| 1 |
On Thu, Jul 14, 2011 at 10:29 AM, Markus Oehme <oehme.markus@×××.de> wrote: |
| 2 |
> Hi Anthony, |
| 3 |
> |
| 4 |
> At Thu, 14 Jul 2011 09:41:48 -0400, |
| 5 |
> Anthony G. Basile wrote: |
| 6 |
>> It looks like you missed something in the process. The steps to |
| 7 |
>> converting are (skipping details): |
| 8 |
>> |
| 9 |
>> 1) switch profile |
| 10 |
>> 2) recompile the toolchain: emerge glibc gcc binutils |
| 11 |
>> 3) recompile system: emerge -e system |
| 12 |
>> 4) recompile world: emerge -e world |
| 13 |
> |
| 14 |
> I did executed all steps in this order and rebuilt all packages. Just now I |
| 15 |
> did some tries and recompiled some of the packages which fail. However this |
| 16 |
> changed nothing. |
| 17 |
> |
| 18 |
> One thing that should possibly be said: I'm using gcc-4.6.1. I was using gcc |
| 19 |
> 4.6.0 for quite some time on ~amd64 ere I switched to hardened last week. I |
| 20 |
> didn't encounter any special problems during the transition. |
| 21 |
> |
| 22 |
>> If you didn't do these, its possible you have some binaries left that |
| 23 |
>> will trigger pax violations. |
| 24 |
>> |
| 25 |
>> One way to quickly check if you got hardened binaries is to use a script |
| 26 |
>> called checksec.sh [1] and run it on /bin or /sbin. You should see that |
| 27 |
>> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR. |
| 28 |
> |
| 29 |
> I just executed the script for /bin and the result [1] was very mixed. Nearly all |
| 30 |
> binaries have FULL RELRO and PIE, but most have no STACK CANARY and NX. I |
| 31 |
> checked whether this could be changed and rebuilt coreutils twice, but the |
| 32 |
> output was the same every time. |
| 33 |
> |
| 34 |
> However this seems not to be a big problem since the system is currently |
| 35 |
> running normal (Xfce desktop session) with my current list [2] of exceptions |
| 36 |
> to mprotect which contains only binaries under /usr. |
| 37 |
> |
| 38 |
> |
| 39 |
> Thanks for the advice. |
| 40 |
> |
| 41 |
> Markus |
| 42 |
> |
| 43 |
> [1] |
| 44 |
> |
| 45 |
> RELRO STACK CANARY NX PIE FILE |
| 46 |
> Full RELRO Canary found NX enabled PIE enabled /bin/attr |
| 47 |
> Full RELRO No canary found NX disabled PIE enabled /bin/basename |
| 48 |
> Full RELRO Canary found NX enabled PIE enabled /bin/bash |
| 49 |
> Full RELRO No canary found NX disabled PIE enabled /bin/bsdcpio |
| 50 |
> Full RELRO No canary found NX disabled PIE enabled /bin/bsdtar |
| 51 |
> Full RELRO No canary found NX disabled PIE enabled /bin/btrfs-debug-tree |
| 52 |
> Partial RELRO No canary found NX disabled No PIE /bin/busybox |
| 53 |
> Full RELRO No canary found NX disabled PIE enabled /bin/bzip2 |
| 54 |
> Full RELRO No canary found NX disabled PIE enabled /bin/cat |
| 55 |
> Full RELRO Canary found NX enabled PIE enabled /bin/chacl |
| 56 |
> Full RELRO No canary found NX disabled PIE enabled /bin/chgrp |
| 57 |
> Full RELRO No canary found NX disabled PIE enabled /bin/chmod |
| 58 |
> Full RELRO No canary found NX disabled PIE enabled /bin/chown |
| 59 |
> Full RELRO No canary found NX disabled PIE enabled /bin/chroot |
| 60 |
> Full RELRO No canary found NX disabled PIE enabled /bin/cp |
| 61 |
> Full RELRO No canary found NX disabled PIE enabled /bin/cpio |
| 62 |
> Full RELRO No canary found NX disabled PIE enabled /bin/cut |
| 63 |
> Full RELRO No canary found NX disabled PIE enabled /bin/date |
| 64 |
> Full RELRO No canary found NX disabled PIE enabled /bin/dd |
| 65 |
> Full RELRO No canary found NX disabled PIE enabled /bin/df |
| 66 |
> Full RELRO No canary found NX disabled PIE enabled /bin/dir |
| 67 |
> Full RELRO No canary found NX disabled PIE enabled /bin/dirname |
