[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: non-executable stack (via PT_GNU_STACK) not being enforced

On Monday, October 11, 2010 17:18:34 you wrote:
>On 10/11/2010 12:21 PM, Boyd Stephen Smith Jr. wrote:
>>> Anyone else perceive this situation as being a bit sub-optimal from
>>> the security perspective?
>> No.
>Interesting. Do you happen to run any such systems in a production

Depends on what you mean by production.  I do manage 
http://www.freegeekarkansas.org, http://www.iguanasuicide.net, and the MX for 
iguanasuicide.net.  It's only 3 systems.[1]  All are VPSes, 2 running Debian 
Lenny; 1 running Ubuntu 10.04 LTS.

>> Debian server admins are running amd64, not i386, and NX is supported
>> by default on 64-bit kernels. Even if they are running the i386 arch
>> because of some random closed app they have to have on top of Debian,
>> they can run the amd64 kernel.
>Oh good.
>Then I'm glad I didn't notify those admins I know who bought expensive
>IBM servers just a couple of years ago that turned out to have
>virtualization support for 64-bit guests disabled in the BIOS even
>though the Intel Xeon CPUs had support for it. They were already
>disappointed that they couldn't use weren't getting all the features of
>the processors and they would be just heartbroken to find out that
>they'd been pwned through executable stacks too.

1. Configure the BIOS properly.
2. If that's not possible, hack the BIOS.
3. If that's too hard, use LinuxBIOS / OpenBoot.

Finally, don't whine when your software doesn't correct for intentional 
hardware crippling.

Also: -bigmem is available.

>>> What can be done to not disable page protections in the default
>>> kernel?
>> Enable PAE.  From what I understand, the features are not separable
>> in the i386 kernel.  You either suffer under PAE and get NX, or you
>> suffer without NX and drop PAE.
>That's my understanding too. I was really asking about the default.
>Most of us would prefer the 1% performance hit over having an
>executable stack (and heap).

Then install -bigmem, reboot and be done.

Remember that Debian i386 targets more than beefy servers.  In fact, it 
probably has a larger install base on Atom-based router boards, All-in-one 
PCs, and "netbooks".

That said, I don't really care what the default is for i386.  When multiple 
kernels are available for my architecture, I do the research and install the 
correct one.

[1] One of the systems in that configuration is not directly public facing; it 
handles the ClamAV scanning via a private network for the MX.
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: