Bug 38662 - java, javac, jar, etc. die
Summary: java, javac, jar, etc. die
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: x86 Linux
Importance: High critical
Assignee: The Gentoo Linux Hardened Team
Reported: 2004-01-18 16:09 UTC by Trevor Clarke
Modified: 2004-01-20 21:31 UTC
Description Trevor Clarke 2004-01-18 16:09:59 UTC
blackdown jdk and sun jdk programs return immediately with "Killed". I can only execute java -help. Happens with javac, jar, etc. as well.

I set the system jdk and paths as detailed in the gentoo java doc. I even tried manually installing Sun's JDK (1.4.2_03).

The system is a near virgin gentoo install with a couple of ebuilds added.

Reproducible: Always
Steps to Reproduce:
1. java

Actual Results:  
$ java
Killed
$

Expected Results:  
run a java program, complain about no main method, etc.

Portage 2.0.49-r21 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r3, 2.4.20-gentoo-r6)
=================================================================
System uname: 2.4.20-gentoo-r6 i686 Pentium III (Katmai)
Gentoo Base System version 1.4.3.10
ccache version 2.3 [enabled]
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O3 -march=pentium3 -fprefetch-loop-arrays -funroll-loops -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/afs/C /etc/afs/afsws /etc/gconf /etc/env.d"
CXXFLAGS="-O3 -march=pentium3 -fprefetch-loop-arrays -funroll-loops -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="ftp://csociety-ftp.ecn.purdue.edu/pub/gentoo/
http://mirrors.tds.net/gentoo http://csociety-ftp.ecn.purdue.edu/pub/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl acpi afs apache2 avi berkdb crypt cups dedicated doc encode foomaticdb
gdbm gif gpm gtk2 icc imlib ipv6 java jikes jpeg libg++ libwww mad matrox mpeg
mpi ncurses oggvorbis oss pam pdflib perl png postgres python quicktime readline
samba sasl slang slp spell sse ssl svga tiff x86 xml2 zlib"
Comment 1 Adrian Almenar 2004-01-18 18:55:32 UTC
Are you using grsecurity enabled in your kernel?
Comment 2 Trevor Clarke 2004-01-18 19:33:03 UTC
Yes, I assume that's the problem. Should I remove it completely or is there a specific setting that should be changed?
Comment 3 Adrian Almenar 2004-01-18 21:26:07 UTC
Please assign this bug to somebody with GRSecurity Knowledge and/or PAX Knowledge.
Comment 4 Trevor Clarke 2004-01-19 08:03:33 UTC
Now that I know what the problem was, I looked through some of the documentation and figured out how to use chpax. I have fixed the problem with: chpax -s /opt/black.../bin/*
Thanks for the assistance.
Comment 5 solar (RETIRED) gentoo-dev 2004-01-20 21:30:50 UTC
Trevor,
This falls under known issues for us.

Java by design requires the full address space to be RWX and the executable base address not to be randomized. This means you can't really have PaX protect all of it. However, a workaround is available to you so you don't have to disable PaX system-wide on your system at all.

Here are your options.

option 1) (Suggested)

emerge chpax
/etc/init.d/chpax start

At this point it will set all the proper PaX flags on the java binaries and other files you may have installed. These are defined by the filenames in /etc/conf.d/chpax, and I try to keep that file up to date when end users report other known binaries that for one reason or another need special PaX flags set to function.

# Note: The md5sums will change on all the ELF executables at this time as chpax will write a one byte flag in the ELF eheader.

option 2)

chpax -spr /opt/*jdk*/{jre,}/bin/*

-- Using the tool scanelf from pax-utils.
My working java looks like this.

solar@simple / $ scanelf /opt/*jdk*/{jre,}/bin
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/java
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/keytool
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/policytool
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/kinit
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/klist
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/ktab
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/rmiregistry
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/rmid
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/orbd
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/servertool
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/tnameserv
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/jre/bin/java_vm
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/java
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/javac
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/javadoc
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/javah
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/idlj
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/keytool
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/jarsigner
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/policytool
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/kinit
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/klist
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/ktab
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/jar
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/appletviewer
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/rmic
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/rmiregistry
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/rmid
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/javap
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/native2ascii
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/serialver
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/orbd
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/servertool
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/tnameserv
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/extcheck
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/jdb
Comment 6 solar (RETIRED) gentoo-dev 2004-01-20 21:31:19 UTC
I'm surprised you got it to work at all without the -r
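
Added example, not part of the bug thread or of pax-utils: a shell function that audits scanelf output in the `FLAGS TYPE PATH` layout shown in comment 5, checking that binaries under the JDK directory carry the p, s and r flags from option 2 (including the -r that comment 6 points to) and reporting any file outside that directory that has protections switched off. The function name, the verdict labels, the sample lines other than the first, and the reading of lowercase p, s, m, r as "switched off" (taken from the chpax option letters) are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): audit scanelf-style lines
# "FLAGS TYPE PATH" for PaX exemptions.
# Assumption: uppercase letter = feature enforced, lowercase = switched off,
# matching the chpax option letters (-spr on the page yields "peMrxs").

# pax_audit ALLOWED_PREFIX < scanelf-output
# Prints "VERDICT FLAGS PATH" per file:
#   OK          nothing relaxed
#   EXPECTED    under ALLOWED_PREFIX and carries p, s and r (option 2: -spr)
#   INCOMPLETE  under ALLOWED_PREFIX but lacks one of p, s, r
#   UNEXPECTED  outside ALLOWED_PREFIX yet has p, s, m or r switched off
pax_audit() {
    awk -v allow="$1" '
    NF >= 3 && $1 ~ /^[PpEeMmRrXxSs][PpEeMmRrXxSs]*$/ {
        flags = $1
        path = $0
        sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", path)   # keep spaces in paths
        inside  = (index(path, allow) == 1)
        relaxed = (flags ~ /[psmr]/)
        full    = (flags ~ /p/ && flags ~ /s/ && flags ~ /r/)
        if (inside) { verdict = full ? "EXPECTED" : "INCOMPLETE" }
        else if (relaxed) { verdict = "UNEXPECTED" }
        else { verdict = "OK" }
        print verdict, flags, path
    }'
}

# Constructed sample input: the first line is copied from the scanelf output
# in comment 5; the other three are made up for the demonstration.
sample_scan() {
    cat <<'EOF'
peMrxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/java
PeMRxs ET_EXEC /opt/blackdown-jdk-1.4.1_beta/bin/javac
PeMRxS ET_EXEC /bin/ls
peMrxs ET_EXEC /usr/local/bin/example-daemon
EOF
}

sample_scan | pax_audit /opt/blackdown-jdk-1.4.1_beta/
```

Lines that do not start with a six-letter flag field are skipped, so the function only fits the scanelf layout quoted in this bug.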