| 68 |
> Full RELRO No canary found NX disabled PIE enabled /bin/dmesg |
| 69 |
> Full RELRO No canary found NX disabled PIE enabled /bin/du |
| 70 |
> Full RELRO No canary found NX disabled PIE enabled /bin/echo |
| 71 |
> Full RELRO Canary found NX enabled PIE enabled /bin/ed |
| 72 |
> Full RELRO No canary found NX disabled PIE enabled /bin/egrep |
| 73 |
> Full RELRO No canary found NX disabled PIE enabled /bin/env |
| 74 |
> Full RELRO No canary found NX disabled PIE enabled /bin/expr |
| 75 |
> Full RELRO No canary found NX disabled PIE enabled /bin/false |
| 76 |
> Full RELRO No canary found NX disabled PIE enabled /bin/fgrep |
| 77 |
> Full RELRO No canary found NX disabled PIE enabled /bin/findmnt |
| 78 |
> Full RELRO No canary found NX disabled PIE enabled /bin/fuser |
| 79 |
> Full RELRO Canary found NX enabled PIE enabled /bin/gawk |
| 80 |
> Full RELRO Canary found NX enabled PIE enabled /bin/getfacl |
| 81 |
> Full RELRO Canary found NX enabled PIE enabled /bin/getfattr |
| 82 |
> Full RELRO No canary found NX disabled PIE enabled /bin/grep |
| 83 |
> Full RELRO No canary found NX disabled PIE enabled /bin/groups |
| 84 |
> Full RELRO No canary found NX disabled PIE enabled /bin/gzip |
| 85 |
> Full RELRO No canary found NX disabled PIE enabled /bin/head |
| 86 |
> Full RELRO Canary found NX enabled PIE enabled /bin/hostname |
| 87 |
> Full RELRO No canary found NX disabled PIE enabled /bin/kill |
| 88 |
> Full RELRO No canary found NX disabled PIE enabled /bin/ln |
| 89 |
> Full RELRO No canary found NX disabled PIE enabled /bin/login |
| 90 |
> Full RELRO No canary found NX disabled PIE enabled /bin/ls |
| 91 |
> Full RELRO No canary found NX disabled PIE enabled /bin/lsblk |
| 92 |
> Full RELRO No canary found NX disabled PIE enabled /bin/lsmod |
| 93 |
> Full RELRO Canary found NX enabled PIE enabled /bin/mail |
| 94 |
> Full RELRO Canary found NX enabled PIE enabled /bin/mbchk |
| 95 |
> Full RELRO No canary found NX disabled PIE enabled /bin/mkdir |
| 96 |
> Full RELRO No canary found NX disabled PIE enabled /bin/mkfifo |
| 97 |
> Full RELRO No canary found NX disabled PIE enabled /bin/mknod |
| 98 |
> Full RELRO No canary found NX disabled PIE enabled /bin/mktemp |
| 99 |
> Full RELRO No canary found NX disabled PIE enabled /bin/more |
| 100 |
> Full RELRO No canary found NX disabled PIE enabled /binmount |
| 101 |
> Full RELRO Canary found NX enabled PIE enabled /bin/mountpoint |
| 102 |
> Full RELRO No canary found NX disabled PIE enabled /bin/mv |
| 103 |
> Full RELRO No canary found NX disabled PIE enabled /bin/nano |
| 104 |
> Full RELRO Canary found NX enabled PIE enabled /bin/netstat |
| 105 |
> Full RELRO No canary found NX disabled PIE enabled /binpasswd |
| 106 |
> Full RELRO Canary found NX enabled PIE enabled /binping |
| 107 |
> Full RELRO Canary found NX enabled PIE enabled /binping6 |
| 108 |
> Full RELRO No canary found NX disabled PIE enabled /bin/ps |
| 109 |
> Full RELRO No canary found NX disabled PIE enabled /bin/pwd |
| 110 |
> Full RELRO No canary found NX disabled PIE enabled /bin/readlink |
| 111 |
> Full RELRO No canary found NX disabled PIE enabled /bin/rm |
| 112 |
> Full RELRO No canary found NX disabled PIE enabled /bin/rmdir |
| 113 |
> Full RELRO No canary found NX disabled PIE enabled /bin/run-parts |
| 114 |
> Full RELRO No canary found NX disabled PIE enabled /bin/sed |
| 115 |
> Full RELRO No canary found NX disabled PIE enabled /bin/seq |
| 116 |
> Full RELRO Canary found NX enabled PIE enabled /bin/setfacl |
| 117 |
> Full RELRO Canary found NX enabled PIE enabled /bin/setfattr |
| 118 |
> Full RELRO No canary found NX disabled PIE enabled /bin/sleep |
| 119 |
