From: Vincent Danen
Newsgroups: gmane.comp.sysutils.supervision.general
Subject: runit running under linux 2.4 with openwall patches
Date: Thu, 20 Jan 2005 15:14:38 -0700
Mailing-List: contact supervision-help@list.skarnet.org; run by ezmlm

One of the features of openwall is stack protection. I'm getting this when I try to boot into a 2.4.29 kernel with openwall hardening enabled:

    Security: return onto stack from 0x0804812c to 0xbffffea0 running as UID 0, EUID 0, process runit:1
    Security more returns onto stack, logging disabled for a minute

I can manage to make the kernel boot, but runit isn't running and it's consuming 100% cpu in my vmware test machine. I have two ideas that may be causing the problem, and not being a kernel person I don't really know for 100% which it is:

1) the Non-executable user stack area part of owl
2) the enforce RLIMIT_NPROC on execve(2)

I have a feeling that it's #1 though. The question is, why is runit doing this? This is a valuable feature to have in a security-hardened distro, and having runit not running because of it is problematic. I'd like to be able to do both (although, for testing, I'm going to compile another kernel with this feature disabled just to isolate it).

The description of the feature according to http://www.openwall.com/linux/README.shtml is:

===
Most buffer overflow exploits are based on overwriting a function's return address on the stack to point to some arbitrary code, which is also put onto the stack. If the stack area is non-executable, buffer overflow vulnerabilities become harder to exploit.

Another way to exploit a buffer overflow is to point the return address to a function in libc, usually system(). This patch also changes the default address that shared libraries are mmap()'ed at to make it always contain a zero byte. This makes it impossible to specify any more data (parameters to the function, or more copies of the return address when filling with a pattern) in many exploits that have to do with ASCIIZ strings.

However, note that this patch is by no means a complete solution, it just adds an extra layer of security. Many buffer overflow vulnerabilities will remain exploitable a more complicated way, and some will even remain unaffected by the patch.

The reason for using such a patch is to protect against some of the buffer overflow vulnerabilities that are yet unknown. Also, note that some buffer overflows can be used for denial of service attacks (usually in non-respawning daemons and network clients). A patch like this cannot do anything against that. It is important that you fix vulnerabilities as soon as they become known, even if you're using the patch. The same applies to other features of the patch (discussed below) and their corresponding vulnerabilities.
===

I'd like to be able to have both runit and this feature together; I think it should be possible because the traditional init works with it. Any ideas on how to go about this? Right now I'm using runit 1.0.5 but plan to upgrade it soon; is this something that may have been addressed in more recent versions?

Thanks for any info.

-- 
Annvix - Secure Linux Server: http://annvix.org/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C A2BC 2EBC 5E32 FEE3 0AD4}
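As an added example (not part of this post, nor code from runit or the openwall patch), the following Python parses the two openwall kernel messages quoted above out of a syslog stream, extracts the return source/target addresses, UID/EUID and process, flags events from root-privileged processes, and counts the "logging disabled for a minute" notices so an analyst knows the event count is a lower bound. The `kernel:` prefix, the third log line and the assumed i386 user-stack range are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Message formats as quoted in the post; the second is openwall's rate-limit notice.
RETURN_RE = re.compile(
    r"Security: return onto stack from 0x(?P<src>[0-9a-fA-F]+) to 0x(?P<dst>[0-9a-fA-F]+)"
    r" running as UID (?P<uid>\d+), EUID (?P<euid>\d+), process (?P<comm>\S+):(?P<pid>\d+)"
)
THROTTLE_RE = re.compile(r"Security more returns onto stack, logging disabled")

# Assumption: classic i386 user-stack region on 2.4 kernels without stack
# randomisation; used only to label whether the return target lies on the stack.
STACK_LO, STACK_HI = 0xBF000000, 0xC0000000

@dataclass
class StackReturn:
    src: int; dst: int; uid: int; euid: int; comm: str; pid: int

    def privileged(self) -> bool:      # an EUID-0 process returning onto its stack
        return self.euid == 0

    def target_in_stack(self) -> bool:
        return STACK_LO <= self.dst < STACK_HI

def parse_line(line: str) -> Optional[StackReturn]:
    """Parse one syslog/dmesg line; None for lines that are not this message."""
    m = RETURN_RE.search(line)
    if not m:
        return None
    return StackReturn(int(m["src"], 16), int(m["dst"], 16), int(m["uid"]),
                       int(m["euid"]), m["comm"], int(m["pid"]))

def summarize(lines: List[str]) -> Dict[str, object]:
    """Events per process, privileged count, and how often logging was throttled."""
    events = [e for e in map(parse_line, lines) if e is not None]
    per_process: Dict[str, int] = {}
    for e in events:
        key = f"{e.comm}:{e.pid}"
        per_process[key] = per_process.get(key, 0) + 1
    return {"total": len(events),
            "privileged": sum(e.privileged() for e in events),
            "per_process": per_process,
            # any throttle notice means further events were dropped by the kernel
            "throttle_notices": sum(1 for l in lines if THROTTLE_RE.search(l))}

# Constructed sample: the two lines from the post plus one made-up unprivileged event.
SAMPLE_LOG = [
    "kernel: Security: return onto stack from 0x0804812c to 0xbffffea0 running as UID 0, EUID 0, process runit:1",
    "kernel: Security more returns onto stack, logging disabled for a minute",
    "kernel: Security: return onto stack from 0x08049a10 to 0xbffff8c0 running as UID 1000, EUID 1000, process demo:4242",
]
```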