Atomic Secure Linux

 Post subject: error loading shared lib: libjvm.so; executable stack
Posted: Tue Jun 26, 2012 6:23 am
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 802
Location: Germany
Hi,

Trying to get the CDP backup solution to run. It needs a kernel module. I have put it at S98 in rc3.
But the service does not load.

# service cdp-server start
./cdpserver: error while loading shared libraries: libjvm.so: cannot enable executable stack as shared object requires: Permission denied
/etc/init.d/cdp-server : cdpserver could not be started

# rpm -qf /usr/sbin/r1soft/jre/lib/amd64/server/libjvm.so
r1soft-cdp-server-4.0.1-17213.x86_64

Is "execstack"-ing it the solution?
Or do I need to turn off ALLOW_kmod_loading?
Checked the wiki but not sure what's the best way:
https://www.atomicorp.com/wiki/index.ph ... t_requires

tested execstack -c /usr/sbin/r1soft/jre/lib/amd64/server/libjvm.so
with being able to execute the command but service does not start

Tested execstack -c /usr/sbin/r1soft/bin/cdpserver with no success either.

Switched off ALLOW_kmod_loading for testing. Still not working.
ASL logs:
servername kernel: cdpserver[26657]: segfault at 36863abbbd80 ip 000036863a9a4146 sp 0000725d98df2110 error 7 in ld-2.12.so[36863a99c000+20000]
servername kernel: grsec: From IP_I'm_coming_from: Segmentation fault occurred at 000036863abbbd80 in /usr/sbin/r1soft/bin/cdpserver[cdpserver:26657] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/r1soft/bin/cdpserver[cdpserver:26655] uid/euid:0/0 gid/egid:0/0

Without the ASL kernel it works.

Thanks a lot.


 Post subject: Re: error loading shared lib: libjvm.so; executable stack
Posted: Tue Jun 26, 2012 1:15 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3245
Location: Chantilly, VA
Quote:
./cdpserver: error while loading shared libraries: libjvm.so: cannot enable executable stack as shared object requires: Permission denied
/etc/init.d/cdp-server : cdpserver could not be started


Please see this FAQ:

https://www.atomicorp.com/wiki/index.ph ... t_requires

The secure kernel is protecting you from a dangerously insecure application. It's opening a giant hole in your system, and the kernel is stopping it. A non-ASL kernel doesn't care; it will happily let an application rip the kernel wide open.

Quote:
Or do I need to turn off ALLOW_kmod_loading?


No, you do not need to allow that. It's not necessary.

Quote:
tested execstack -c /usr/sbin/r1soft/jre/lib/amd64/server/libjvm.so
with being able to execute the command but service does not start


So what error does your insecure application produce when you try to start it? Looking at the library involved, it looks like you may be trying to start java. If that is correct, then please see this FAQ:

https://www.atomicorp.com/wiki/index.ph ... ped_by_PAX

Quote:
servername kernel: cdpserver[26657]: segfault at 36863abbbd80 ip 000036863a9a4146 sp 0000725d98df2110 error 7 in ld-2.12.so[36863a99c000+20000]
servername kernel: grsec: From IP_I'm_coming_from: Segmentation fault occurred at 000036863abbbd80 in /usr/sbin/r1soft/bin/cdpserver[cdpserver:26657] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/r1soft/bin/cdpserver[cdpserver:26655] uid/euid:0/0 gid/egid:0/0


The kernel is just reporting that your application segfaulted. It doesn't cause this. Non-ASL kernels do not log segfaults (although they still occur), the ASL just happens to log these.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: error loading shared lib: libjvm.so; executable stack
Posted: Tue Jun 26, 2012 1:31 pm
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 802
Location: Germany
Thanks Mike for your feedback. Yes, it's trying to load java.

Scott took care of the ticket and updated gradm. Together with my feedback we could pinpoint the "root" of the problem.
I have posted my last questions in the ticket. It's case no. #16131

It's a backup software. I'm not an expert in coding but I do know that certain features of applications like this will lower your security. Almost any backup solution except simple tar causes security risks. At least I haven't found a good, simple and end customer orientated backup solution that does not bring security risks with it.

It's always a mix of security and functionality. And I'm trying to find my (not the!) best way between backup, which brings another sort/layer of security, and "real" security and risk prevention.