> Full RELRO No canary found NX disabled PIE enabled /bin/sort |
| 120 |
> Full RELRO No canary found NX disabled PIE enabled /bin/stty |
| 121 |
> Full RELRO No canary found NX disabled PIE enabled /binsu |
| 122 |
> Full RELRO No canary found NX disabled PIE enabled /bin/sync |
| 123 |
> Full RELRO No canary found NX disabled PIE enabled /bin/tail |
| 124 |
> Full RELRO No canary found NX disabled PIE enabled /bin/tar |
| 125 |
> Full RELRO Canary found NX enabled PIE enabled /bin/tcsh |
| 126 |
> Full RELRO No canary found NX disabled PIE enabled /bin/tempfile |
| 127 |
> Full RELRO No canary found NX disabled PIE enabled /bin/touch |
| 128 |
> Full RELRO No canary found NX disabled PIE enabled /bin/tr |
| 129 |
> Full RELRO No canary found NX disabled PIE enabled /bin/true |
| 130 |
> Full RELRO No canary found NX disabled PIE enabled /bin/tty |
| 131 |
> Full RELRO No canary found NX disabled PIE enabled /binumount |
| 132 |
> Full RELRO No canary found NX disabled PIE enabled /bin/uname |
| 133 |
> Full RELRO No canary found NX disabled PIE enabled /bin/vdir |
| 134 |
> Full RELRO No canary found NX disabled PIE enabled /bin/wc |
| 135 |
> Full RELRO No canary found NX disabled PIE enabled /bin/yes |
| 136 |
> Full RELRO Canary found NX enabled PIE enabled /bin/zsh |
| 137 |
> Full RELRO Canary found NX enabled PIE enabled /bin/zsh-4.3.12 |
| 138 |
> |
| 139 |
> |
| 140 |
> |
| 141 |
> [2] |
| 142 |
> |
| 143 |
> /usr/bin/emacs-23 |
| 144 |
> /usr/bin/gkrellm |
| 145 |
> /usr/bin/perl |
| 146 |
> /usr/bin/python2.7 |
| 147 |
> /usr/bin/spamc |
| 148 |
> /usr/bin/ssh |
| 149 |
> /usr/bin/sudo |
| 150 |
> /usr/bin/Terminal |
| 151 |
> /usr/bin/xchat |
| 152 |
> /usr/bin/xfce4-mixer |
| 153 |
> /usr/bin/xfce4-panel |
| 154 |
> /usr/bin/xfce4-session |
| 155 |
> /usr/bin/xfce4-session-logout |
| 156 |
> /usr/bin/xfconf-query |
| 157 |
> /usr/bin/xfdesktop |
| 158 |
> /usr/bin/Xorg |
| 159 |
> /usr/bin/xscreensaver |
| 160 |
> /usr/games/bin/enigma |
| 161 |
> /usr/lib64/courier/courier-authlib/authdaemond |
| 162 |
> /usr/lib64/xfce4/xfconf/xfconfd |
| 163 |
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1 |
| 164 |
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1plus |
| 165 |
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/lto1 |
| 166 |
> /usr/libexec/git-core/git |
| 167 |
> /usr/libexec/polkitd |
| 168 |
> /usr/libexec/udisks-daemon |
| 169 |
> /usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin |
| 170 |
> /usr/sbin/collectd |
| 171 |
> /usr/sbin/console-kit-daemon |
| 172 |
> |
| 173 |
> |
| 174 |
> -- |
| 175 |
> Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod |
| 176 |
> are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the |
| 177 |
> rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot |
| 178 |
> csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, |
| 179 |
> but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt. |
| 180 |
> |
| 181 |
> |
| 182 |
|
| 183 |
Hi there, |
| 184 |
|
| 185 |
What is the output of gcc-config -l ?You should see something like the |
| 186 |
following (versions will be different). |
| 187 |
[1] x86_64-pc-linux-gnu-4.4.5 * |
| 188 |
[2] x86_64-pc-linux-gnu-4.4.5-hardenednopie |
| 189 |
[3] x86_64-pc-linux-gnu-4.4.5-hardenednopiessp |
| 190 |
[4] x86_64-pc-linux-gnu-4.4.5-hardenednossp |
| 191 |
[5] x86_64-pc-linux-gnu-4.4.5-vanilla |
| 192 |
|
| 193 |
The asterisk will be next to the one you have selected, which in this |
| 194 |
case is the first in the list (it is hardened). |
| 195 |
|
| 196 |
Cheers |
| 197 |
-- |
| 198 |
M. Summers |
| 199 |
|
| 200 |
"...there are no rules here -- we're trying to accomplish something." |
| 201 |
- Thomas A. Edison |
Archives