[clug] ColdFusion MX on RedHat

Rob Weir rweir at ertius.org
Thu Jul 10 16:39:21 EST 2003


On Wed, Jul 09, 2003 at 04:39:35PM +1000, Nathan_LeNevez at ausaid.gov.au wrote:
> coldfusion-60-linux-en.bin: line 1: 22743 Killed
> "/tmp/install.dir.22642/Linux/resource/jre/bin/java" -Djava.compiler=NONE
> -Xmx50331648 -Xms16777216 com.zerog.lax.LAX
> "/tmp/install.dir.22642/temp.lax" "/tmp/env.properties.22642" -i CONSOLE
> 
> A quick look at /var/log/messages shows this too:
> 
> Jul  9 16:36:19 picasso2 kernel: PAX: From 202.6.37.166: terminating task:
> /tmp/install.dir.22642/Linux/resource/jre/bin/i386/native_threads/java(java):22743,
>  uid/euid: 0/0, PC: 2e590fa4, SP: 5c1acd70
> Jul  9 16:36:19 picasso2 kernel: PAX: bytes at PC: 68 7f 02 00 00 d9 6c 24
> 00 58 c3 90 cc cc cc cc 00 00 00 00

Isn't PAX a security patch to the kernel which makes some memory regions
non-executable?  It's part of grsecurity (www.grsecurity.net, very
neat).  Having a look through the grsecurity kernel config options, I
see this:

Enforce non-executable pages
CONFIG_GRKERNSEC_PAX_NOEXEC
  By design some architectures do not allow for protecting memory
  pages against execution or even if they do, Linux does not make
  use of this feature.  In practice this means that if a page is
  readable (such as the stack or heap) it is also executable.

  There is a well known exploit technique that makes use of this
  fact and a common programming mistake where an attacker can
  introduce code of his choice somewhere in the attacked program's
  memory (typically the stack or the heap) and then execute it.

  If the attacked program was running with different (typically
  higher) privileges than that of the attacker, then he can elevate
  his own privilege level (e.g. get a root shell, write to files for
  which he does not have write access to, etc).

  Enabling this option will let you choose from various features
  that prevent the injection and execution of 'foreign' code in
  a program.

  This will also break programs that rely on the old behaviour and
  expect that dynamically allocated memory via the malloc() family
  of functions is executable (which it is not).  Notable examples
  are the XFree86 4.x server, the java runtime and wine.
                                  ^^^^^^^^^^^^

  NOTE: you can use the 'chpax' utility to enable/disable this
  feature on a per file basis.  chpax is available at
  <http://pageexec.virtualave.net>

I'm pretty sure something as invasive as grsecurity isn't part of the
default RedHat kernel, though... Maybe someone upgraded it without
telling you?  Anyway, chpax'ing the JVM should fix it.  From the path
it's using, though
(/tmp/install.dir.22642/Linux/resource/jre/bin/i386/native_threads/java),
the installer seems to be copying the files around (I can't imagine
why...) so you might need to add the call to chpax to the install
script, or at least do it yourself while the script is executing.  On the
other hand, perhaps whatever attribute chpax sets would be copied; then
you could just run it on the original JVM binary.

Alternatively, you could just use a non-PAX-enabled kernel.

-- 
Rob Weir <rweir at ertius.org> | mlspam at ertius.org  |  Do I look like I want a CC?
Words of the day:     AVN David John Oates spy Vince Foster domestic disruption
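
The following is an added example, not part of the original message: a small parser that pulls the PaX "terminating task" events quoted in the thread out of /var/log/messages, so the exact binary path, PID and euid of each killed process can be listed. The function name parse_pax_events, the in_tmp flag and the optional handling of the "From <addr>:" field are assumptions of this example.

```python
import re

# The two kernel messages quoted in the thread, unwrapped to one syslog line
# each, plus one unrelated line constructed for contrast.
SAMPLE_LOG = (
    "Jul  9 16:36:19 picasso2 kernel: PAX: From 202.6.37.166: terminating task: "
    "/tmp/install.dir.22642/Linux/resource/jre/bin/i386/native_threads/java(java):22743, "
    "uid/euid: 0/0, PC: 2e590fa4, SP: 5c1acd70\n"
    "Jul  9 16:36:19 picasso2 kernel: PAX: bytes at PC: "
    "68 7f 02 00 00 d9 6c 24 00 58 c3 90 cc cc cc cc 00 00 00 00\n"
    "Jul  9 16:36:20 picasso2 sshd[411]: constructed unrelated line\n"
)

# Field layout taken from the message above; treating "From <addr>:" as
# optional is an assumption, since the page shows only this one form.
TERMINATED = re.compile(
    r"kernel: PAX: (?:From (?P<src>\S+): )?terminating task: "
    r"(?P<path>.+)\((?P<comm>[^)]*)\):(?P<pid>\d+), "
    r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+), "
    r"PC: (?P<pc>[0-9a-f]+), SP: (?P<sp>[0-9a-f]+)"
)
BYTES_AT_PC = re.compile(r"kernel: PAX: bytes at PC: (?P<hex>(?:[0-9a-f]{2} ?)+)")


def parse_pax_events(log_text):
    """Return one dict per terminated task, with the PC bytes line attached."""
    events = []
    for line in log_text.splitlines():
        m = TERMINATED.search(line)
        if m:
            ev = m.groupdict()
            for key in ("pid", "uid", "euid"):
                ev[key] = int(ev[key])
            for key in ("pc", "sp"):
                ev[key] = int(ev[key], 16)
            # The installer in this thread unpacks its JVM under /tmp, so an
            # exception set on another copy of the binary may not apply here.
            ev["in_tmp"] = ev["path"].startswith("/tmp/")
            ev["pc_bytes"] = None
            events.append(ev)
            continue
        m = BYTES_AT_PC.search(line)
        if m and events and events[-1]["pc_bytes"] is None:
            events[-1]["pc_bytes"] = bytes.fromhex(m.group("hex"))
    return events


if __name__ == "__main__":
    for ev in parse_pax_events(SAMPLE_LOG):
        print(f"{ev['path']} pid={ev['pid']} euid={ev['euid']} pc={ev['pc']:#x} tmp={ev['in_tmp']}")
```

The path field shows which copy of the binary was actually executed, which is the one the per-file exception has to be set on.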