Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

paxctl(8) [netbsd man page]

PAXCTL(8)						    BSD System Manager's Manual 						 PAXCTL(8)

NAME
paxctl -- list and modify PaX flags associated with an ELF program SYNOPSIS
paxctl flags program ... DESCRIPTION
The paxctl utility is used to list and manipulate PaX flags associated with an ELF program. The PaX flags signify to the loader the privi- lege protections to be applied to mapped memory pages, and fuller explanations of the specific protections can be found in the security(7) manpage. Each flag can be prefixed either with a ``+'' or a ``-'' sign to add or remove the flag, respectively. The following flags are available: a Explicitly disable PaX ASLR (Address Space Layout Randomization) for program. A Explicitly enable PaX ASLR for program. g Explicitly disable PaX Segvguard for program. G Explicitly enable PaX Segvguard for program. m Explicitly disable PaX MPROTECT (mprotect(2) restrictions) for program. M Explicitly enable PaX MPROTECT (mprotect(2) restrictions) for program. To view existing flags on a file, execute paxctl without any flags. SEE ALSO
mprotect(2), sysctl(3), options(4), elf(5), security(7), sysctl(8), fileassoc(9) HISTORY
The paxctl utility first appeared in NetBSD 4.0. The paxctl utility is modeled after a tool of the same name available for Linux from the PaX project. AUTHORS
Elad Efrat <elad@NetBSD.org> Christos Zoulas <christos@NetBSD.org> BUGS
The paxctl utility currently uses elf(5) ``note'' sections to mark executables as PaX Segvguard enabled. This will be done using fileassoc(9) in the future so that we can control who does the marking and not altering the binary file signature. BSD
September 17, 2009 BSD

Check Out this Related Man Page

paxctl(1)								PaX								 paxctl(1)

NAME
paxctl - user-space utility to control PaX flags SYNTAX
paxctl <flags> <files> DESCRIPTION
paxctl is a tool that allows PaX flags to be modified on a per-binary basis. PaX is part of common security-enhancing kernel patches and secure distributions, such as GrSecurity and Hardened Gentoo, respectively. Your system needs to be running a properly patched and config- ured kernel for this program to have any effect. -P enforce paging based non-executable pages (PAGEEXEC) -p do not enforce paging based non-executable pages (NOPAGEEXEC) -E emulate trampolines (EMUTRAMP) -e do not emulate trampolines (NOEMUTRAMP) -M enforce secure memory protections (MPROTECT) -m do not enforce secure memory protections (NOMPROTECT) -R randomize memory regions (RANDMMAP) -r do not randomize memory regions (NORANDMMAP) -X randomize base address of normal (ET_EXEC) executables (RANDEXEC) -x do not randomize base address of normal (ET_EXEC) executables (NORANDEXEC) -S enforce segmentation based non-executable pages (SEGMEXEC) -s do not enforce segmentation based non-executable pages (NOSEGMEXEC) -v view flags -z reset all flags (further flags still apply) -c create the PT_PAX_FLAGS program header if it does not exist by converting the PT_GNU_STACK program header if it exists -C create the PT_PAX_FLAGS program header if it does not exist by adding a new program header, if it is possible -q suppress error messages -Q report flags in short format CAVEATS
The old PaX flag location and control method have been obsoleted, if your kernel and binaries use it you have to use chpax(1) instead (it is recommended to use PT_PAX_FLAGS along with -c or -C however). Converting PT_GNU_STACK into PT_PAX_FLAGS means that the information in the former is destroyed, in particular you must make sure that the EMUTRAMP PaX option is properly set in the newly created PT_PAX_FLAGS. The secure way is to disable EMUTRAMP first and if PaX reports stack execution attempts from nested function trampolines then enable it. Note that the new PT_PAX_FLAGS is created in the same state that binutils/ld itself would produce (equivalent to -zex). Note that if you use both PT_PAX_FLAGS and the extended attribute PaX flags on a binary then they must be exactly the same (except for RAN- DEXEC). Note that RANDEXEC is no longer supported by PaX kernels since 2.6.13, the paxctl flags are simply ignored there. Note that paxctl does not make backup copies of the files it modifies. Note that paxctl is meant to work on the native architecture's binaries only, however it should work on foreign binaries as long as they have the same endianess as the native architecture (e.g., an i386 paxctl should work on amd64 or little-endian arm but not on big-endian mips binaries). AUTHOR
Written by The PaX Team <pageexec@freemail.hu> This manpage was adapted from the chpax manpage written by Martin F. Krafft <madduck@debian.org> for the Debian GNU/Linux Distribution, but may be used by others. SEE ALSO
chpax(1), gradm(8) PaX website: http://pax.grsecurity.net GrSecurity website: http://www.grsecurity.net Hardened Gentoo website: http://www.gentoo.org/proj/en/hardened paxctl Manual 2012-02-19 paxctl(1)
Man Page