First a great Thanks,

On 17 Jun 2004 09:58:09 -0400
Ned Ludd <solar@g.o> wrote:

> On Thu, 2004-06-17 at 00:54, Rumen Yotov wrote:
> > Hi all,
> > Tried to push grsec&PaX settings to the limits. Used quite all settings from quickstart-guide and got this with paxtest-0.9.5:
> > ...BEGIN CUT ...
> > PaXtest - Copyright(c) 2003 by Peter Busser <peter@×××××××××.org>
> > Released under the GNU Public Licence version 2 or later
> >
> > It may take a while for the tests to complete
> > Test results:
> > PaXtest - Copyright(c) 2003 by Peter Busser <peter@×××××××××.org>
> > Released under the GNU Public Licence version 2 or later
> >
> > Executable anonymous mapping : Killed
> > Executable bss : Killed
> > Executable data : Killed
> > Executable heap : Killed
> > Executable stack : Killed
> > Executable anonymous mapping (mprotect) : Killed
> > Executable bss (mprotect) : Killed
> > Executable data (mprotect) : Killed
> > Executable heap (mprotect) : Killed
> > Executable shared library bss (mprotect) : Killed
> > Executable shared library data (mprotect): Killed
> > Executable stack (mprotect) : Killed
> > Anonymous mapping randomisation test : 16 bits (guessed)
> > Heap randomisation test (ET_EXEC) : 25 bits (guessed)
> > Heap randomisation test (ET_DYN) : 25 bits (guessed)
> > Main executable randomisation (ET_EXEC) : 17 bits (guessed)
> > Main executable randomisation (ET_DYN) : 17 bits (guessed)
> > Shared library randomisation test : 16 bits (guessed)
> > Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
> > Stack randomisation test (PAGEEXEC) : 23 bits (guessed)
> > Return to function (strcpy) : Vulnerable
> > Return to function (strcpy, RANDEXEC) : Vulnerable
> > Return to function (memcpy) : Vulnerable
> > Return to function (memcpy, RANDEXEC) : Vulnerable
> > Executable shared library bss : Killed
> > Executable shared library data : Killed
> > Writable text segments : Killed
> > ... END CUT ...
>
>
> > 1. Could something be done about these 4 'Vuln.' left?
> No, that's expected. The goal of paxtest was not to show you how safe you
> were but in fact how vuln you are. So.. If you notice in the Makefile it
> explicitly disables -fstack-protector which covers 2 of the remaining 4
> areas which exploitation can happen via. Seeing that it's vuln should
> prove the point why you want/need
> -fstack-protector/-fstack-protector-all which is handled automatically
> with USE=hardened =sys-devel/gcc-3.3.3-r6
>
OK. Done that. But which two, I think: Return to function (strcpy) & Return to function (memcpy), the other two must be handled by PaX RANDEXEC feature?
>
> > PS: can't use ACL for now as I'm on reiserfs3, so no easy ACL support still. Am I wrong?
> From reading below it looks like you're going to be using grsec. grsec is
> file system independent.
>
Risking being very wrong, I know that ACL is a framework over a regular filesystem in order to provide stricter control through new extended file attr. and as a result a new way to control permissions on files. A week or two ago I checked and ACL was supported only on ext3 and xfs; reiserfs3 required some patches. So when using gradm2 I think it works with ACL to provide additional security, but none on reiserfs3 as it doesn't have extended attributes (ACL). Opinions?
Besides grsec I'm also planning on installing an RSBAC-enabled kernel, but that's later. Had adamantix-1.0.3 installed on another partition but now think I'll move it to Gentoo.
TIA.
> > 2. Also managed to get xorg-X11-6.7.0-r1 to work using these settings,
> > compiled it with USE="static -hardened" so no modules loading (thanks
> > to forums.grsecurity.net). But can't get it to work with the
> > binary-nvidia driver 'nvidia' works only with 2-D 'nv' driver, but for
> > now it's enough for me. Nvidia-kernel module is loaded, so maybe it's
> > something to do with loading kernel-glx module and xorg-x11
> > being 'static'. Suggestions?
> No easy workaround here if you're trying to use 3rd party modules.
>
So no surprise here.
> > 3. Problems with paxtest-0.9.6 (still not in portage). Took it from adamantix.org project page. Can't compile it, some error there:
> sigh yeah.... I've sent Peter Busser patches for this a number of times
> but for whatever reason he is busy working on other stuff.. The solution
> is easy enough if I recall. Add -lpthread to the LDFLAGS in the Makefile
>
>
Thanks again, I'll try it.
> > ..BEGIN CUT...
> > make gentoo
> > make -f Makefile.Gentoo
> > make[1]: Entering directory `/home/gentoo/src/paxtest-0.9.6'
> > gcc -specs=dumpspecs -o anonmap body.o anonmap.o
> > body.o(.text+0x131): In function `main':
> > : undefined reference to `pthread_create'
> > body.o(.text+0x14a): In function `main':
> > : undefined reference to `pthread_kill'
> > collect2: ld returned 1 exit status
> > make[1]: *** [anonmap] Error 1
> > make[1]: Leaving directory `/home/gentoo/src/paxtest-0.9.6'
> > make: *** [gentoo] Error 2
> > ...END CUT...
>
> > i'm compiling with grsec turned ON and GCC-3.3.3-r6 (hardened i think).
> > paxtest-0.9.5 compiles OK.
> > TIA.
> > Rumen
> --
> Ned Ludd <solar@g.o>
> Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer
>
Rumen.
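
Added example, not part of the original message and not code from paxtest: a small parser for the paxtest result lines quoted above that separates blocked tests, vulnerable tests and randomisation estimates, then reports anything beyond the "Return to function" results the thread calls expected. The function names, the `min_bits` threshold of 16 and the sample input are assumptions made for this illustration.

```python
import re

# Constructed sample: a subset of the paxtest-0.9.5 result lines quoted in the thread.
SAMPLE = """\
PaXtest - Copyright(c) 2003 by Peter Busser
Test results:
Executable stack : Killed
Executable shared library data (mprotect): Killed
Anonymous mapping randomisation test : 16 bits (guessed)
Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Writable text segments : Killed
"""

# "<test name> : <result>"; mail quoting ("> > ") in front of the name is tolerated.
LINE = re.compile(
    r"^[>\s]*(?P<name>[A-Z].*?)\s*:\s*"
    r"(?P<result>Killed|Vulnerable|(?P<bits>\d+) bits \(guessed\))\s*$"
)

def parse_paxtest(text):
    """Split paxtest result lines into blocked, vulnerable and randomisation results."""
    report = {"killed": [], "vulnerable": [], "entropy_bits": {}}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # banner, blank line or anything that is not a result row
        if m.group("bits"):
            report["entropy_bits"][m.group("name")] = int(m.group("bits"))
        elif m.group("result") == "Killed":
            report["killed"].append(m.group("name"))
        else:
            report["vulnerable"].append(m.group("name"))
    return report

def regressions(report, expected_prefix="Return to function", min_bits=16):
    """Findings beyond the expected ones; min_bits is an assumed policy threshold."""
    found = [n for n in report["vulnerable"] if not n.startswith(expected_prefix)]
    found += [f"{n}: only {b} bits"
              for n, b in report["entropy_bits"].items() if b < min_bits]
    return found

if __name__ == "__main__":
    rep = parse_paxtest(SAMPLE)
    print("vulnerable:", rep["vulnerable"])
    print("unexpected:", regressions(rep))
```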