Gentoo Forums
enable java execution in pax?
Vyeperman
Tux's lil' helper
Joined: 18 Dec 2003
Posts: 89

Posted: Sat Apr 02, 2005 9:05 pm    Post subject: enable java execution in pax?

I'm trying to execute a script/program that was completely written in Java. After realizing the program wasn't running right, I checked /var/log/messages and found something interesting.

Code:

Apr  2 13:05:07 Neji PAX: From 68.7.245.143: execution attempt in: /opt/sun-jdk-1.4.2.07/jre/lib/i386/client/libjvm.so, 23728000-23744000 003fd000
Apr  2 13:05:07 Neji PAX: terminating task: /opt/sun-jdk-1.4.2.07/bin/java(java):8764, uid/euid: 0/0, PC: 23732204, SP: 5ae2f604
Apr  2 13:05:07 Neji PAX: bytes at PC: 68 7f 02 00 00 d9 6c 24 00 58 c3 90 cc cc cc cc 00 80 01 00
Apr  2 13:05:07 Neji PAX: bytes at SP: 23588347 23740d50 5ae2f62c 23584745 00000001 23740d50 00003000 0000e000 0000e000 00003000 5ae2f63c 2358731c 08067408 23740d50 5ae2f6f4 235cecd5 08067408 23740d50 234f38b4 5ae317d0


I'm not too familiar with how to configure grsecurity in my kernel; I had a little help from a friend getting it configured. I would like to keep PaX if possible and just enable Java support. Can this be done?
_________________
-Vyeperman
Vyeperman
Tux's lil' helper
Joined: 18 Dec 2003
Posts: 89

Posted: Sat Apr 02, 2005 11:44 pm

OK, I've learned that I need to use paxctl with Java to get it to work, but I'm not sure what option to use. My guess is it's one of the exec ones, since it appears to be an exec issue.

Code:

usage: paxctl <options> <files>
options:
        -p: disable PAGEEXEC        -P: enable PAGEEXEC
        -e: disable EMUTRMAP        -E: enable EMUTRMAP
        -m: disable MPROTECT        -M: enable MPROTECT
        -r: disable RANDMMAP        -R: enable RANDMMAP
        -x: disable RANDEXEC        -X: enable RANDEXEC
        -s: disable SEGMEXEC        -S: enable SEGMEXEC

_________________
-Vyeperman
mxc
Guru
Joined: 05 Mar 2003
Posts: 442
Location: South Africa

Posted: Mon Apr 25, 2005 4:41 pm

Did you get this fixed in the end? If so, what did you do?

Thanks
_________________
http://www.CyberDesigns.co.za
http://www.Jumpingbean.co.za
dryadcito
Apprentice
Joined: 08 Oct 2004
Posts: 170
Location: Switzerland

Posted: Mon Apr 25, 2005 5:01 pm

You should use

chpax -pemrxs /opt/*-jdk-*/{jre,}/bin/*

See http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#paxjava


You can also emerge chpax and add chpax to the default runlevel. It will set the right flags for some other apps like xmms and Xorg. Its configuration file is /etc/conf.d/chpax, but I think you won't need to edit it.

If you emerge (or re-emerge) xmms, Java or any other program needing special flags, you must manually run "/etc/init.d/chpax start" or reboot, because once it's been run it doesn't do anything (there is no daemon).
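The PaX messages quoted in the first post can be triaged mechanically. The following is an added example, not part of the original thread: it pairs each "execution attempt" line with the "terminating task" line after it and reports which binary was killed, whether it ran as root, and whether the logged PC lies inside the logged address range. The function name `parse_pax_kills` and the regular expressions are assumptions based only on the message layout shown in that post.

```python
import re

# Constructed sample input: the first two PaX lines quoted in the first post.
SAMPLE = """\
Apr  2 13:05:07 Neji PAX: From 68.7.245.143: execution attempt in: /opt/sun-jdk-1.4.2.07/jre/lib/i386/client/libjvm.so, 23728000-23744000 003fd000
Apr  2 13:05:07 Neji PAX: terminating task: /opt/sun-jdk-1.4.2.07/bin/java(java):8764, uid/euid: 0/0, PC: 23732204, SP: 5ae2f604
"""

# Patterns follow the message layout shown in the post; other kernel
# versions may format these lines differently (assumption).
ATTEMPT = re.compile(
    r"PAX: (?:From (?P<source>\S+): )?execution attempt in: (?P<object>.+), "
    r"(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) [0-9a-f]+$")
KILL = re.compile(
    r"PAX: (?:From \S+: )?terminating task: (?P<exe>.+)\((?P<comm>[^)]*)\):"
    r"(?P<pid>\d+), uid/euid: (?P<uid>\d+)/(?P<euid>\d+), "
    r"PC: (?P<pc>[0-9a-f]+), SP: [0-9a-f]+$")

def parse_pax_kills(text):
    """Pair each 'execution attempt' line with the 'terminating task' line after it."""
    events, pending = [], None
    for line in text.splitlines():
        line = line.rstrip()
        attempt = ATTEMPT.search(line)
        if attempt:
            pending = attempt.groupdict()
            continue
        kill = KILL.search(line)
        if not kill:
            continue  # "bytes at PC/SP" dumps and unrelated syslog lines
        pc = int(kill["pc"], 16)
        event = {
            "exe": kill["exe"], "comm": kill["comm"], "pid": int(kill["pid"]),
            "euid": int(kill["euid"]), "as_root": int(kill["euid"]) == 0,
            "object": None, "source": None, "pc_in_range": None,
        }
        if pending:  # attach the object and check PC against its logged range
            lo, hi = int(pending["start"], 16), int(pending["end"], 16)
            event.update(object=pending["object"], source=pending["source"],
                         pc_in_range=lo <= pc < hi)
        events.append(event)
        pending = None
    return events

if __name__ == "__main__":
    for ev in parse_pax_kills(SAMPLE):
        print(f"{ev['exe']} pid={ev['pid']} root={ev['as_root']} "
              f"object={ev['object']} pc_in_range={ev['pc_in_range']}")
```

Knowing the exact binary that was terminated lets the flags be relaxed on that file only, as the chpax command in the last reply does, while PaX stays enabled for everything else.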