX disabled PIE enabled /bin/dirname
Full RELRO No canary found NX disabled PIE enabled /bin/dmesg
Full RELRO No canary found NX disabled PIE enabled /bin/du
Full RELRO No canary found NX disabled PIE enabled /bin/echo
Full RELRO Canary found NX enabled PIE enabled /bin/ed
Full RELRO No canary found NX disabled PIE enabled /bin/egrep
Full RELRO No canary found NX disabled PIE enabled /bin/env
Full RELRO No canary found NX disabled PIE enabled /bin/expr
Full RELRO No canary found NX disabled PIE enabled /bin/false
Full RELRO No canary found NX disabled PIE enabled /bin/fgrep
Full RELRO No canary found NX disabled PIE enabled /bin/findmnt
Full RELRO No canary found NX disabled PIE enabled /bin/fuser
Full RELRO Canary found NX enabled PIE enabled /bin/gawk
Full RELRO Canary found NX enabled PIE enabled /bin/getfacl
Full RELRO Canary found NX enabled PIE enabled /bin/getfattr
Full RELRO No canary found NX disabled PIE enabled /bin/grep
Full RELRO No canary found NX disabled PIE enabled /bin/groups
Full RELRO No canary found NX disabled PIE enabled /bin/gzip
Full RELRO No canary found NX disabled PIE enabled /bin/head
Full RELRO Canary found NX enabled PIE enabled /bin/hostname
Full RELRO No canary found NX disabled PIE enabled /bin/kill
Full RELRO No canary found NX disabled PIE enabled /bin/ln
Full RELRO No canary found NX disabled PIE enabled /bin/login
Full RELRO No canary found NX disabled PIE enabled /bin/ls
Full RELRO No canary found NX disabled PIE enabled /bin/lsblk
Full RELRO No canary found NX disabled PIE enabled /bin/lsmod
Full RELRO Canary found NX enabled PIE enabled /bin/mail
Full RELRO Canary found NX enabled PIE enabled /bin/mbchk
Full RELRO No canary found NX disabled PIE enabled /bin/mkdir
Full RELRO No canary found NX disabled PIE enabled /bin/mkfifo
Full RELRO No canary found NX disabled PIE enabled /bin/mknod
Full RELRO No canary found NX disabled PIE enabled /bin/mktemp
Full RELRO No canary found NX disabled PIE enabled /bin/more
Full RELRO No canary found NX disabled PIE enabled /bin/mount
Full RELRO Canary found NX enabled PIE enabled /bin/mountpoint
Full RELRO No canary found NX disabled PIE enabled /bin/mv
Full RELRO No canary found NX disabled PIE enabled /bin/nano
Full RELRO Canary found NX enabled PIE enabled /bin/netstat
Full RELRO No canary found NX disabled PIE enabled /bin/passwd
Full RELRO Canary found NX enabled PIE enabled /bin/ping
Full RELRO Canary found NX enabled PIE enabled /bin/ping6
Full RELRO No canary found NX disabled PIE enabled /bin/ps
Full RELRO No canary found NX disabled PIE enabled /bin/pwd
Full RELRO No canary found NX disabled PIE enabled /bin/readlink
Full RELRO No canary found NX disabled PIE enabled /bin/rm
Full RELRO No canary found NX disabled PIE enabled /bin/rmdir
Full RELRO No canary found NX disabled PIE enabled /bin/run-parts
Full RELRO No canary found NX disabled PIE enabled /bin/sed
Full RELRO No canary found NX disabled PIE enabled /bin/seq
Full RELRO Canary found NX enabled PIE enabled /bin/setfacl
Full RELRO Canary found NX enabled PIE enabled /bin/setfattr
Full RELRO No canary found NX disabled PIE enabled /bin/sleep
Full RELRO No canary found NX disabled PIE enabled /bin/sort
Full RELRO No canary found NX disabled PIE enabled /bin/stty
Full RELRO No canary found NX disabled PIE enabled /bin/su
Full RELRO No canary found NX disabled PIE enabled /bin/sync
Full RELRO No canary found NX disabled PIE enabled /bin/tail
Full RELRO No canary found NX disabled PIE enabled /bin/tar
Full RELRO Canary found NX enabled PIE enabled /bin/tcsh
Full RELRO No canary found NX disabled PIE enabled /bin/tempfile
Full RELRO No canary found NX disabled PIE enabled /bin/touch
Full RELRO No canary found NX disabled PIE enabled /bin/tr
Full RELRO No canary found NX disabled PIE enabled /bin/true
Full RELRO No canary found NX disabled PIE enabled /bin/tty
Full RELRO No canary found NX disabled PIE enabled /bin/umount
Full RELRO No canary found NX disabled PIE enabled /bin/uname
Full RELRO No canary found NX disabled PIE enabled /bin/vdir
Full RELRO No canary found NX disabled PIE enabled /bin/wc
Full RELRO No canary found NX disabled PIE enabled /bin/yes
Full RELRO Canary found NX enabled PIE enabled /bin/zsh
Full RELRO Canary found NX enabled PIE enabled /bin/zsh-4.3.12


[2]

/usr/bin/emacs-23
/usr/bin/gkrellm
/usr/bin/perl
/usr/bin/python2.7
/usr/bin/spamc
/usr/bin/ssh
/usr/bin/sudo
/usr/bin/Terminal
/usr/bin/xchat
/usr/bin/xfce4-mixer
/usr/bin/xfce4-panel
/usr/bin/xfce4-session
/usr/bin/xfce4-session-logout
/usr/bin/xfconf-query
/usr/bin/xfdesktop
/usr/bin/Xorg
/usr/bin/xscreensaver
/usr/games/bin/enigma
/usr/lib64/courier/courier-authlib/authdaemond
/usr/lib64/xfce4/xfconf/xfconfd
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1plus
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/lto1
/usr/libexec/git-core/git
/usr/libexec/polkitd
/usr/libexec/udisks-daemon
/usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
/usr/sbin/collectd
/usr/sbin/console-kit-daemon

--
Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.
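Added example, not part of the thread above and not checksec.sh itself: a small Python inspector that derives the RELRO, NX and PIE columns of the checksec output in [1] directly from an ELF64 file's program headers and dynamic section, the same information checksec.sh extracts by grepping readelf. It is useful for understanding what each column means: "Full RELRO" is a PT_GNU_RELRO segment plus BIND_NOW in the dynamic section, "NX enabled" is a PT_GNU_STACK header without the execute bit, and checksec's PIE heuristic is ET_DYN together with a DT_DEBUG entry. The stack-canary column needs the symbol table (a reference to __stack_chk_fail) and is left out. The `build_elf` helper and the three sample images are constructed test inputs, not real binaries from the system described; one assumption that differs from checksec.sh is that a missing PT_GNU_STACK header is reported as "NX disabled", since on x86 the kernel then gives the process an executable stack.

```python
"""Minimal ELF64 hardening inspector (added example; not checksec.sh and not
code from the gentoo-hardened thread).  Reports RELRO, NX and PIE from the
program headers and dynamic section.  Stack canaries need the symbol table
and are deliberately not checked here."""
import struct

# ELF constants as defined in elf.h
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
DT_NULL, DT_DEBUG, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 21, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EM_X86_64 = 62

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # 64-byte ELF64 header, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # 56-byte program header
DYN = struct.Struct("<qQ")                 # 16-byte dynamic-section entry


def inspect_elf(data: bytes) -> dict:
    """Return {'relro': 'No'|'Partial'|'Full', 'nx': bool, 'pie': bool}."""
    hdr = EHDR.unpack_from(data, 0)
    ident, e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[1], hdr[5], hdr[9], hdr[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")

    # Index program headers by type; one entry per type is all we need.
    segments = {}
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz, _mem, _al = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        segments.setdefault(p_type, (p_flags, p_offset, p_filesz))

    # Walk the dynamic section (if any) and collect the tags that matter.
    dyn = {}
    if PT_DYNAMIC in segments:
        _flags, off, size = segments[PT_DYNAMIC]
        for pos in range(off, off + size, DYN.size):
            tag, val = DYN.unpack_from(data, pos)
            if tag == DT_NULL:
                break
            dyn[tag] = val

    # RELRO: a GNU_RELRO segment gives Partial; BIND_NOW on top of it gives Full.
    bind_now = (DT_BIND_NOW in dyn
                or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW))
    if PT_GNU_RELRO not in segments:
        relro = "No"
    else:
        relro = "Full" if bind_now else "Partial"

    # NX: GNU_STACK must be present and must not carry PF_X.  A missing
    # GNU_STACK header means an executable stack on x86, so it counts as no NX
    # (checksec.sh itself only looks for an RWE GNU_STACK line).
    nx = PT_GNU_STACK in segments and not (segments[PT_GNU_STACK][0] & PF_X)

    # PIE: checksec's heuristic is ET_DYN plus DT_DEBUG (the linker emits
    # DT_DEBUG for executables but not for plain shared libraries).
    pie = e_type == ET_DYN and DT_DEBUG in dyn
    return {"relro": relro, "nx": nx, "pie": pie}


def inspect_file(path: str) -> dict:
    """Inspect an ELF file on disk, e.g. inspect_file('/bin/ls')."""
    with open(path, "rb") as fh:
        return inspect_elf(fh.read())


def build_elf(e_type: int, exec_stack: bool, relro: bool, dyn_tags: dict) -> bytes:
    """Construct a minimal, non-loadable ELF64 image (constructed test input only)."""
    dyn_blob = b"".join(DYN.pack(t, v) for t, v in dyn_tags.items()) + DYN.pack(DT_NULL, 0)
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0), 0, 0)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0))
    phnum = len(phdrs) + 1                       # one more for PT_DYNAMIC
    dyn_off = EHDR.size + phnum * PHDR.size      # dynamic blob follows the headers
    phdrs.append((PT_DYNAMIC, PF_R | PF_W, dyn_off, len(dyn_blob)))
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9  # ELF64, little-endian, version 1
    ehdr = EHDR.pack(ident, e_type, EM_X86_64, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    body = b"".join(PHDR.pack(t, f, off, 0, 0, sz, sz, 8) for t, f, off, sz in phdrs)
    return ehdr + body + dyn_blob


if __name__ == "__main__":
    # Three constructed images mirroring rows of the checksec output in [1].
    samples = {
        "hardened (like /bin/bash)": build_elf(ET_DYN, False, True, {DT_DEBUG: 0, DT_BIND_NOW: 0}),
        "exec stack (like /bin/cat)": build_elf(ET_DYN, True, True, {DT_DEBUG: 0, DT_FLAGS_1: DF_1_NOW}),
        "non-PIE (like /bin/busybox)": build_elf(ET_EXEC, True, True, {}),
    }
    for name, image in samples.items():
        print(f"{name:30} {inspect_elf(image)}")
```

Run against a real path with `inspect_file("/bin/ls")` to compare with the checksec columns; the constructed samples reproduce the three row shapes seen in [1] (fully hardened, NX disabled with PIE, and Partial RELRO without PIE), which is enough to see which header or dynamic tag each column depends on.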

Replies: Re: [gentoo-hardened] mprotect question, Matthew Summers <msummers42@×××××.com>