Bug 191216

Summary: Security appears to be getting worse on newer installs
Product: Red Hat Enterprise Linux 4 Reporter: Chris <chris>
Component: kernelAssignee: Ingo Molnar <mingo>
Status: CLOSED WONTFIX QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.0CC: jbaron
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 16:03:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Chris 2006-05-09 19:59:24 UTC 
Lots of incorrect execstack markings and poor memory mappings.

Red Hat Enterprise Linux ES release 4 (Nahant Update 3)

How reproducible:

Grab the pax-utils rpm or source code from gentoo. I found an older rpm here.
http://dev.gentoo.org/~solar/packages/rpm/pax-utils-0.1.10-1.i386.rpm
and the sourceball here 
http://dev.gentoo.org/~solar/pax/pax-utils-0.1.12.tar.bz2

Then run. rpm -qal | scanelf -f - -qey

Actual results:
[root@web02 ~]# rpm -qal | scanelf -f - -qey
RWX --- ---  /usr/X11R6/lib/libOSMesa.so.4.0
RWX --- ---  /usr/X11R6/lib/libOSMesa.so.4.0
RWX --- ---  /usr/lib/libdv.so.4.0.1
RWX --- ---  /usr/lib/libstdc++-3-libc6.2-2-2.10.0.so
RWX --- ---  /sbin/insmod.static
RWX --- ---  /sbin/nash
RWX --- ---  /usr/X11R6/lib/libOSMesa.so.4.0
RWX --- ---  /usr/bin/eu-nm
RWX --- ---  /usr/lib/libFLAC.so.4.1.2
RWX --- ---  /usr/lib/libstdc++-3-libc6.2-2-2.10.0.so
RWX --- ---  /usr/lib/libgnat-3.4.so.1
RWX --- ---  /usr/lib/libbeecrypt.so.6.2.0
RWX --- ---  /usr/lib/libbogl.so.0.1
RWX --- ---  /usr/lib/libqthreads.so.12.3.0
RWX --- ---  /usr/lib/libdv.so.4.0.1
RWX --- ---  /sbin/insmod.static
RWX --- ---  /usr/lib/libqthreads.so.12.3.0
RWX --- ---  /usr/lib/libbogl.so.0.1
RWX --- ---  /usr/lib/libbeecrypt.so.6.2.0
RWX --- ---  /sbin/nash
RWX --- ---  /usr/bin/eu-nm
RWX --- ---  /usr/lib/libFLAC.so.4.1.2
RWX --- ---  /usr/lib/gstreamer-0.8/libgstgetbits.so
RWX --- ---  /usr/lib/gstreamer-0.8/libgstgetbits.so
RWX --- ---  /usr/lib/libgnat-3.4.so.1
!WX --- ---  /usr/lib/gcc-lib/i386-redhat-linux/2.96/crtend.o
!WX --- ---  /usr/lib/gcc-lib/i386-redhat-linux/2.96/crtbeginS.o
!WX --- ---  /usr/lib/gcc-lib/i386-redhat-linux/2.96/crtendS.o
!WX --- ---  /usr/lib/gcc-lib/i386-redhat-linux/2.96/crtbegin.o
!WX --- ---  /usr/lib/gcc-lib/i386-redhat-linux/2.96/crtbegin.o
!WX --- ---  /usr/lib/gcc-lib/i386-redhat-linux/2.96/crtbeginS.o
!WX --- ---  /usr/lib/gcc-lib/i386-redhat-linux/2.96/crtend.o
!WX --- ---  /usr/lib/gcc-lib/i386-redhat-linux/2.96/crtendS.o

Expected results:
When using an enterprise distribution I expect to not have to worry 
about my severs becoming compromised while I sleep. 
See our RHES boxes be as secure by default from the many classes of vulns.

Additional info:
On an older Red Hat Enterprise Linux ES release 3 (Taroon Update 6) server 
we have somewhat properly mmaped segments.

