NAME

paxctl - list and modify PaX flags associated with an ELF program

SYNOPSIS

paxctl flags program ...

DESCRIPTION

The paxctl utility is used to list and manipulate PaX flags associated with an ELF program.

Each flag can be prefixed either with a "+" or a "-" sign to add or remove the flag, respectively.

The following flags are available:

a
Explicitly disable PaX ASLR for program.

A
Explicitly enable PaX ASLR for program.

g
Explicitly disable PaX Segvguard for program.

G
Explicitly enable PaX Segvguard for program.

m
Explicitly disable PaX MPROTECT (mprotect(2) restrictions) for program.

M
Explicitly enable PaX MPROTECT (mprotect(2) restrictions) for program.

To view existing flags on a file, execute paxctl without any flags.
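
The following wrapper is an added example, not part of paxctl or of the original manual page. It checks a flag request against the flags documented above before calling paxctl, then lists the resulting flags. The helper names, the PAXCTL override variable, passing several signed flags as separate arguments, and treating "+m +M" style requests as an error are assumptions of this example.

```shell
# Added example (helper names are hypothetical, not part of paxctl).
# Only the flag letters and the +/- prefixes come from the manual page.

# Map a flag letter to the PaX feature it controls.
pax_feature() {
    case "$1" in
        a|A) echo aslr ;;
        g|G) echo segvguard ;;
        m|M) echo mprotect ;;
        *) return 1 ;;
    esac
}

# Return 0 if every argument is a signed, documented flag and no feature is
# marked both "explicitly enabled" and "explicitly disabled" with "+".
# Return 2 for a malformed flag, 3 for a contradictory request.
pax_check_flags() {
    added=""
    for f in "$@"; do
        case "$f" in
            [+-][aAgGmM]) ;;
            *) echo "invalid flag: $f" >&2; return 2 ;;
        esac
        sign=${f%?} letter=${f#?}
        # "-x" only removes a mark, so it cannot contradict anything.
        [ "$sign" = "+" ] || continue
        feat=$(pax_feature "$letter")
        case "$letter" in a|g|m) state=off ;; *) state=on ;; esac
        case " $added " in
            *" $feat:$state "*) ;;                      # repeated request
            *" $feat:"*) echo "conflicting flags for $feat" >&2; return 3 ;;
            *) added="$added $feat:$state" ;;
        esac
    done
    return 0
}

# pax_apply PROGRAM FLAG...: validate, apply, then list the resulting flags.
# Set PAXCTL="echo paxctl" to print the commands instead of running them.
pax_apply() {
    prog=$1; shift
    pax_check_flags "$@" || return
    ${PAXCTL:-paxctl} "$@" "$prog" && ${PAXCTL:-paxctl} "$prog"
}
```

For example, `pax_apply ./program -m +M` removes an explicit MPROTECT disable mark and adds the explicit enable mark, while `pax_apply ./program +m +M` is rejected before the binary is touched.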

SEE ALSO

sysctl(3), options(4), security(8), sysctl(8)

HISTORY

The paxctl utility first appeared in NetBSD 4.0.

The paxctl utility is modeled after a tool of the same name available for Linux from the PaX project.

AUTHORS

Elad Efrat <elad@NetBSD.org>
Christos Zoulas <christos@NetBSD.org>

BUGS

The paxctl utility currently uses elf(5) "note" sections to mark executables as PaX Segvguard enabled. In the future this will be done using fileassoc(9), so that we can control who does the marking and avoid altering the binary file signature.