security - Add stack protection removal flags to apache compilation script -

-

for study purposes i'd test buffer overflow exploits on old 1.3.x version of apache webserver. anyway have stack protection on, doesn't work or @ least think doesn't reason. in order disable protections have compile these flags:

-fno-stack-protector -z execstack

but don't know how add them apache compilation process..i never did this! can me?

try:

cflags="-fno-stack-protector" ldflags="-z execstack" ./configure [...]

cflags compiler, execstack linker option, should go in ldflags. or, if supported can compiler pass linker options -with -wl, so:

cflags="-fno-stack-protector -wl,-z,execstack" ./configure [...]

see install file in apache source archive more details.

it's useful inspect or compare generated top-level makefile, should see parameters in either or both of extra_cflags , extra_ldflags.

given task have, if you're running linux distribution has periodic pre-linking , aslr task, should check install apache path not processed, otherwise testing might complicated when apache binary "fixed" 1 night...

check if prelink installed with

 dpkg -l prelink      # ubuntu/debian derived  rpm -qv prelink      # centos/red hat derived

and check configuration (usually) in /etc/prelink.conf , 1 of: /etc/defaults/prelink or /etc/sysconfig/prelink .

on ubuntu (but not on centos/rh) directories under /usr/local/ (bin, sbin, lib) are included processing. if install apache default /usr/local/apache should untouched, or if want thorough can add directory blacklist (-b) line /etc/prelink.conf


Comments

Post a Comment

Popular posts from this blog

Capture and play voice with Asterisk ARI -

-
there channel ari demo in wich can control channel state: ring, answer, play silence, play tone or audio-file ( https://github.com/asterisk/ari-examples/tree/master/channel-state , https://wiki.asterisk.org/wiki/display/ast/ari+and+channels%3a+manipulating+channel+state ) possible receive chunks (parts, buffers, etc.) of call voice (which created remote subscriber) or write chunks of voice, example array of bytes (not file) in audio format (alaw, ulow etc). you can use asterisk eagi interface voice data. other option use record or mixmonitor app record channel(channel have put stasis allow dialplan control ari) "write chunks of voice" can done application playback also can create own application using c/c++, compile asterisk , result want. no, can't redirect voice directly using ari.
Read more

c - Unrecognised emulation mode: elf_i386 on MinGW32 -

-
i'm trying make kernel, , cannot link c output assembly. ld . i'm getting error: unrecognized emulation mode: elf_i386 i'm using windows 10 professional mingw32 , msys. code using: link.ld /* * link.ld */ output_format(elf32-i386) entry(start) sections { . = 0x100000; .text : { *(.text) } .data : { *(.data) } .bss : { *(.bss) } } kernel.c /* * kernel.c */ void kmain(void) { const char *str = "my first kernel"; char *vidptr = (char*)0xb8000; //video mem begins here. unsigned int = 0; unsigned int j = 0; /* loops clears screen * there 25 lines each of 80 columns; each element takes 2 bytes */ while(j < 80 * 25 * 2) { /* blank character */ vidptr[j] = ' '; /* attribute-byte - light grey on black screen */ vidptr[j+1] = 0x07; j = j + 2; } j = 0; /* loop writes string video memory */ while(str[j] != '\0') { /...
Read more

magic numbers - Java's checkstyle, MagicNumberCheck -

-
i using checkstyle reportings source-code. question magicnumbercheck . i using date/(org.joda.)datetime in source code this: datetime datetime = new datetime(2013, 2, 27, 23, 0): datetime.plushours(57); is there way suppress magicnumbercheck notifications if magic number within date or datetime? you can use suppressioncommentfilter check this. configure properties values (in checkstyle configuration file) <module name="suppressioncommentfilter"> <property name="offcommentformat" value="check\:off\: ([\w\|]+)"/> <property name="oncommentformat" value="check\:on\: ([\w\|]+)"/> <property name="checkformat" value="$1"/> </module> now required lines, can like //check:off: magicnumber datetime datetime = new datetime(2013, 2, 27, 23, 0): datetime.plushours(57); //check:on: magicnumber this suppress magicnumber checks , rest checks work here. you can su...
Read more