00111000-0011d000 r-xp 00000000 03:02 2586272    /usr/lib/libz.so.1.1.4
0011d000-0011f000 rw-p 0000b000 03:02 2586272    /usr/lib/libz.so.1.1.4
00162000-0016d000 r-xp 00000000 03:02 1047943    /lib/libnss_files-2.3.2.so
0016d000-0016e000 rw-p 0000a000 03:02 1047943    /lib/libnss_files-2.3.2.so
001ba000-001cc000 r-xp 00000000 03:02 1047652    /lib/libnsl-2.3.2.so
001cc000-001cd000 rw-p 00011000 03:02 1047652    /lib/libnsl-2.3.2.so
001cd000-001cf000 rw-p 00000000 00:00 0
001db000-001e2000 r-xp 00000000 03:02 2586266    /usr/lib/libwrap.so.0.7.6
001e2000-001e3000 rw-p 00006000 03:02 2586266    /usr/lib/libwrap.so.0.7.6
001e3000-001e4000 rw-p 00000000 00:00 0
00232000-00234000 r-xp 00000000 03:02 1048093    /lib/libdl-2.3.2.so
00234000-00235000 rw-p 00001000 03:02 1048093    /lib/libdl-2.3.2.so
002f9000-00355000 r-xp 00000000 03:02 6383554    /usr/kerberos/lib/libkrb5.so.3.1
00355000-00357000 rw-p 0005c000 03:02 6383554    /usr/kerberos/lib/libkrb5.so.3.1
003ac000-003ae000 r-xp 00000000 03:02 1047603    /lib/libutil-2.3.2.so
003ae000-003af000 rw-p 00001000 03:02 1047603    /lib/libutil-2.3.2.so
003c8000-003d9000 r-xp 00000000 03:02 6384178   
/usr/kerberos/lib/libk5crypto.so.3.0
003d9000-003da000 rw-p 00011000 03:02 6384178   
/usr/kerberos/lib/libk5crypto.so.3.0
0050b000-0050c000 r-xp 00000000 03:02 6384171    /usr/kerberos/lib/libcom_err.so.3.0
0050c000-0050d000 rw-p 00001000 03:02 6384171    /usr/kerberos/lib/libcom_err.so.3.0
0050d000-00640000 r-xp 00000000 03:02 491819     /lib/tls/libc-2.3.2.so
00640000-00643000 rw-p 00132000 03:02 491819     /lib/tls/libc-2.3.2.so
00643000-00646000 rw-p 00000000 00:00 0
00794000-007a9000 r-xp 00000000 03:02 1047600    /lib/ld-2.3.2.so
007a9000-007aa000 rw-p 00015000 03:02 1047600    /lib/ld-2.3.2.so
007e4000-007eb000 r-xp 00000000 03:02 1047619    /lib/libpam.so.0.75
007eb000-007ec000 rw-p 00007000 03:02 1047619    /lib/libpam.so.0.75
00849000-0084b000 r-xp 00000000 03:02 1047568    /lib/liblaus.so.1.0.0
0084b000-0084c000 rw-p 00001000 03:02 1047568    /lib/liblaus.so.1.0.0
00b42000-00c1f000 r-xp 00000000 03:02 1053117    /lib/libcrypto.so.0.9.7a
00c1f000-00c31000 rw-p 000dd000 03:02 1053117    /lib/libcrypto.so.0.9.7a
00c31000-00c34000 rw-p 00000000 00:00 0
00d61000-00d73000 r-xp 00000000 03:02 6383564   
/usr/kerberos/lib/libgssapi_krb5.so.2.2
00d73000-00d74000 rw-p 00012000 03:02 6383564   
/usr/kerberos/lib/libgssapi_krb5.so.2.2
00e46000-00e55000 r-xp 00000000 03:02 1047597    /lib/libresolv-2.3.2.so
00e55000-00e56000 rw-p 0000f000 03:02 1047597    /lib/libresolv-2.3.2.so
00e56000-00e58000 rw-p 00000000 00:00 0
08048000-08089000 r-xp 00000000 03:02 1080603    /usr/sbin/sshd
08089000-0808b000 rw-p 00040000 03:02 1080603    /usr/sbin/sshd
0808b000-0808f000 rw-p 00000000 00:00 0
099d3000-099f4000 rw-p 00000000 00:00 0
b75ee000-b75f2000 rw-p 00000000 00:00 0
bfff8000-c0000000 rw-p ffff9000 00:00 0

However version 4 has shit memory for segments. Notice the rwxp everywhere.
Every single program system wide is like this. And older RHES-3 installs did not 
suffer from this problem.

