paxctl(1) [debian man page]

paxctl(1)								PaX								 paxctl(1)

NAME
       paxctl - user-space utility to control PaX flags

SYNTAX
       paxctl <flags> <files>

DESCRIPTION
       paxctl is a tool that allows PaX flags to be modified on a per-binary basis. PaX is part of common security-enhancing kernel patches and secure distributions, such as GrSecurity and Hardened Gentoo, respectively. Your system needs to be running a properly patched and configured kernel for this program to have any effect.

       -P     enforce paging based non-executable pages (PAGEEXEC)
       -p     do not enforce paging based non-executable pages (NOPAGEEXEC)
       -E     emulate trampolines (EMUTRAMP)
       -e     do not emulate trampolines (NOEMUTRAMP)
       -M     enforce secure memory protections (MPROTECT)
       -m     do not enforce secure memory protections (NOMPROTECT)
       -R     randomize memory regions (RANDMMAP)
       -r     do not randomize memory regions (NORANDMMAP)
       -X     randomize base address of normal (ET_EXEC) executables (RANDEXEC)
       -x     do not randomize base address of normal (ET_EXEC) executables (NORANDEXEC)
       -S     enforce segmentation based non-executable pages (SEGMEXEC)
       -s     do not enforce segmentation based non-executable pages (NOSEGMEXEC)
       -v     view flags
       -z     reset all flags (further flags still apply)
       -c     create the PT_PAX_FLAGS program header if it does not exist by converting the PT_GNU_STACK program header if it exists
       -C     create the PT_PAX_FLAGS program header if it does not exist by adding a new program header, if it is possible
       -q     suppress error messages
       -Q     report flags in short format

CAVEATS
       The old PaX flag location and control method have been obsoleted; if your kernel and binaries use it you have to use chpax(1) instead (it is recommended to use PT_PAX_FLAGS along with -c or -C, however).

       Converting PT_GNU_STACK into PT_PAX_FLAGS means that the information in the former is destroyed; in particular you must make sure that the EMUTRAMP PaX option is properly set in the newly created PT_PAX_FLAGS. The secure way is to disable EMUTRAMP first and, if PaX reports stack execution attempts from nested function trampolines, then enable it.

       Note that the new PT_PAX_FLAGS is created in the same state that binutils/ld itself would produce (equivalent to -zex).

       Note that if you use both PT_PAX_FLAGS and the extended attribute PaX flags on a binary then they must be exactly the same (except for RANDEXEC).

       Note that RANDEXEC is no longer supported by PaX kernels since 2.6.13; the paxctl flags are simply ignored there.

       Note that paxctl does not make backup copies of the files it modifies.

       Note that paxctl is meant to work on the native architecture's binaries only; however, it should work on foreign binaries as long as they have the same endianness as the native architecture (e.g., an i386 paxctl should work on amd64 or little-endian arm but not on big-endian mips binaries).

AUTHOR
       Written by The PaX Team <pageexec@freemail.hu>

       This manpage was adapted from the chpax manpage written by Martin F. Krafft <madduck@debian.org> for the Debian GNU/Linux Distribution, but may be used by others.

SEE ALSO
       chpax(1), gradm(8)

       PaX website: http://pax.grsecurity.net
       GrSecurity website: http://www.grsecurity.net
       Hardened Gentoo website: http://www.gentoo.org/proj/en/hardened

paxctl Manual                                  2012-02-19                                  paxctl(1)
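The DESCRIPTION and CAVEATS above describe paxctl in terms of a single ELF program header, PT_PAX_FLAGS, and what -c does to PT_GNU_STACK. The following C program is an added example, not code from paxctl or the PaX project: it models -v, -c, -z and the twelve flag letters on an ELF64 image held in memory, so the effect of an option string can be inspected without a PaX kernel and without touching a file (paxctl itself rewrites the binary in place and keeps no backup). Assumptions not stated on this page: the PT_PAX_FLAGS type value and the PF_* bit positions are those of the PaX-patched elf.h (a stock <elf.h> has only PT_GNU_STACK and PF_R/W/X); each upper-case letter is modelled as setting its bit and clearing the contradictory NO* bit, and vice versa; the converted header starts as NOEMUTRAMP|NORANDEXEC, which is how this example reads the man page's "-zex" remark. The sample image (PT_LOAD plus PT_GNU_STACK, no PT_PAX_FLAGS) is constructed inline.

```c
/* Added example, not paxctl's own code: model paxctl -v, -c and the flag
 * letters on an ELF64 image in memory (nothing is written to disk).
 * Assumption: PT_PAX_FLAGS and the PF_* bits below are the values of the
 * PaX-patched elf.h; a stock <elf.h> has only PT_GNU_STACK and PF_R/W/X. */
#include <elf.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAX_PT_FLAGS 0x65041580u               /* PT_PAX_FLAGS */
enum { PAXF_PAGEEXEC = 1u<<4,  PAXF_NOPAGEEXEC = 1u<<5,  PAXF_SEGMEXEC = 1u<<6,  PAXF_NOSEGMEXEC = 1u<<7,
       PAXF_MPROTECT = 1u<<8,  PAXF_NOMPROTECT = 1u<<9,  PAXF_RANDEXEC = 1u<<10, PAXF_NORANDEXEC = 1u<<11,
       PAXF_EMUTRAMP = 1u<<12, PAXF_NOEMUTRAMP = 1u<<13, PAXF_RANDMMAP = 1u<<14, PAXF_NORANDMMAP = 1u<<15,
       PAXF_ALL = 0xfff0 };                    /* every PaX bit: 4..15 */

/* Byte order of the host; paxctl only handles binaries of the same order. */
static const uint16_t host_one = 1;
#define HOST_DATA (*(const uint8_t *)&host_one ? ELFDATA2LSB : ELFDATA2MSB)

/* Constructed sample: a minimal program header table, PT_LOAD plus
 * PT_GNU_STACK and no PT_PAX_FLAGS. A struct keeps the ELF structs aligned. */
struct sample_image { Elf64_Ehdr eh; Elf64_Phdr ph[2]; };

static void build_sample_image(struct sample_image *s) {
    memset(s, 0, sizeof *s);
    memcpy(s->eh.e_ident, ELFMAG, SELFMAG);
    s->eh.e_ident[EI_CLASS] = ELFCLASS64;
    s->eh.e_ident[EI_DATA] = HOST_DATA;
    s->eh.e_type = ET_EXEC; s->eh.e_phoff = offsetof(struct sample_image, ph);
    s->eh.e_phentsize = sizeof(Elf64_Phdr); s->eh.e_phnum = 2;
    s->ph[0].p_type = PT_LOAD;      s->ph[0].p_flags = PF_R | PF_X;
    s->ph[1].p_type = PT_GNU_STACK; s->ph[1].p_flags = PF_R | PF_W; s->ph[1].p_align = 16;
}

/* Find a program header by type. Rejects anything that is not ELF64 in the
 * host's byte order, or whose program header table does not fit the buffer. */
static Elf64_Phdr *find_phdr(uint8_t *img, size_t len, uint32_t type) {
    Elf64_Ehdr *eh = (Elf64_Ehdr *)img;
    if (len < sizeof *eh || memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0 ||
        eh->e_ident[EI_CLASS] != ELFCLASS64 || eh->e_ident[EI_DATA] != HOST_DATA ||
        eh->e_phentsize != sizeof(Elf64_Phdr) || eh->e_phoff > len ||
        (size_t)eh->e_phnum * sizeof(Elf64_Phdr) > len - eh->e_phoff)
        return NULL;
    Elf64_Phdr *ph = (Elf64_Phdr *)(img + eh->e_phoff);
    for (unsigned i = 0; i < eh->e_phnum; i++)
        if (ph[i].p_type == type) return &ph[i];
    return NULL;
}

/* paxctl -v: the PaX flag word, or -1 when the binary has no PT_PAX_FLAGS
 * header (the legacy chpax(1) location is not consulted). */
long pax_view(uint8_t *img, size_t len) {
    Elf64_Phdr *p = find_phdr(img, len, PAX_PT_FLAGS);
    return p ? (long)(p->p_flags & PAXF_ALL) : -1;
}

/* paxctl -c: convert PT_GNU_STACK into PT_PAX_FLAGS in place, starting in the
 * state the man page says ld would produce (-zex: NOEMUTRAMP|NORANDEXEC).
 * The PT_GNU_STACK flags are discarded, the information loss CAVEATS warns of. */
static int pax_convert(uint8_t *img, size_t len) {
    if (find_phdr(img, len, PAX_PT_FLAGS)) return 1;
    Elf64_Phdr *p = find_phdr(img, len, PT_GNU_STACK);
    if (!p) return 0;
    p->p_type = PAX_PT_FLAGS;
    p->p_flags = PAXF_NOEMUTRAMP | PAXF_NORANDEXEC;
    return 1;
}

/* One option letter: upper case enables a feature and clears its NO* bit, lower
 * case does the reverse, 'z' clears every PaX bit, 'c' converts. 0 = rejected. */
static int pax_apply(uint8_t *img, size_t len, char opt) {
    static const struct { char on, off; uint32_t bon, boff; } map[] = {
        {'P','p',PAXF_PAGEEXEC,PAXF_NOPAGEEXEC}, {'E','e',PAXF_EMUTRAMP,PAXF_NOEMUTRAMP},
        {'M','m',PAXF_MPROTECT,PAXF_NOMPROTECT}, {'R','r',PAXF_RANDMMAP,PAXF_NORANDMMAP},
        {'X','x',PAXF_RANDEXEC,PAXF_NORANDEXEC}, {'S','s',PAXF_SEGMEXEC,PAXF_NOSEGMEXEC} };
    if (opt == 'c') return pax_convert(img, len);
    Elf64_Phdr *p = find_phdr(img, len, PAX_PT_FLAGS);
    if (!p) return 0;                           /* no header to edit: use -c or -C first */
    if (opt == 'z') { p->p_flags &= ~(uint32_t)PAXF_ALL; return 1; }
    for (size_t i = 0; i < sizeof map / sizeof map[0]; i++) {
        if (opt == map[i].on)  { p->p_flags = (p->p_flags & ~map[i].boff) | map[i].bon;  return 1; }
        if (opt == map[i].off) { p->p_flags = (p->p_flags & ~map[i].bon)  | map[i].boff; return 1; }
    }
    return 0;
}

/* paxctl -<opts>: letters apply left to right, so "cz" converts then resets. */
int pax_set(uint8_t *img, size_t len, const char *opts) {
    for (; *opts; opts++)
        if (!pax_apply(img, len, *opts)) return 0;
    return 1;
}

/* Fresh sample, apply opts, return the flag word (-1: no header, -2: rejected). */
long demo(const char *opts) {
    struct sample_image s;
    build_sample_image(&s);
    if (!pax_set((uint8_t *)&s, sizeof s, opts)) return -2;
    return pax_view((uint8_t *)&s, sizeof s);
}
```

demo("cMRe") corresponds to `paxctl -cMRe file`: the header is created first, then MPROTECT and RANDMMAP are enabled and EMUTRAMP is explicitly disabled, which is the order the CAVEATS section recommends (disable EMUTRAMP, enable it only if PaX reports trampoline execution). demo("M") fails because there is no PT_PAX_FLAGS header to edit, mirroring why the page recommends -c or -C.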


AOUT(4) 						   BSD Kernel Interfaces Manual 						   AOUT(4)

NAME
       aout -- kernel support for executing binary files in legacy a.out format

SYNOPSIS
       kldload a.out

DESCRIPTION
       The a.out(5) executable format was used before the release of FreeBSD 3.0. Since i386 was the only supported architecture at that time, a.out(5) executables can only be activated on platforms that support execution of i386 code, such as i386 and amd64.

       To add kernel support for old syscalls and old syscall invocation methods, place the following options in the kernel configuration file:

             options COMPAT_43
             options COMPAT_FREEBSD32

       The COMPAT_FREEBSD32 option is only required on 64-bit CPU architectures.

       The aout.ko module needs to be loaded with the kldload(8) utility in order to support the a.out(5) image activator:

             kldload aout

       Alternatively, to load the module at boot time, place the following line in loader.conf(5):

             aout_load="YES"

       The a.out(5) format was mainstream quite a long time ago. Reasonable default settings and security requirements of modern operating systems today contradict the default environment of that time and require adjustments of the system to mimic the natural environment for old binaries. The following sysctl(8) tunables are useful for this:

       security.bsd.map_at_zero
               Set to 1 to allow mapping of process pages at address 0. Some very old ZMAGIC executable images require text mapping at address 0.

       kern.pid_max
               Old versions of FreeBSD used a signed 16-bit type for pid_t. Current kernels use a 32-bit type for pid_t, and allow process ids up to 99999. Such values cannot be represented by the old pid_t, mostly causing issues for processes using the wait(2) syscalls, for example shells. Set the sysctl to 30000 to work around the problem.

       kern.elf32.read_exec
               Set to 1 to force any accessible memory mapping performed by a 32-bit process to allow execution, see mmap(2). Old i386 CPUs did not have a bit in the PTE which disallowed execution from the page, so many old programs did not specify PROT_EXEC even for mappings of executable code. The sysctl forces PROT_EXEC if the mapping has any access allowed at all. The setting is only needed if the host architecture allows non-executable mappings.

SEE ALSO
       execve(2), a.out(5), elf(5), sysctl(8)

HISTORY
       The a.out(5) executable format was used on ancient AT&T UNIX and served as the main executable format for FreeBSD from the beginning up to FreeBSD 2.2.9. In FreeBSD 3.0 it was superseded by elf(5).

AUTHORS
       The aout manual page was written by Konstantin Belousov <kib@FreeBSD.org>.

BUGS
       On 64-bit architectures, not all wrappers for older syscalls are implemented.

BSD                                          August 14, 2012                                          BSD