Hot off the presses: Digital Engineering has developed a non-exec-stack patch for Digital Unix 4.0D. This must be applied *ONLY* to Digital Unix 4.0D with the BL11 jumbo patch kit #3 installed. I do not know if Compaq plans on incorporating this into 4.0E or into any future or prior releases.

BL11/PK3 for DU4.0D can be obtained at:

    ftp://ftp.service.digital.com/public/dunix/v4.0d/duv40das00003-19990208.tar

After installing this patch kit, download the following two files:

    ftp://xfer.service.digital.com/to_customer/proc.mod
    ftp://xfer.service.digital.com/to_customer/std_kern.mod

Then do something of this nature to move them into /sys/BINARY, while preserving the original files (you'll probably need them for future patch kits):

    mv /sys/BINARY/proc.mod /sys/BINARY/proc.mod.orig
    mv /sys/BINARY/std_kern.mod /sys/BINARY/std_kern.mod.orig
    mv proc.mod /sys/BINARY
    mv std_kern.mod /sys/BINARY

Rebuild your kernel (cd /sys/conf/<WHATEVER>; doconfig -c <WHATEVER>), reinstall your kernel and reboot. The stack will now be non-executable by default.

To change this, add the lines:

    proc:
        executable_stack = 1

to /etc/sysconfigtab -- there is no need to reboot. Alternatively, as root issue the command:

    # sysconfig -r proc executable_stack=1

Of course, set this value to zero if you want non-exec-stack again.

I tested this against /usr/bin/mh/inc, nsralist and /usr/bin/rdist and it worked quite nicely in all cases -- setting executable_stack=1 turned back on the vulnerability.

Of course this patch may cause certain programs (like compilers) to break; keep this in mind: it may not be appropriate for workstations that have a lot of development work on them. It will probably be a good thing for servers and general-access machines though.

And remember, *ONLY* for DU4.0D with BL11.

-- 
Lamont Granquist                                       lamontgat_private
Dept. of Molecular Biotechnology                (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontgat_private | pgp -fka
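The module swap and the sysconfigtab toggle above are easy to get wrong by hand (running the mv sequence twice silently overwrites the .orig backups that later patch kits need). The following is an added example, not part of the original post and not Digital's code: a POSIX sh script with two functions, one that stages the replacement modules only after checking that the originals exist and no backup is already in place, and one that reads the effective executable_stack value from a sysconfigtab-style file, treating an absent attribute as 0 (the patched kernel's default). Directory and file names are parameters so the functions can be exercised against a scratch directory; on a real system they would be /sys/BINARY and /etc/sysconfigtab. The attribute names other than executable_stack in the demo data are constructed, not real kernel attributes.

```shell
#!/bin/sh
# Added example (not from the original post): safely stage the two
# replacement kernel modules and read the executable_stack setting.

# stage_nx_mods SRC_DIR BIN_DIR
# Renames BIN_DIR/{proc.mod,std_kern.mod} to *.orig and moves the
# replacements from SRC_DIR into place. Refuses to run if a replacement or
# an original is missing, or if a .orig backup already exists, so a second
# run cannot overwrite the pristine originals.
stage_nx_mods() {
    src="$1"; bin="$2"
    for f in proc.mod std_kern.mod; do
        [ -f "$src/$f" ] || { echo "missing replacement $src/$f" >&2; return 1; }
        [ -f "$bin/$f" ] || { echo "no original $bin/$f to back up" >&2; return 1; }
        [ ! -e "$bin/$f.orig" ] || { echo "backup $bin/$f.orig already exists" >&2; return 1; }
    done
    for f in proc.mod std_kern.mod; do
        mv "$bin/$f" "$bin/$f.orig" || return 1
        mv "$src/$f" "$bin/$f" || return 1
    done
    return 0
}

# stack_exec_setting SYSCONFIGTAB
# Prints the value of executable_stack found in the "proc:" stanza, or 0 when
# the attribute is absent there. Stanzas are "name:" lines followed by
# indented "attribute = value" lines; an executable_stack line in some other
# stanza does not count.
stack_exec_setting() {
    awk '
        /^[A-Za-z_][A-Za-z0-9_]*:[ \t]*$/ {
            stanza = $1; sub(/:.*/, "", stanza); next
        }
        stanza == "proc" && $0 ~ /^[ \t]*executable_stack[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)
            sub(/[ \t]*$/, "", v)
            print v; found = 1; exit
        }
        END { if (!found) print 0 }
    ' "$1"
}

# demo: run both functions against constructed files in a scratch directory.
demo() {
    d="${TMPDIR:-/tmp}/nxdemo.$$"
    mkdir -p "$d/src" "$d/bin" || return 1
    echo "original proc.mod"     > "$d/bin/proc.mod"      # constructed stand-ins
    echo "original std_kern.mod" > "$d/bin/std_kern.mod"
    echo "patched proc.mod"      > "$d/src/proc.mod"
    echo "patched std_kern.mod"  > "$d/src/std_kern.mod"
    stage_nx_mods "$d/src" "$d/bin" && echo "staged: $(ls "$d/bin")"
    stage_nx_mods "$d/src" "$d/bin" || echo "second run refused, backups intact"
    printf 'proc:\n\texecutable_stack = 1\n' > "$d/sysconfigtab"   # constructed
    echo "executable_stack = $(stack_exec_setting "$d/sysconfigtab")"
    rm -rf "$d"
}

if [ "${1-}" = demo ]; then demo; fi
```

Run it as `sh nx_stage.sh demo` to see the staging, the refused second run and the parsed setting; on a live system you would call stage_nx_mods with the download directory and /sys/BINARY, then rebuild the kernel exactly as the post describes. stack_exec_setting only reads the file; the live value is what `sysconfig -q proc executable_stack` reports once the patched kernel is running.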
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:06 PDT