NAME

       paxctl - user-space utility to control PaX flags

SYNTAX

       paxctl <flags> <files>

DESCRIPTION

       paxctl is a tool that allows PaX flags to be modified on a per-binary
       basis. PaX is part of common security-enhancing kernel patches, such
       as GrSecurity, and of secure distributions, such as Adamantix and
       Hardened Gentoo. Your system needs to be running a properly patched
       and configured kernel for this program to have any effect.

       -P     enforce paging based non-executable pages (PAGEEXEC)

       -p     do not enforce paging based non-executable pages (NOPAGEEXEC)

       -E     emulate trampolines (EMUTRAMP)

       -e     do not emulate trampolines (NOEMUTRAMP)

       -M     enforce secure memory protections (MPROTECT)

       -m     do not enforce secure memory protections (NOMPROTECT)

       -R     randomize memory regions (RANDMMAP)

       -r     do not randomize memory regions (NORANDMMAP)

       -X     randomize   base   address   of   normal  (ET_EXEC)  executables
              (RANDEXEC)

       -x     do not randomize base address of  normal  (ET_EXEC)  executables
              (NORANDEXEC)

       -S     enforce segmentation based non-executable pages (SEGMEXEC)

       -s     do   not   enforce   segmentation   based  non-executable  pages
              (NOSEGMEXEC)

       -v     view flags

       -z     restore default flags (further flags still apply)

       -c     create the PT_PAX_FLAGS program header if it does not  exist  by
              converting the PT_GNU_STACK program header if it exists

       -C     create  the  PT_PAX_FLAGS program header if it does not exist by
              adding a new program header, if it is possible

       -q     suppress error messages

       -Q     report flags in short format

CAVEATS

       The old PaX flag location and control method have been obsoleted. If
       your kernel and binaries use them, you have to use chpax(1) instead
       (however, it is recommended to use PT_PAX_FLAGS along with -c or -C).

       Converting PT_GNU_STACK into PT_PAX_FLAGS means that the information in
       the former is destroyed. In particular, you must make sure that the
       EMUTRAMP PaX option is properly set in the newly created PT_PAX_FLAGS.

       The secure way is to disable EMUTRAMP first and, if PaX reports stack
       execution attempts from nested function trampolines, then enable it.

       Note that the new PT_PAX_FLAGS  is  created  in  the  same  state  that
       binutils/ld itself would produce (equivalent to -zex).

       Note  that paxctl does not make backup copies of the files it modifies.
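
       A pre-flight check for the caveats above, as an added example that is
       not part of paxctl or of the original manpage: it reads an ELF image's
       program headers and reports whether PT_PAX_FLAGS already exists and
       what PT_GNU_STACK marking a -c conversion would discard. The function
       and field names (pax_report, make_sample, create_with) are
       hypothetical, and the sample images are constructed.

```python
import struct

PT_GNU_STACK = 0x6474E551  # PT_LOOS + 0x474e551
PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580, as defined by the PaX patch
PF_X = 0x1                 # "executable" bit in PT_GNU_STACK's p_flags
# PaX flag names for bits 4..15 of PT_PAX_FLAGS' p_flags, lowest bit first.
PAX_BITS = ["PAGEEXEC", "NOPAGEEXEC", "SEGMEXEC", "NOSEGMEXEC",
            "MPROTECT", "NOMPROTECT", "RANDEXEC", "NORANDEXEC",
            "EMUTRAMP", "NOEMUTRAMP", "RANDMMAP", "NORANDMMAP"]

def pax_report(elf: bytes) -> dict:
    """Say which header paxctl would have to create, and what -c would destroy."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"   # EI_DATA: 1 = little-endian
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", elf, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
    else:
        (phoff,) = struct.unpack_from(end + "I", elf, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
    flags_off = 4 if is64 else 24       # p_flags sits at a different offset per class
    rep = {"pax_flags": None, "exec_stack": None, "create_with": "-C"}
    for i in range(phnum):
        base = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, base)
        (p_flags,) = struct.unpack_from(end + "I", elf, base + flags_off)
        if p_type == PT_GNU_STACK:
            rep["exec_stack"] = bool(p_flags & PF_X)
        elif p_type == PT_PAX_FLAGS:
            rep["pax_flags"] = [n for b, n in enumerate(PAX_BITS, 4) if p_flags >> b & 1]
    if rep["pax_flags"] is not None:
        rep["create_with"] = None       # header already present, nothing to create
    elif rep["exec_stack"] is not None:
        rep["create_with"] = "-c"       # conversion discards the exec_stack marking
    return rep

def make_sample(p_type: int, p_flags: int) -> bytes:
    """Constructed ELF64 little-endian image: ELF header plus one program header."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<II", p_type, p_flags) + bytes(48)

if __name__ == "__main__":
    print(pax_report(make_sample(PT_GNU_STACK, 0x7)))   # constructed: RWX stack marking
    print(pax_report(make_sample(PT_PAX_FLAGS, 1 << 4 | 1 << 8 | 1 << 13 | 1 << 14)))
```

       Recording exec_stack before running paxctl -c preserves the one piece
       of information the conversion removes, and copying the file first
       covers the missing backup.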

AUTHOR

       Written by The PaX Team <pageexec@freemail.hu>

       This manpage was adapted from the chpax manpage written  by  Martin  F.
       Krafft  <madduck@debian.org> for the Debian GNU/Linux Distribution, but
       may be used by others.

SEE ALSO

       chpax(1), gradm(8)

       PaX website: http://pax.grsecurity.net

       GrSecurity website: http://www.grsecurity.net

       Adamantix website: http://adamantix.org

       Hardened Gentoo website: http://www.gentoo.org/proj/en/hardened