[static_cast]

Is a grsecurity[1] patched kernel safe? I only have a machine with a 2.6.32-grsec kernel, so I can't test the exploit.

In the features list they state:

    /proc/pid filedescriptor/memory protection

But I'm unaware how they implemented that.

1: http://grsecurity.net/features.php

[lloeki]

it affects only 2.6.39 and up.

EDIT: sorry, misread the parent.

[static_cast]

I know. I want to know if someone with a kernel >=2.6.39 and applied grsecurity patch can successfully use this exploit or if grsecurity protects from this exploit.

[pferde]

Just tried it on 3.0.4 with grsecurity enabled, and it didn't work, so there.

[static_cast]

Thanks. I guess It's finally time for me to move every machine to a grsecurity kernel.

[ColdAsIce]

Would you be interested in a grsecurity distro?

[static_cast]

I'd love to see up to date stable grsecurity kernel repositories for the major distributions (ubuntu, debian, rhel/centos) that provide patched versions of the distribution kernel. You can configure most of grsecurity via the sysctl interface. At the moment it is always a bit of hassle to patch & compile a kernel from hand even with the great debian/ubuntu kernel-package.

I don't think I'll use an extra distribution. But something like a hardened LAMP/LAPP stack for shared hosting out of the box in a distribution would be great (I think in terms of easy chrooting of users and php, secure permissions, etc.pp) However, I guess everyone has different needs and there is no one size that fits for all.