Re: [gentoo-hardened] Python stops working after upgrade

Tue, 28 May 2013 18:30:02 -0700 

On 05/28/2013 07:46 PM, "Tóth Attila" wrote:

I didn't laugh my ass ofter after discovering that python stopped working
after upgrade. Especially since the package management system depends on a
working python instance.
Right after emerging python-2.7.5:
paxctl-ng -v /usr/bin/python2.7
/usr/bin/python2.7:
         PT_PAX    : -E---
         XATTR_PAX : not found

Let's put there the missing "m":
paxctl-ng -m /usr/bin/python2.7

Check back:
paxctl-ng -v /usr/bin/python2.7
/usr/bin/python2.7:
         PT_PAX    : -Em--
         XATTR_PAX : -em--

If PT_PAX has E, python2.7 would not start on my system.
Let's correct that:
paxctl-ng -e /usr/bin/python2.7

Check back:
paxctl-ng -v /usr/bin/python2.7
/usr/bin/python2.7:
         PT_PAX    : -em--
         XATTR_PAX : -em--

Now python works again.

What should I properly configure the above mentioned behavior? Is it just
my system?
Something changed in the latest python upgrades because I'm having problems of a different nature. I'll have to investigate. 




I keep the habit of creating regular binary package archives.

In the mean time, freshly installed firefox binary is correct:
paxctl-ng -v /usr/lib64/firefox/bin/firefox
/usr/lib64/firefox/bin/firefox:
         PT_PAX    : -em--
         XATTR_PAX : -em--

Sidenote:
Even after running migrate-pax -m, there are binaries on the system having
only PT_PAX marking. Example:
migrate-pax -m
paxctl-ng -v /usr/bin/clear
/usr/bin/clear:
         PT_PAX    : -e---
         XATTR_PAX : not found

Is that expected?
Unfortunately it is very difficult to find everything that links against everything on a system. First there's just a simple logistic problem, going through all ELF on a system and running ldd (or readelf -d) is time consuming and likely to miss stuff. On gentoo with portage (not paludis!) we have linkage info in NEEDED.ELF.2 in vdb created at build time by examing linkage info, but this also can't be everything. Consider plugins that dlopen-ed at runtime. 

So something will be missed.

BUT!
That's not what's happening there. No XATTR_PAX flags implies the default markings which is "-e---". This is so we don't have to go around creating xattrs on every ELF binary on your system just to get the default. Upstream wanted it that way and it does make sense. 

Hope that makes sense.



Regards:
Dw.




--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

Reply via email to