File: README.Debian

Package: kernel-patch-exec-shield 1:2.6.18-3 (area: main; suites: etch, etch-m68k; size: 472 kB)
kernel-patch-exec-shield for Debian
-------------------------------------

This patch provides exec-shield, a security feature that protects
against stack smashing and similar exploits. Further documentation is
available here:

  http://www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf
  http://people.redhat.com/drepper/nonselsec.pdf

WARNING: The description below applies for the most recent exec-shield
patch. Since the implementation has changed a lot, it may not be valid
for earlier kernel versions. In particular the parameter values and
default settings below may have changed. Do not rely on them for older
kernels!

The exec-shield functionality can be controlled through the sysctl
variable `kernel.exec-shield'. The initial value of this variable can
be set using the `exec-shield' parameter on the kernel command
line. It can take the following values:

  0 — Exec-shield is disabled.
  1 — The kernel follows the PT_GNU_STACK flag when deciding whether a
      binary should have an executable stack. Binaries which do not have
      the flag run with their stack executable.
  2 — Same as 1, but binaries without the PT_GNU_STACK flag have a
      non-executable stack. This is the default setting.

Note that the default setting can break programs that lack the
PT_GNU_STACK marking but nevertheless require an executable stack.

Changed settings only take effect for binaries loaded after that
point.
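The following script is an added example, not part of the Debian package: it applies the three kernel.exec-shield settings above to the GNU_STACK program header that `readelf -lW` prints for a binary, so the stack policy a binary will get can be checked before the setting is changed. The readelf fragments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the Debian package): decides whether a binary's stack
# is executable under each kernel.exec-shield value described above, from the
# GNU_STACK line of `readelf -lW <binary>` (Flg "RW" = non-exec, "RWE" = exec).

# Extract the Flg column of the GNU_STACK program header from readelf -lW
# output on stdin. Prints nothing when the binary has no PT_GNU_STACK header.
gnu_stack_flags() {
    awk '$1 == "GNU_STACK" { print $7 }'
}

# stack_policy MODE FLAGS -> prints "exec" or "noexec".
# MODE is the kernel.exec-shield value (0, 1 or 2); FLAGS is the GNU_STACK
# flags string, or empty when the header is missing.
stack_policy() {
    mode="$1"
    flags="$2"
    case "$mode" in
        0) echo exec ;;                  # exec-shield disabled
        1|2)
            if [ -n "$flags" ]; then     # marked binary: honour PT_GNU_STACK
                case "$flags" in
                    *E*) echo exec ;;
                    *)   echo noexec ;;
                esac
            elif [ "$mode" = 1 ]; then
                echo exec                # unmarked: executable in mode 1
            else
                echo noexec              # unmarked: non-executable in mode 2
            fi
            ;;
        *) echo "unknown exec-shield value: $mode" >&2; return 1 ;;
    esac
}

# Current setting if this kernel carries the patch, "unpatched" otherwise.
current_mode() {
    cat /proc/sys/kernel/exec-shield 2>/dev/null || echo unpatched
}

# Constructed readelf -lW fragments: a binary marked RW and one marked RWE.
readelf_rw='  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4'
readelf_rwe='  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4'

echo "kernel.exec-shield: $(current_mode)"
for sample in "$readelf_rw" "$readelf_rwe" ""; do
    flags=$(printf '%s\n' "$sample" | gnu_stack_flags)
    printf 'flags=%-4s mode0=%s mode1=%s mode2=%s\n' "${flags:-none}" \
        "$(stack_policy 0 "$flags")" "$(stack_policy 1 "$flags")" "$(stack_policy 2 "$flags")"
done
```

On a real system, pipe `readelf -lW /path/to/binary | gnu_stack_flags` into `stack_policy` to see whether a binary that lacks the marking will lose its executable stack under the default setting of 2.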

There is an additional sysctl variable `kernel.print-fatal-signals'
that, when set to 1, causes the kernel to print a message whenever a
process is killed by exec-shield.

 -- Marcus Better <marcus@better.se>, Fri, 13 Oct 2006 10:58:38 +0200