
paxctl(1) [debian man page]

paxctl(1)								PaX								 paxctl(1)

NAME
       paxctl - user-space utility to control PaX flags

SYNTAX
       paxctl <flags> <files>

DESCRIPTION
       paxctl is a tool that allows PaX flags to be modified on a per-binary basis. PaX is part of common security-enhancing kernel patches and secure distributions, such as GrSecurity and Hardened Gentoo, respectively. Your system needs to be running a properly patched and configured kernel for this program to have any effect.

       -P     enforce paging based non-executable pages (PAGEEXEC)
       -p     do not enforce paging based non-executable pages (NOPAGEEXEC)
       -E     emulate trampolines (EMUTRAMP)
       -e     do not emulate trampolines (NOEMUTRAMP)
       -M     enforce secure memory protections (MPROTECT)
       -m     do not enforce secure memory protections (NOMPROTECT)
       -R     randomize memory regions (RANDMMAP)
       -r     do not randomize memory regions (NORANDMMAP)
       -X     randomize base address of normal (ET_EXEC) executables (RANDEXEC)
       -x     do not randomize base address of normal (ET_EXEC) executables (NORANDEXEC)
       -S     enforce segmentation based non-executable pages (SEGMEXEC)
       -s     do not enforce segmentation based non-executable pages (NOSEGMEXEC)
       -v     view flags
       -z     reset all flags (further flags still apply)
       -c     create the PT_PAX_FLAGS program header if it does not exist by converting the PT_GNU_STACK program header if it exists
       -C     create the PT_PAX_FLAGS program header if it does not exist by adding a new program header, if it is possible
       -q     suppress error messages
       -Q     report flags in short format

CAVEATS
       The old PaX flag location and control method have been obsoleted; if your kernel and binaries use it you have to use chpax(1) instead (it is recommended to use PT_PAX_FLAGS along with -c or -C, however).

       Converting PT_GNU_STACK into PT_PAX_FLAGS means that the information in the former is destroyed; in particular you must make sure that the EMUTRAMP PaX option is properly set in the newly created PT_PAX_FLAGS. The secure way is to disable EMUTRAMP first and, if PaX reports stack execution attempts from nested function trampolines, then enable it. Note that the new PT_PAX_FLAGS is created in the same state that binutils/ld itself would produce (equivalent to -zex).

       Note that if you use both PT_PAX_FLAGS and the extended attribute PaX flags on a binary then they must be exactly the same (except for RANDEXEC).

       Note that RANDEXEC is no longer supported by PaX kernels since 2.6.13; the paxctl flags are simply ignored there.

       Note that paxctl does not make backup copies of the files it modifies.

       Note that paxctl is meant to work on the native architecture's binaries only; however, it should work on foreign binaries as long as they have the same endianness as the native architecture (e.g., an i386 paxctl should work on amd64 or little-endian arm but not on big-endian mips binaries).

AUTHOR
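What the options and the conversion caveat above mean at the byte level, as an added example (not code from this man page or from the PaX project): the PaX flags live in the p_flags word of a PT_PAX_FLAGS program header, each paxctl letter sets one bit and clears its opposite, -z clears them all, and -c rewrites an existing PT_GNU_STACK header into PT_PAX_FLAGS starting from the -zex state, discarding the stack flags it carried. The flag bit values and the PT_PAX_FLAGS/PT_GNU_STACK type numbers are PaX's published constants; the ELF64 image the code operates on is constructed in memory and is a fixture, not an executable.

```python
"""Read, convert and edit the PT_PAX_FLAGS program header of an ELF64 image.

Added example, not the paxctl man page's or PaX's own code. It mirrors the
bit-level effect of paxctl -P/-p -S/-s -M/-m -X/-x -E/-e -R/-r, -z and -c.
"""
import struct

PT_GNU_STACK = 0x6474E551
PT_PAX_FLAGS = 0x65041580

# PaX flag bits carried in the p_flags word of the PT_PAX_FLAGS header.
FLAG_BITS = {
    "PAGEEXEC": 1 << 4, "NOPAGEEXEC": 1 << 5,
    "SEGMEXEC": 1 << 6, "NOSEGMEXEC": 1 << 7,
    "MPROTECT": 1 << 8, "NOMPROTECT": 1 << 9,
    "RANDEXEC": 1 << 10, "NORANDEXEC": 1 << 11,
    "EMUTRAMP": 1 << 12, "NOEMUTRAMP": 1 << 13,
    "RANDMMAP": 1 << 14, "NORANDMMAP": 1 << 15,
}
PAX_MASK = sum(FLAG_BITS.values())
# paxctl option letter -> flag it turns on (its opposite is turned off).
OPTION_FLAG = {
    "P": "PAGEEXEC", "p": "NOPAGEEXEC", "S": "SEGMEXEC", "s": "NOSEGMEXEC",
    "M": "MPROTECT", "m": "NOMPROTECT", "X": "RANDEXEC", "x": "NORANDEXEC",
    "E": "EMUTRAMP", "e": "NOEMUTRAMP", "R": "RANDMMAP", "r": "NORANDMMAP",
}


def opposite(name):
    return name[2:] if name.startswith("NO") else "NO" + name


def apply_options(p_flags, letters):
    """Apply a paxctl letter string such as "zem" to a p_flags word: -z clears
    every PaX bit, any other letter sets one flag and clears its opposite."""
    for ch in letters:
        if ch == "z":
            p_flags &= ~PAX_MASK
        elif ch in OPTION_FLAG:
            name = OPTION_FLAG[ch]
            p_flags = (p_flags | FLAG_BITS[name]) & ~FLAG_BITS[opposite(name)]
        else:
            raise ValueError("unsupported paxctl option -" + ch)
    return p_flags


def describe(p_flags):
    """Names of the PaX flags present in a p_flags word (what -v reports)."""
    return [name for name, bit in FLAG_BITS.items() if p_flags & bit]


def program_headers(elf):
    """Yield (file offset, p_type, p_flags) for each phdr of an LE ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", elf, off)
        yield off, p_type, p_flags


def pax_flags(elf):
    """The PT_PAX_FLAGS p_flags word, or None if the binary has no such header."""
    for _, p_type, p_flags in program_headers(elf):
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None


def set_pax_flags(elf, letters, convert_gnu_stack=False):
    """Return a copy of `elf` with `letters` applied to its PT_PAX_FLAGS header.
    convert_gnu_stack=True is paxctl -c: when no PT_PAX_FLAGS exists, the
    PT_GNU_STACK header is retyped, its stack flags are discarded and the new
    header starts in the -zex state, so EMUTRAMP must be decided explicitly."""
    buf = bytearray(elf)
    target = None
    for off, p_type, p_flags in program_headers(buf):
        if p_type == PT_PAX_FLAGS:
            target = (off, p_flags)
            break
        if p_type == PT_GNU_STACK and convert_gnu_stack:
            target = (off, apply_options(0, "zex"))
    if target is None:
        raise ValueError("no PT_PAX_FLAGS header; paxctl would need -c or -C")
    off, flags = target
    struct.pack_into("<II", buf, off, PT_PAX_FLAGS, apply_options(flags, letters))
    return bytes(buf)


def build_elf(phdrs):
    """Constructed fixture: a minimal LE ELF64 image holding only the given
    (p_type, p_flags) program headers. Not a runnable binary."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                           for t, f in phdrs)


# Constructed sample: a PT_LOAD (R+X) and a PT_GNU_STACK (R+W, non-executable
# stack as ld emits it), with no PT_PAX_FLAGS header yet.
SAMPLE = build_elf([(1, 5), (PT_GNU_STACK, 6)])

if __name__ == "__main__":
    marked = set_pax_flags(SAMPLE, "m", convert_gnu_stack=True)  # paxctl -cm
    print(hex(pax_flags(marked)), describe(pax_flags(marked)))
```

Running it applies the equivalent of `paxctl -cm` to the sample: the converted header carries NORANDEXEC and NOEMUTRAMP from the -zex starting state plus the NOMPROTECT that -m adds (0x2a00), and the PT_GNU_STACK entry is gone, which is exactly why the caveat tells you to re-decide EMUTRAMP after a conversion. Calling set_pax_flags on a binary without the header raises instead of writing, matching paxctl's refusal without -c or -C.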
       Written by The PaX Team <pageexec@freemail.hu>

       This manpage was adapted from the chpax manpage written by Martin F. Krafft <madduck@debian.org> for the Debian GNU/Linux Distribution, but may be used by others.

SEE ALSO
       chpax(1), gradm(8)

       PaX website: http://pax.grsecurity.net
       GrSecurity website: http://www.grsecurity.net
       Hardened Gentoo website: http://www.gentoo.org/proj/en/hardened

paxctl Manual							    2012-02-19								 paxctl(1)


SETARCH(8)						       System Administration							SETARCH(8)

NAME
       setarch - change reported architecture in new program environment and set personality flags

SYNOPSIS
       setarch arch [options] [program [argument...]]
       arch [options] [program [argument...]]
       setarch --list|-h|-V

DESCRIPTION
       setarch currently only affects the output of uname -m. For example, on an AMD64 system, running setarch i386 program will cause program to see i686 instead of x86_64 as the machine type. It also allows setting various personality options. The default program is /bin/sh.

OPTIONS
       --list
              List the architectures that setarch knows about. Whether setarch can actually set each of these architectures depends on the running kernel.

       --uname-2.6
              Causes the program to see a kernel version number beginning with 2.6. Turns on UNAME26.

       -v, --verbose
              Be verbose.

       -3, --3gb
              Specifies program should use a maximum of 3GB of address space. Supported on x86. Turns on ADDR_LIMIT_3GB.

       --4gb  This option has no effect. It is retained for backward compatibility only, and may be removed in future releases.

       -B, --32bit
              Limit the address space to 32 bits to emulate hardware. Supported on ARM and Alpha. Turns on ADDR_LIMIT_32BIT.

       -F, --fdpic-funcptrs
              Treat user-space function pointers to signal handlers as pointers to address descriptors. This option has no effect on architectures that do not support FDPIC ELF binaries. In kernel v4.14 support is limited to ARM, Blackfin, Fujitsu FR-V, and SuperH CPU architectures.

       -I, --short-inode
              Obsolete bug emulation flag. Turns on SHORT_INODE.

       -L, --addr-compat-layout
              Provide legacy virtual address space layout. Use when the program binary does not have PT_GNU_STACK ELF header. Turns on ADDR_COMPAT_LAYOUT.

       -R, --addr-no-randomize
              Disables randomization of the virtual address space. Turns on ADDR_NO_RANDOMIZE.

       -S, --whole-seconds
              Obsolete bug emulation flag. Turns on WHOLE_SECONDS.

       -T, --sticky-timeouts
              This makes select(2), pselect(2), and ppoll(2) system calls preserve the timeout value instead of modifying it to reflect the amount of time not slept when interrupted by a signal handler. Use when program depends on this behavior. For more details see the timeout description in select(2) manual page. Turns on STICKY_TIMEOUTS.

       -X, --read-implies-exec
              If this is set then mmap(3) PROT_READ will also add the PROT_EXEC bit - as expected by legacy x86 binaries. Notice that the ELF loader will automatically set this bit when it encounters a legacy binary. Turns on READ_IMPLIES_EXEC.

       -Z, --mmap-page-zero
              SVr4 bug emulation that will set mmap(3) page zero as read-only. Use when program depends on this behavior, and the source code is not available to be fixed. Turns on MMAP_PAGE_ZERO.

       -V, --version
              Display version information and exit.

       -h, --help
              Display help text and exit.

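The personality bits the options above turn on are inherited by every program the wrapped process execs, so -R (ADDR_NO_RANDOMIZE), -X (READ_IMPLIES_EXEC) and -L (ADDR_COMPAT_LAYOUT) are worth auditing on a running system: a service started under them runs without the memory-layout hardening the kernel would otherwise give it. The following is an added example, not code from the setarch man page or util-linux: it composes the personality word setarch would request for a set of option letters, decodes the hex value that Linux exposes in /proc/<pid>/personality, and flags processes whose personality weakens mitigations. The flag values are those of <linux/personality.h>; the sample /proc lines are constructed, and scan_procfs() is the only part that needs a Linux /proc.

```python
"""Decode Linux personality(2) flags and spot processes running with the
mitigation-weakening bits that setarch can turn on.

Added example, not part of the setarch man page or util-linux. Flag values
are from <linux/personality.h>; /proc/<pid>/personality is a Linux file
holding the personality word in hex, readable for processes you may ptrace.
"""
import os

# Personality bits named in the setarch OPTIONS, from <linux/personality.h>.
PERSONALITY_BITS = {
    "UNAME26": 0x0020000,
    "ADDR_NO_RANDOMIZE": 0x0040000,
    "FDPIC_FUNCPTRS": 0x0080000,
    "MMAP_PAGE_ZERO": 0x0100000,
    "ADDR_COMPAT_LAYOUT": 0x0200000,
    "READ_IMPLIES_EXEC": 0x0400000,
    "ADDR_LIMIT_32BIT": 0x0800000,
    "SHORT_INODE": 0x1000000,
    "WHOLE_SECONDS": 0x2000000,
    "STICKY_TIMEOUTS": 0x4000000,
    "ADDR_LIMIT_3GB": 0x8000000,
}
PER_MASK = 0x00FF  # low byte selects the base personality (PER_LINUX is 0)

# setarch short option letter -> personality bit it turns on.
SETARCH_OPTIONS = {
    "R": "ADDR_NO_RANDOMIZE", "X": "READ_IMPLIES_EXEC", "L": "ADDR_COMPAT_LAYOUT",
    "3": "ADDR_LIMIT_3GB", "B": "ADDR_LIMIT_32BIT", "F": "FDPIC_FUNCPTRS",
    "Z": "MMAP_PAGE_ZERO", "T": "STICKY_TIMEOUTS", "I": "SHORT_INODE",
    "S": "WHOLE_SECONDS",
}
# Bits that weaken memory-layout hardening for the process and its children.
WEAKENING = {"ADDR_NO_RANDOMIZE", "READ_IMPLIES_EXEC", "ADDR_COMPAT_LAYOUT"}


def personality_word(letters, base=0):
    """Personality value setarch would pass to personality(2) for these
    option letters, on top of the base personality `base` (e.g. PER_LINUX)."""
    word = base & PER_MASK
    for ch in letters:
        word |= PERSONALITY_BITS[SETARCH_OPTIONS[ch]]
    return word


def decode(word):
    """Names of the personality flags set in `word`; the base byte is ignored."""
    return [name for name, bit in PERSONALITY_BITS.items() if word & bit]


def parse_proc_personality(text):
    """Parse the contents of /proc/<pid>/personality ('00040000') into a flag set."""
    return set(decode(int(text.strip(), 16)))


def weakened(flags):
    """The flags in `flags` that reduce the process's exploit mitigations."""
    return sorted(flags & WEAKENING)


def scan_procfs(proc="/proc"):
    """(pid, weakening flags) for every readable process that has any.
    Linux only; unreadable or vanished processes are skipped."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/personality") as f:
                flags = parse_proc_personality(f.read())
        except OSError:
            continue
        if weakened(flags):
            hits.append((int(pid), weakened(flags)))
    return hits


# Constructed sample contents of /proc/<pid>/personality for three processes.
SAMPLE_PERSONALITIES = {
    1234: "00000000",  # plain PER_LINUX: ASLR in effect
    2345: "00040000",  # started as `setarch x86_64 -R prog`: no ASLR
    3456: "00600000",  # READ_IMPLIES_EXEC | ADDR_COMPAT_LAYOUT: legacy layout
}

if __name__ == "__main__":
    for pid, text in SAMPLE_PERSONALITIES.items():
        print(pid, weakened(parse_proc_personality(text)) or "ok")
    print(scan_procfs())  # live results on a Linux host
```

personality_word("L3") is the word behind the `-vL3` invocation in the EXAMPLES below; decoding 00040000 back to ADDR_NO_RANDOMIZE is the check a responder runs when a core dump shows suspiciously stable addresses.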
EXAMPLES
       setarch ppc32 rpmbuild --target=ppc --rebuild foo.src.rpm
       setarch ppc32 -v -vL3 rpmbuild --target=ppc --rebuild bar.src.rpm
       setarch ppc32 --32bit rpmbuild --target=ppc --rebuild foo.src.rpm

AUTHOR
       Elliot Lee <sopwith@redhat.com>
       Jindrich Novy <jnovy@redhat.com>

SEE ALSO
       personality(2), select(2)

AVAILABILITY
       The setarch command is part of the util-linux package and is available from Linux Kernel Archive <https://www.kernel.org/pub/linux/utils/util-linux/>.

util-linux							   December 2017							      SETARCH(8)