simpsonb n00b
Joined: 23 Dec 2002 Posts: 12
Posted: Tue Jun 10, 2003 10:54 pm Post subject: grsec & chpax to allow running java and others
Edited title for move to docs tips and tricks. Puggy
I have just built a new system running Gentoo 1.4 rc4 from a stage1. Everything seems to be working ok except java. When I run java it responds back with a killed. I've tried blackdown-jdk, sun-jdk (1.3.1.08 and 1.4.1.02) to no avail. I've also run env-update and source /etc/profile each time. Any ideas?
Here's my env output.
Code:
impmail env.d # env
MANPATH=/usr/share/man:/usr/local/share/man:/usr/share/gcc-data/i686-pc-linux-gnu/3.2/man:/usr/X11R6/man
INFODIR=/usr/share/info:/usr/X11R6/info
HOSTNAME=impmail.dnsalias.com
TERM=xterm
SHELL=/bin/bash
SSH_CLIENT=192.168.0.79 33949 22
QTDIR=/usr/qt/3
OLDPWD=/opt
SSH_TTY=/dev/pts/0
USER=root
PAGER=/usr/bin/less
XINITRC=/etc/X11/xinit/xinitrc
MAIL=/var/mail/root
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/3.2:/usr/X11R6/bin:/opt/sun-jdk-1.4.1.02/bin: /opt/sun-jdk-1.4.1.02/jre/bin:/usr/qt/3/bin
INPUTRC=/etc/inputrc
PWD=/etc/env.d
JAVA_HOME=/opt/sun-jdk-1.4.1.02
EDITOR=/bin/nano
JAVAC=/opt/sun-jdk-1.4.1.02/bin/javac
QMAKESPEC=linux-g++
PS1=\[\033[01;31m\]\h \[\033[01;34m\]\W \$ \[\033[00m\]
CXX=g++
JDK_HOME=/opt/sun-jdk-1.4.1.02
SHLVL=1
HOME=/root
LESS=-R
LOGNAME=root
CVS_RSH=ssh
CLASSPATH=/opt/sun-jdk-1.4.1.02/jre/lib:/opt/sun-jdk-1.4.1.02/lib/tools.jar:/usr/share/ant/lib/*.jar:.
SSH_CONNECTION=192.168.0.79 33949 192.168.0.1 22
LESSOPEN=|lesspipe.sh %s
INFOPATH=/usr/share/info:/usr/share/gcc-data/i686-pc-linux-gnu/3.2/info
CC=gcc
DISPLAY=localhost:10.0
CONFIG_PROTECT=/usr/X11R6/lib/X11/xkb
_=/usr/bin/env
Code:
impmail env.d # java -version
Killed

sulu Guru
Joined: 21 May 2002 Posts: 399 Location: Dornbirn/Austria
Posted: Wed Jun 11, 2003 5:19 am Post subject:
You could try an strace on java to see what libraries are getting called and maybe hereby identify the culprit.
See man strace for info.

Yarrick Bodhisattva
Joined: 05 Jun 2002 Posts: 304 Location: Malmö, Sweden
Posted: Wed Jun 11, 2003 10:13 am Post subject:
My friend had his grsecurity kernel killing java. Do you use grsecurity?

simpsonb n00b
Joined: 23 Dec 2002 Posts: 12
Posted: Wed Jun 11, 2003 11:06 am Post subject:
Yes I do have grsecurity enabled at high. I'll disable it and give it another try. Thanks,
Brett

Yarrick Bodhisattva
Joined: 05 Jun 2002 Posts: 304 Location: Malmö, Sweden
Posted: Wed Jun 11, 2003 3:37 pm Post subject:
You can also locate the java executable file and in some way allow it to do what it was killed for. Don't remember the command/syntax though.

simpsonb n00b
Joined: 23 Dec 2002 Posts: 12
Posted: Wed Jun 11, 2003 4:05 pm Post subject:
Recompiling my kernel without GR security allowed the java command to work. Thanks.

paranode l33t
Joined: 06 Mar 2003 Posts: 679 Location: Texas
Posted: Mon Jul 14, 2003 3:45 pm Post subject:
I just thought I'd bump this thread since I found out a workaround for this without disabling Grsecurity. Thanks to Method and solar in #gentoo-hardened.
You need to:
And you need to do for all the binaries in /opt/blackdown-jdk-1.4.1/bin.
You can emerge gradm to have a script at /etc/init.d/grsecurity for setting this permanently. I haven't played with it yet.
This fixed an issue I was having with gettext not compiling and my realizing that java wouldn't run under my Grsecurity kernel without this. Hope that helps someone else too! _________________ Meh.

puggy Bodhisattva
Joined: 28 Feb 2003 Posts: 1992 Location: Oxford, UK
Posted: Tue Feb 24, 2004 7:07 pm Post subject:
Great tip paranode, but it's slightly more complicated than that. Doing chpax -rs is all very well if it's randomize mmap() base [ELF only] and enforce segmentation based non-executable pages which are preventing it from running.
chpax has a few other options as well. In my case, -p was what was required to deactivate enforce paging based non-executable pages.
will tell you the options of course and to tell which ones you need to turn off, consult your grsec policies in the kernel.
Also, chpax has an init script so that can be used to set things always on boot.
Great tip though, and now it's complete, off it goes to docs, tips and tricks.
Puggy _________________ Where there's open source, there's a way.
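
[Added example, not written by any poster in this thread and not a script shipped with chpax or gradm: a dry-run helper that relaxes only the chosen PaX flags, and only on real ELF binaries in one directory, instead of rebuilding the kernel without grsecurity. The function names `is_elf` and `pax_relax` and the `APPLY` variable are hypothetical; the only chpax switches used are the `-p`, `-r` and `-s` named above.]

```shell
#!/bin/sh
# Added example: relax only the named PaX flags on ELF binaries in one directory.
# Dry run by default; set APPLY=1 to really call chpax (needs chpax installed, run as root).
# Example: pax_relax /opt/blackdown-jdk-1.4.1/bin rs

# is_elf FILE: true when FILE starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')" = "7f454c46" ]
}

# pax_relax DIR FLAGS: FLAGS is a non-empty subset of "prs", the lowercase
# chpax switches named in this thread:
#   p = paging based non-executable pages
#   r = randomize mmap() base
#   s = segmentation based non-executable pages
pax_relax() {
    dir=$1
    flags=$2
    case $flags in
        ''|*[!prs]*)
            echo "refusing flags '$flags': use a subset of p, r, s" >&2
            return 2 ;;
    esac
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for f in "$dir"/*; do
        # Skip subdirectories, symlinks and wrapper scripts: only regular
        # ELF files carry the flags, and symlink targets are left alone.
        [ -f "$f" ] && [ ! -L "$f" ] && is_elf "$f" || continue
        if [ "${APPLY:-0}" = 1 ]; then
            chpax "-$flags" "$f" || return 1
        else
            echo "chpax -$flags $f"   # dry run: show what would be changed
        fi
    done
    return 0
}
```

Start with the smallest flag set that stops the "Killed" message, so every other PaX restriction stays enforced on those binaries.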

coutts99 Apprentice
Joined: 19 Sep 2002 Posts: 171 Location: Sunderland, UK
Posted: Sun Oct 17, 2004 8:29 am Post subject:
Thank you for this thread!!