| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
Alexander Skwar wrote: |
| 5 |
> Willie Wong wrote: |
| 6 |
>> On Sun, Apr 16, 2006 at 11:19:46AM +0200, Penguin Lover Alexander |
| 7 |
>> Skwar squawked: |
| 8 |
>>> Now, how do I allow text relocations for just ONE binary, while |
| 9 |
>>> keeping it disallowed for every other executable (the ones which |
| 10 |
>>> already exist and the ones, which are to come in the future)? |
| 11 |
> [...] |
| 12 |
>>> I thought that I could do this with "chpax -m $binary" (replacing |
| 13 |
>>> $binary by the path to the executable, of course. In this case, |
| 14 |
>>> /usr/NX/bin/nxagent). But, I did this, and I still get the error |
| 15 |
>>> message. |
| 16 |
>> |
| 17 |
>> 1. Check and make sure there are no zombie processes of the desired |
| 18 |
>> binary running. |
| 19 |
> |
| 20 |
> [x] No Zombies |
| 21 |
> |
| 22 |
>> 2. Personally I use paxctl (the interface is slightly more robust in |
| 23 |
>> that I don't have to group all the flags in the first argument). |
| 24 |
>> 3. So, post the output of 'chpax -v $binary'? It should have the line |
| 25 |
>> *mprotect() : not restricted |
| 26 |
> |
| 27 |
> askwar@hetzner /usr/src $ /sbin/chpax -v /usr/NX/bin/nxagent |
| 28 |
> |
| 29 |
> ----[ chpax 0.7 : Current flags for /usr/NX/bin/nxagent (pEmrxs) ]---- |
| 30 |
> |
| 31 |
> * Paging based PAGE_EXEC : disabled |
| 32 |
> * Trampolines : emulated |
| 33 |
> * mprotect() : not restricted |
| 34 |
> * mmap() base : not randomized |
| 35 |
> * ET_EXEC base : not randomized |
| 36 |
> * Segmentation based PAGE_EXEC : disabled |
| 37 |
> |
| 38 |
> I now used paxctl, like you suggested in 2.. I ran: |
| 39 |
> |
| 40 |
> paxctl -m /usr/NX/bin/nxagent |
| 41 |
> |
| 42 |
> And see: |
| 43 |
> |
| 44 |
> askwar@hetzner /usr/src $ sudo paxctl -v /usr/NX/bin/nxagent |
| 45 |
> PaX control v0.4 |
| 46 |
> Copyright 2004,2005 PaX Team <pageexec@××××××××.hu> |
| 47 |
> |
| 48 |
> - PaX flags: -----m-x-e-- [/usr/NX/bin/nxagent] |
| 49 |
> MPROTECT is disabled |
| 50 |
> RANDEXEC is disabled |
| 51 |
> EMUTRAMP is disabled |
| 52 |
> |
| 53 |
> Now I am able to run NX. But none the less, I would still |
| 54 |
> like to know, why chpax did not work. |
| 55 |
> |
| 56 |
> Any ideas? |
| 57 |
> |
| 58 |
> Alexander Skwar |
| 59 |
Hi, |
| 60 |
Because chpax uses the old ELF-header markings and paxctl uses the new |
| 61 |
ones (binaries compiled with PIC & PIE, binutils 2.16.X). |
| 62 |
So you use chpax or paxctl depending on the binary. |
| 63 |
HTH.Rumen |
| 64 |
-----BEGIN PGP SIGNATURE----- |
| 65 |
Version: GnuPG v1.4.2.2-ecc0.1.6 (GNU/Linux) |
| 66 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org |
| 67 |
|
| 68 |
iD8DBQFEQkJoNbtuTtsWD3wRAtiRAJwIpQ8su9vvoF0xU8zBRhdvgB3VQgCeObWl |
| 69 |
EJt5COvdMDgjvqAMKUwUIj4= |
| 70 |
=++Z/ |
| 71 |
-----END PGP SIGNATURE----- |
| 72 |
-- |
| 73 |
gentoo-user@g.o mailing list |
Archives