[root@web02 ~]# cat /proc/10891/maps 
00111000-00113000 r-xp 00000000 09:02 4213589    /lib/libutil-2.3.4.so
00113000-00115000 rwxp 00001000 09:02 4213589    /lib/libutil-2.3.4.so
00115000-00122000 r-xp 00000000 09:02 4213580    /lib/libselinux.so.1
00122000-00123000 rwxp 0000d000 09:02 4213580    /lib/libselinux.so.1
00123000-00124000 r-xp 00000000 09:02 4210821    /lib/security/pam_deny.so
00124000-00125000 rwxp 00000000 09:02 4210821    /lib/security/pam_deny.so
00125000-00131000 r-xp 00000000 09:02 4210853    /lib/security/pam_unix.so
00131000-00132000 rwxp 0000b000 09:02 4210853    /lib/security/pam_unix.so
00132000-0013e000 rwxp 00132000 00:00 0 
0013e000-00142000 r-xp 00000000 09:02 4210849    /lib/security/pam_succeed_if.so
00142000-00143000 rwxp 00004000 09:02 4210849    /lib/security/pam_succeed_if.so
0015e000-00232000 r-xp 00000000 09:02 4213584    /lib/libcrypto.so.0.9.7a
00232000-00244000 rwxp 000d4000 09:02 4213584    /lib/libcrypto.so.0.9.7a
00244000-00247000 rwxp 00244000 00:00 0 
00300000-00313000 r-xp 00000000 09:02 23080035   /usr/lib/libgssapi_krb5.so.2.2
00313000-00314000 rwxp 00013000 09:02 23080035   /usr/lib/libgssapi_krb5.so.2.2
0034b000-0034d000 r-xp 00000000 09:02 4213581    /lib/libdl-2.3.4.so
0034d000-0034f000 rwxp 00001000 09:02 4213581    /lib/libdl-2.3.4.so
00384000-0038d000 r-xp 00000000 09:02 4210738    /lib/libnss_files-2.3.4.so
0038d000-0038f000 rwxp 00008000 09:02 4210738    /lib/libnss_files-2.3.4.so
003a8000-003ab000 r-xp 00000000 09:02 4210819    /lib/security/pam_cracklib.so
003ab000-003ac000 rwxp 00002000 09:02 4210819    /lib/security/pam_cracklib.so
003ac000-003b0000 rwxp 003ac000 00:00 0 
00458000-004bb000 r-xp 00000000 09:02 23080034   /usr/lib/libkrb5.so.3.2
004bb000-004bd000 rwxp 00063000 09:02 23080034   /usr/lib/libkrb5.so.3.2
004d4000-004e6000 r-xp 00000000 09:02 4213588    /lib/libnsl-2.3.4.so
004e6000-004e8000 rwxp 00011000 09:02 4213588    /lib/libnsl-2.3.4.so
004e8000-004ea000 rwxp 004e8000 00:00 0 
00528000-0052d000 r-xp 00000000 09:02 4210830    /lib/security/pam_limits.so
0052d000-0052e000 rwxp 00004000 09:02 4210830    /lib/security/pam_limits.so
00564000-00565000 r-xp 00000000 09:02 4210833    /lib/security/pam_loginuid.so
00565000-00566000 rwxp 00001000 09:02 4210833    /lib/security/pam_loginuid.so
00573000-00579000 r-xp 00000000 09:02 23074793   /usr/lib/libcrack.so.2.7
00579000-0057a000 rwxp 00006000 09:02 23074793   /usr/lib/libcrack.so.2.7
0057a000-0057e000 rwxp 0057a000 00:00 0 
005b7000-005b9000 r-xp 00000000 09:02 4210837    /lib/security/pam_nologin.so
005b9000-005ba000 rwxp 00001000 09:02 4210837    /lib/security/pam_nologin.so
005be000-005d3000 r-xp 00000000 09:02 4213577    /lib/ld-2.3.4.so
005d3000-005d4000 r-xp 00015000 09:02 4213577    /lib/ld-2.3.4.so
005d4000-005d5000 rwxp 00016000 09:02 4213577    /lib/ld-2.3.4.so
00606000-0060c000 r-xp 00000000 09:02 23076554   /usr/lib/libwrap.so.0.7.6
0060c000-0060d000 rwxp 00006000 09:02 23076554   /usr/lib/libwrap.so.0.7.6
00677000-00686000 r-xp 00000000 09:02 4213583    /lib/libresolv-2.3.4.so
00686000-00688000 rwxp 0000f000 09:02 4213583    /lib/libresolv-2.3.4.so
00688000-0068a000 rwxp 00688000 00:00 0 
006b0000-006b4000 r-xp 00000000 09:02 4210735    /lib/libnss_dns-2.3.4.so
006b4000-006b6000 rwxp 00003000 09:02 4210735    /lib/libnss_dns-2.3.4.so
