
Does bcrypt need an execstack?

Open HemilTheRebel opened this issue 5 years ago • 9 comments

I cloned and downloaded bcrypt as per instructions. I wrote this sample code:

#include <iostream>
#include <string>
#include <bcrypt/BCrypt.hpp>

int main(){
        std::string password;

        // read the plaintext password from stdin
        std::cout << "Enter the password\n";
        std::getline(std::cin, password);

        // hash it with libbcrypt's default work factor and print the result
        BCrypt bcrypt;
        std::cout << bcrypt.generateHash(password) << "\n";
}

I compiled using g++ test.cpp -lbcrypt -Wl,-rpath=/usr/local/lib64 and it works. I then tried to incorporate bcrypt in my web app. The goal of the app is to add users to a database. I am using bcrypt to hash the passwords. But my error_log says that

error while loading shared libraries: libbcrypt.so.1: cannot enable executable stack as shared object requires: Permission denied

If I disable SELinux, it works. But I don't want to do it. So I wanted to ask if bcrypt actually needs an executable stack? I am asking this because one of the solutions when I googled the issue was to disable creation of executable stack for that library.

I am using fastcgi++ on Fedora 29 Workstation.

HemilTheRebel, Apr 03 '19 04:04

When I look for permissions of libbcrypt in /usr/local/lib64, this is the output:

lrwxrwxrwx. 1 root root      14 Apr  1 19:33 libbcrypt.so -> libbcrypt.so.1
lrwxrwxrwx. 1 root root      18 Apr  1 19:33 libbcrypt.so.1 -> libbcrypt.so.1.0.0
-rwxr-xr-x. 1 root root   34416 Apr  1 19:32 libbcrypt.so.1.0.0

HemilTheRebel, Apr 03 '19 04:04

I disabled the execstack and everything works fine. But shouldn't it be the default?

HemilTheRebel, Apr 04 '19 02:04

On which architecture are you running libbcrypt?

kriive, Apr 04 '19 13:04

I am on Intel's x86 @kriive

HemilTheRebel, Apr 04 '19 15:04

Okok, I'm working on a version where execstack is disabled: https://github.com/kriive/libbcrypt/tree/fix/issue-17 . It's still in development, but if you want to check it out, it's there. Hopefully I can pull request as soon as I verify it's all good.

kriive, Apr 12 '19 12:04

Thanks a lot. But I am curious to know under what circumstance does libbcrypt use an exec stack because I have it disabled. I am not a security expert but isn't it a security vulnerability? @kriive

HemilTheRebel, Apr 12 '19 16:04

Yes, it could lead to a security vuln. libbcrypt does not need an executable stack. We should mark libbcrypt's stack as not executable asap.

kriive, Apr 12 '19 16:04

Thank God it does not use an exec stack. Because it might have failed at times if it needed an exec stack, as I had disabled it. Don't know how it slipped everyone's eyes. Thanks for the help. I really appreciate the quick response @kriive

HemilTheRebel, Apr 13 '19 07:04

@kriive can you point out how to mark the stack? I'm not an SELinux expert myself but I'd like to get this issue resolved.

trusch, Nov 13 '19 06:11
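The "cannot enable executable stack" error above comes from the PT_GNU_STACK program header in the shared object, which is what `readelf -lW libbcrypt.so.1.0.0 | grep GNU_STACK` reports. The following is an added example, not code from libbcrypt or from anyone in this thread, that parses that header directly so you can check a library before deciding whether SELinux or the build is at fault; `make_elf` builds a constructed toy ELF image only to exercise the check, and `check_file` is the function to point at a real .so.

```python
import struct

# ELF constants (as defined in elf.h)
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def stack_is_executable(elf: bytes):
    """Inspect PT_GNU_STACK in a 64-bit ELF image.

    Returns True if the object asks for an executable stack (PF_X set),
    False if PT_GNU_STACK is present without PF_X, and None if the header
    is missing entirely; on x86 the loader treats a missing header as a
    request for an executable stack, which is what SELinux then refuses.
    """
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("only ELFCLASS64 images are handled here")
    e = "<" if elf[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    (e_phoff,) = struct.unpack_from(e + "Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(e + "II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None


def check_file(path: str):
    """Run the same check on a file, e.g. /usr/local/lib64/libbcrypt.so.1.0.0."""
    with open(path, "rb") as f:
        return stack_is_executable(f.read())


def make_elf(stack_flags=None) -> bytes:
    """Constructed minimal ELF64 LE image (not a real library): one PT_LOAD
    header plus, if stack_flags is not None, one PT_GNU_STACK header."""
    phdrs = [(1, PF_R | PF_X)]                                  # PT_LOAD
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)        # 64-bit, LE, v1
    # e_type=ET_DYN, e_machine=x86-64, phoff=64, ehsize=64, phentsize=56
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0,
                              64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x1000)
                    for t, f in phdrs)
    return hdr + body


if __name__ == "__main__":
    for label, flags in [("execstack", PF_R | PF_W | PF_X),
                         ("noexecstack", PF_R | PF_W), ("no header", None)]:
        print(f"{label:12s} executable stack: {stack_is_executable(make_elf(flags))}")
```

If the real library reports True, the durable fix is at build time rather than patching the installed file with `execstack -c`: link with `-Wl,-z,noexecstack`, or add a `.note.GNU-stack` section to any assembly sources, since GNU ld assumes an object without that note needs an executable stack.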