[racket] Racket on Centos?

From: Juan Francisco Cantero Hurtado (iam at juanfra.info)
Date: Sun Jan 18 15:10:30 EST 2015

On 01/18/2015 02:38 AM, Neil Van Dyke wrote:
>
> Neil Toronto wrote on 01/17/2015 07:57 PM:
>>
>> Ubuntu has had ASLR enabled by default since 10.04 (about five years).
>> During that time, in my experience, it's never affected Racket.
>>
>> I do have to use "setarch i686 -R" to disable ASLR to run Maxima,
>> which is written in Common Lisp. So it's a problem for some GC'd
>> runtimes, but apparently not our favorite one. :D
>
> You could be right; I'm fuzzy on this, due to one experience.  A few
> years ago, one of my clients ran into a problem with long-running Racket
> server processes on Ubuntu that (in native stack trace) looked like
> ASLR.   Problem disappeared once ASLR was disabled. They were probably
> still using the `cgc` (not `3m`) collector at that time, and it was
> probably around the time they migrated to Ubuntu Server 10.04.
>
> (Then again, they might've still had some C extensions in their Racket
> app at that time, so all bets are off.  The C code quality was good, as
> C code quality goes, but still.  I eventually replaced all the C code in
> that app with pure Racket and external native processes, for various
> other reasons.  A lot of uncontrolled variables here, but I recall no
> problems like the ones we thought were ASLR, since we disabled ASLR.  If
> it turns out that ASLR is a problem, it's a bad enough and
> hard-to-diagnose problem that everyone putting apps into production
> needs to know about it.)
>

ASLR is not a problem with racket, unless you build the libs as non-PIC 
and the binaries as non-PIE (i.e. changing the defaults).

The problem with GCs and JITs is related to the mixing of
executable and writable pages [1][2]. Linux partially allows this type
of operation, but some security-focused extensions like SELinux or
grsecurity follow the opposite approach.

Fortunately, SELinux will notify which rule is violating racket.


1. https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Restrict_mprotect.28.29
2. https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Emulate_trampolines


Posted on the users mailing list.
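
The message above says SELinux reports which rule a runtime trips when it mixes writable and executable pages. The following is an added example, not part of the original message or of Racket: it pulls the memory-protection denials (execmem, execstack, execheap, execmod) out of audit log lines. The log lines, the contexts and the paths in it are constructed for illustration.

```python
import re

# SELinux permissions that gate making memory both writable and executable.
WX_PERMS = {
    "execmem": "anonymous or private writable mapping made executable",
    "execstack": "main thread stack made executable",
    "execheap": "heap memory made executable",
    "execmod": "modified private file mapping made executable (text relocation)",
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def wx_denials(lines, comm=None):
    """Return one dict per W^X-related AVC denial, optionally for one comm."""
    hits = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record (e.g. a SYSCALL record)
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        if comm is not None and fields.get("comm") != comm:
            continue
        for perm in m.group("perms").split():
            if perm in WX_PERMS:
                hits.append({
                    "perm": perm,
                    "comm": fields.get("comm"),
                    "pid": fields.get("pid"),
                    "tclass": fields.get("tclass"),
                    "path": fields.get("path"),  # None when the record has no path
                    "meaning": WX_PERMS[perm],
                })
    return hits

# Constructed sample audit.log lines (not captured from a real system).
CTX = "scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0"
SAMPLE_LOG = [
    f'type=AVC msg=audit(1421611830.101:501): avc:  denied  {{ execmem }} for  pid=2211 comm="racket" {CTX} tclass=process',
    f'type=AVC msg=audit(1421611831.202:502): avc:  denied  {{ read }} for  pid=2211 comm="racket" name="example.rktd" {CTX} tclass=file',
    f'type=AVC msg=audit(1421611832.303:503): avc:  denied  {{ execmod }} for  pid=2211 comm="racket" path="/opt/example/lib/libexample.so" {CTX} tclass=file',
    'type=SYSCALL msg=audit(1421611832.303:503): arch=c000003e syscall=10 success=no exit=-13 comm="racket"',
    f'type=AVC msg=audit(1421611833.404:504): avc:  denied  {{ execstack }} for  pid=2400 comm="maxima" {CTX} tclass=process',
]

if __name__ == "__main__":
    for hit in wx_denials(SAMPLE_LOG, comm="racket"):
        print(f'{hit["comm"]}[{hit["pid"]}] {hit["perm"]}: {hit["meaning"]}')
```

An execmod hit naming a shared library points at the non-PIC build case mentioned in the message, while execmem on the process itself points at JIT or GC code pages.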