Does bcrypt need an execstack? #17

Open
HemilTheRebel opened this issue Apr 3, 2019 · 9 comments

@HemilTheRebel

I cloned and downloaded bcrypt as per instructions. I wrote this sample code:

#include <iostream>
#include <string>   // std::string, std::getline
#include <bcrypt/BCrypt.hpp>

int main(){
        std::string password;

        std::cout << "Enter the password\n";
        std::getline(std::cin, password);

        BCrypt bcrypt;
        std::cout << bcrypt.generateHash(password) << "\n";
}

I compiled using g++ test.cpp -lbcrypt -Wl,-rpath=/usr/local/lib64 and it works. I then tried to incorporate bcrypt in my web app. The goal of the app is to add users to a database. I am using bcrypt to hash the passwords. But my error_log says that

error while loading shared libraries: libbcrypt.so.1: cannot enable executable stack as shared object requires: Permission denied

If I disable SELinux, it works. But I don't want to do it. So I wanted to ask if bcrypt actually needs an executable stack? I am asking this cause one of the solutions when I googled the issue was to disable creation of executable stack for that library.

I am using fastcgi++ on Fedora 29 Workstation

@HemilTheRebel
Author

When I look for permissions of libbcrypt in /usr/local/lib64, this is the output:

lrwxrwxrwx. 1 root root      14 Apr  1 19:33 libbcrypt.so -> libbcrypt.so.1
lrwxrwxrwx. 1 root root      18 Apr  1 19:33 libbcrypt.so.1 -> libbcrypt.so.1.0.0
-rwxr-xr-x. 1 root root   34416 Apr  1 19:32 libbcrypt.so.1.0.0

@HemilTheRebel
Author

I disabled the execstack and everything works fine. But shouldn't it be the default?

@kriive
Contributor

kriive commented Apr 4, 2019

On which architecture are you running libbcrypt?

@HemilTheRebel
Author

I am on Intel's x86 @kriive

@kriive
Contributor

kriive commented Apr 12, 2019

Okok, I'm working on a version where execstack is disabled: https://github.com/kriive/libbcrypt/tree/fix/issue-17
It's still in development, but if you want to check it out, it's there. Hopefully I can pull request as soon as I verify it's all good.

@HemilTheRebel
Author

Thanks a lot. But I am curious to know under what circumstance does libbcrypt use an exec stack because I have it disabled. I am not a security expert but isn't it a security vulnerability? @kriive

@kriive
Contributor

kriive commented Apr 12, 2019

Yes, it could lead to a security vuln. libbcrypt does not need an executable stack. We should mark libbcrypt's stack as not executable asap.

@HemilTheRebel
Author

Thank God it does not use an exec stack. Because it might have failed at times if it needed an exec stack as I had disabled it. Don't know how it slipped everyone's eyes. Thanks for the help. I really appreciate the quick response @kriive

@trusch
Owner

trusch commented Nov 13, 2019

@kriive can you point out how to mark the stack? I'm not a selinux expert myself but I'd like to get this issue resolved.
