
Re: Exec-Shield vs. PaX



On Thu, 6 Nov 2003 pageexec@freemail.hu wrote:

> > actually, unmodified XFree86 works just fine. It will have an executable
> > stack but it will work out of box - so no app was broken.
> 
> false! my unmodified X server (gentoo) dies with the following core
> when trying to run it under [1]:

you need to update your gcc, glibc and binutils chain and change
exec-shield=1 (all the code is available under the GPL) to get a fully
compatible exec-shield solution.

the patches on my site default to exec-shield=2. exec-shield=2 means
blanket non-exec stacks for _every_ binary. You are trying to make a big
fuss about this for no good reason. My patches default to 2 to get wider
testing without having to recompile all of userspace. (but recompiling all
of userspace shouldn't be an issue on your gentoo box.)

> > X does break if you force exec-shield=2, and it did break even with
> > exec-shield=1 in earlier iterations of exec-shield, but that bug has been
> > fixed.
> 
> excerpt from [1]:

> +int exec_shield = 2;
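
Review bot: the initializer in `+int exec_shield = 2;` has no comment in this excerpt saying what the values mean. The thread describes 2 as blanket non-exec stacks for every binary and 1 as the mode that relies on PT_GNU_STACK markings, and notes that unmodified X breaks under 2, so a short comment listing the modes beside the variable would tell anyone applying the patch alone what the default does.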

Look at the Fedora Core 1 distribution released yesterday to see the
complete solution - there exec-shield defaults to 1. You need PT_GNU_STACK
markings for all apps to work under exec-shield. It cannot be solved via a
single kernel patch. If exec-shield is to be added to Debian then this
should be done too.

	Ingo
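
A check for the PT_GNU_STACK marking mentioned above, as an added example that is not part of the original message or of the exec-shield patches: it reads an ELF image's program headers and reports whether the binary requests an executable stack. The names `stack_marking` and `sample_elf32` are hypothetical, and the sample ELF image is constructed.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type that carries the stack permissions
PF_X = 0x1                 # execute bit in p_flags

def stack_marking(elf: bytes) -> str:
    """Return 'noexec', 'exec' or 'unmarked' for an ELF image."""
    if len(elf) < 52 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = {1: False, 2: True}.get(elf[4])      # EI_CLASS
    endian = {1: "<", 2: ">"}.get(elf[5])       # EI_DATA
    if is64 is None or endian is None or (is64 and len(elf) < 64):
        raise ValueError("bad or truncated ELF header")
    if is64:
        (e_phoff,) = struct.unpack_from(endian + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(endian + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf, 0x2A)
    flags_off = 4 if is64 else 24               # p_flags sits at a different offset per class
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + flags_off + 4 > len(elf):
            raise ValueError("program header table runs past end of file")
        (p_type,) = struct.unpack_from(endian + "I", elf, off)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(endian + "I", elf, off + flags_off)
            return "exec" if p_flags & PF_X else "noexec"
    return "unmarked"   # no marking: the loader has nothing per-binary to go on

def sample_elf32(stack_flags=None) -> bytes:
    """Constructed input: bare little-endian ELF32 header, optionally one PT_GNU_STACK entry."""
    phnum = 0 if stack_flags is None else 1
    ehdr = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, phnum, 0, 0, 0)
    if stack_flags is None:
        return ehdr
    return ehdr + struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, stack_marking(f.read()))
```

Run against a directory of binaries, the "unmarked" and "exec" results are the ones to review before relying on per-binary stack markings.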


