[clug] ColdFusion MX on RedHat
Rob Weir
rweir at ertius.org
Thu Jul 10 16:39:21 EST 2003
On Wed, Jul 09, 2003 at 04:39:35PM +1000, Nathan_LeNevez at ausaid.gov.au wrote:
> coldfusion-60-linux-en.bin: line 1: 22743 Killed
> "/tmp/install.dir.22642/Linux/resource/jre/bin/java" -Djava.compiler=NONE
> -Xmx50331648 -Xms16777216 com.zerog.lax.LAX
> "/tmp/install.dir.22642/temp.lax" "/tmp/env.properties.22642" -i CONSOLE
>
> A quick look at /var/log/messages shows this too:
>
> Jul 9 16:36:19 picasso2 kernel: PAX: From 202.6.37.166: terminating task:
> /tmp/install.dir.22642/Linux/resource/jre/bin/i386/native_threads/java(java):22743,
> uid/euid: 0/0, PC: 2e590fa4, SP: 5c1acd70
> Jul 9 16:36:19 picasso2 kernel: PAX: bytes at PC: 68 7f 02 00 00 d9 6c 24
> 00 58 c3 90 cc cc cc cc 00 00 00 00
Isn't PAX a security patch to the kernel which makes some memory regions
non-executable? It's part of grsecurity (www.grsecurity.net, very
neat). Having a look through the grsecurity kernel config options, I
see this:

    Enforce non-executable pages
    CONFIG_GRKERNSEC_PAX_NOEXEC

    By design some architectures do not allow for protecting memory
    pages against execution or even if they do, Linux does not make
    use of this feature. In practice this means that if a page is
    readable (such as the stack or heap) it is also executable.

    There is a well known exploit technique that makes use of this
    fact and a common programming mistake where an attacker can
    introduce code of his choice somewhere in the attacked program's
    memory (typically the stack or the heap) and then execute it.
    If the attacked program was running with different (typically
    higher) privileges than that of the attacker, then he can elevate
    his own privilege level (e.g. get a root shell, write to files for
    which he does not have write access to, etc).

    Enabling this option will let you choose from various features
    that prevent the injection and execution of 'foreign' code in
    a program.

    This will also break programs that rely on the old behaviour and
    expect that dynamically allocated memory via the malloc() family
    of functions is executable (which it is not). Notable examples
    are the XFree86 4.x server, the java runtime and wine.
                                    ^^^^^^^^^^^^

    NOTE: you can use the 'chpax' utility to enable/disable this
    feature on a per file basis. chpax is available at
    <http://pageexec.virtualave.net>

I'm pretty sure something as invasive as grsecurity isn't part of the
default RedHat kernel, though... Maybe someone upgraded it without
telling you? Anyway, chpax'ing the JVM should fix it. From the path
it's using, tho
(/tmp/install.dir.22642/Linux/resource/jre/bin/i386/native_threads/java),
the installer seems to be copying the files around (I can't imagine
why...) so you might need to add the call to chpax to the install
script, or at least do it yourself while the script is executing. On the
other hand, perhaps whatever attribute chpax sets would be copied; then
you could just run it on the original JVM binary.
Alternatively, you could just use a non-PAX-enabled kernel.
--
Rob Weir <rweir at ertius.org> | mlspam at ertius.org | Do I look like I want a CC?
Words of the day: AVN David John Oates spy Vince Foster domestic disruption