
Re: Grsec/PaX and Exec-shield


> I volunteered to make a package for exec-shield because it meets the Debian 
> criteria, I have time to do it, and it interests me.  PaX would take much 
> more time so I can't do it.

You cannot do it or you don't want to do it? In fact, anyone can do it Russell,
I'm pretty sure even you can do it:

apt-get install kernel-source-2.4.22
cd /usr/src
tar xvfj kernel-source-2.4.22.tar.bz2
cd kernel-source-2.4.22
wget http://pageexec.virtualave.net/pax-linux-2.4.22-200310051430.patch
patch -p1 < pax-linux-2.4.22-200310051430.patch

And now you can make menuconfig etc. Now, that wasn't too difficult, right?

> I worry about the security of my own machines, and that of people I know.  
> Exec-shield offers some benefits and is something I can use now.  PaX will 
> not work with the Debian kernel and no-one has volunteered to make it work.  
> Unless someone (maybe you) volunteers to get PaX working with the Debian 
> kernel then it won't be an option for most people.

So you tried to apply PaX to the Debian kernel and failed? Can you explain what
exactly you did, which kernel version you used, which PaX patch and how you
applied it? I really don't understand why an experienced kernel patcher like
you can have problems with a no-brainer patch.

I do it all the time for Adamantix kernels (which are based on the Debian
kernel source packages) and it goes in without a hitch every time. I wish other
patches were as easy to apply. And it works. The Adamantix kernel is used on
mission critical production systems. I have installed the PaX kernel on a
Debian Sarge system and it worked. Any Adamantix user will tell you that PaX
works. I honestly do not know what you are talking about. And if I didn't know
any better, I would think you were a newbie.

You can even disable some of the PaX features to lower the level of security to
the exec-shield level.

Another thing is that exec-shield is (AFAIK) only available on the i386
platform. I always thought that Debian was a multiplatform distribution. PaX is
supported on Alpha, PowerPC, HPPA, Sparc, etc. (I think that AMD64 is also
supported). There is simply no technical reason to choose exec-shield. However,
there may of course be other reasons. Such as political reasons.

Anyways, I included a patch for kernel-source-2.4.22 here. It took me 10
minutes to create it (yeah, slow computers suck). I'm sure Herbert Xu knows
how to apply it. For those who don't:

apt-get source kernel-source-2.4.22
cd kernel-source-2.4.22-2.4.22
bzcat kernel-source-2.4.22+pax.diff.bz2 | patch -p1

Now that can't be too hard, can it?

Peter Busser
The Adamantix Project
Taking high-security Linux out of the labs, and into the real world

Attachment: kernel-source-2.4.22+pax.diff.bz2
Description: Binary data