006ef000-006f6000 r-xp 00000000 09:02 4213593    /lib/libpam.so.0.77
006f6000-006f7000 rwxp 00007000 09:02 4213593    /lib/libpam.so.0.77
006f7000-0081b000 r-xp 00000000 09:02 4213578    /lib/tls/libc-2.3.4.so
0081b000-0081c000 r-xp 00124000 09:02 4213578    /lib/tls/libc-2.3.4.so
0081c000-0081f000 rwxp 00125000 09:02 4213578    /lib/tls/libc-2.3.4.so
0081f000-00821000 rwxp 0081f000 00:00 0 
0086d000-008b7000 r-xp 00000000 09:02 23077469   /usr/sbin/sshd
008b7000-008b9000 rwxp 0004a000 09:02 23077469   /usr/sbin/sshd
008b9000-008bd000 rwxp 008b9000 00:00 0 
00bc5000-00be5000 r-xp 00000000 09:02 23073470   /usr/lib/libk5crypto.so.3.0
00be5000-00be6000 rwxp 00020000 09:02 23073470   /usr/lib/libk5crypto.so.3.0
00c03000-00c08000 r-xp 00000000 09:02 4213586    /lib/libcrypt-2.3.4.so
00c08000-00c0a000 rwxp 00004000 09:02 4213586    /lib/libcrypt-2.3.4.so
00c0a000-00c31000 rwxp 00c0a000 00:00 0 
00c65000-00c6f000 r-xp 00000000 09:02 4213560    /lib/libaudit.so.0.0.0
00c6f000-00c73000 rwxp 00009000 09:02 4213560    /lib/libaudit.so.0.0.0
00d91000-00d94000 r-xp 00000000 09:02 4210847    /lib/security/pam_stack.so
00d94000-00d95000 rwxp 00002000 09:02 4210847    /lib/security/pam_stack.so
00e37000-00e46000 r-xp 00000000 09:02 23080036   /usr/lib/libz.so.1.2.1.2
00e46000-00e47000 rwxp 0000e000 09:02 23080036   /usr/lib/libz.so.1.2.1.2
00eff000-00f00000 r-xp 00000000 09:02 4210838    /lib/security/pam_permit.so
00f00000-00f01000 rwxp 00000000 09:02 4210838    /lib/security/pam_permit.so
00f27000-00f2a000 r-xp 00000000 09:02 4210822    /lib/security/pam_env.so
00f2a000-00f2b000 rwxp 00002000 09:02 4210822    /lib/security/pam_env.so
00f53000-00f55000 r-xp 00000000 09:02 4213582    /lib/libcom_err.so.2.1
00f55000-00f56000 rwxp 00001000 09:02 4213582    /lib/libcom_err.so.2.1
0961d000-09699000 rw-p 0961d000 00:00 0 
b7d45000-b7e85000 rw-s 00000000 00:06 125321     /dev/zero (deleted)
b7e85000-b7fc5000 rw-s 00000000 00:06 125306     /dev/zero (deleted)
b7fd5000-b7fda000 rw-p b7fd5000 00:00 0 
bfe5c000-c0000000 rw-p bfe5c000 00:00 0 
ffffe000-fffff000 ---p 00000000 00:00 0
Comment 1 Jakub Jelinek 2006-05-22 15:39:33 UTC 
If your CPU doesn't support NX, then execshield only protects against execution
the continuous chunk of memory from the end of highest VMA that needs executable
permissions till the end of address space.
There really is no difference in this between RHEL3 and RHEL4, just
RHEL4 /proc/*/maps make this explicit (not sure if that's intentional or not).
glibc certainly uses the right mmap/mprotect flags, so that only pages that
need execution are executable, the rest is kernel thing.

From the first list, libgnat*.so (and other Ada related stuff) are intentionally
PT_GNU_STACK RWE, as Ada needs executable trampolines on most platforms.
But the libraries are also flagged with DF_1_NOOPEN, so they can't be dlopened.
GCC 2.96-RH crt files are not marked at all, because exec stack marking was only
added in much later GCC versions and these are only included for compatibility.
Comment 2 Jiri Pallich 2012-06-20 16:03:28 UTC 
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life. 
Please See https://access.redhat.com/support/policy/updates/errata/

If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.