[rsbac] Non-executable stack etc. with PaX

Peter Busser peter at trusteddebian.org
Fri Feb 14 12:26:31 MET 2003


Hi!

> After some questions about non-executable stack etc. I have downloaded and 
> tested the Pageexec patch from http://pageexec.virtualave.net/, which is also 
> part of grsecurity. It patches cleanly besides RSBAC and seems to work fine.

My experience with RSBAC, PaX and FreeS/WAN in one 2.4.18 kernel is that it is not
reliable. I still have one machine left with this kernel version and it locked
up three times this morning. On the other hand, it might run fine for a week. I
saw this behaviour on different hardware and systems with different uses. But
of course it can be stable with some kernel configurations and instable with
others.

One other thing is that in order to use this patch to the fullest, you have to
recompile every binary. Or at least every binary which is potentially exposed
to buffer overflow attacks.

> Do you think PaX or something similar should be included in RSBAC, or is a 
> separate patch more useful?

PaX support in RSBAC would be useful for those who use it.

Greetings,
Peter Busser

