RE: WINE + NX (No eXecute) support for x86, 2.6.7-rc2-bk2

From: Felipe Alfaro Solana
Date: Wed Jun 09 2004 - 14:59:05 EST

Next message: Nguyen, Tom L: "Re: 2.6.7-rc3-mm1"
Previous message: William Lee Irwin III: "Re: 2.6.7-rc3-mm1"
In reply to: Evaldo Gardenali: "RE: WINE + NX (No eXecute) support for x86, 2.6.7-rc2-bk2"
Next in thread: Stefanos Harhalakis: "Re: WINE + NX (No eXecute) support for x86, 2.6.7-rc2-bk2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2004-06-09 at 19:14 +0200, Jesper Juhl wrote:

> Just having the abillity to turn protection off opens the door. If it is
> possible to turn it off then a way will be found to do it - either via
> buggy kernel code or otherwhise. Only safe approach is to have it
> enabled by default and not be able to turn it off IMHO.

Much like LIDS works... You can configure, at build time, the kernel so
you can't switch the LIDS protection at all. Moreover, in case you want
to allow switching LIDS on/off, you can restrict such change to a
program that is running, at most, at the console, or over a serial line.

IMHO, I think that by definition, and programatically, allowing NX/
ExecShield to be turned on and off is an exploitable way of cracking a
system. I'd better like the LIDS approach.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Nguyen, Tom L: "Re: 2.6.7-rc3-mm1"
Previous message: William Lee Irwin III: "Re: 2.6.7-rc3-mm1"
In reply to: Evaldo Gardenali: "RE: WINE + NX (No eXecute) support for x86, 2.6.7-rc2-bk2"
Next in thread: Stefanos Harhalakis: "Re: WINE + NX (No eXecute) support for x86, 2.6.7-rc2-bk2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]