Grsecurity/Additional Utilities

This page will introduce you to some additional utilities. They are not required to use a grsecurity-enabled system, but are very useful and thus recommended.

Controlling PaX Flags (paxctl)
Paxctl is a user-space utility for controlling PaX flags of executables (see Appendix/PaX Flags for a list of these flags).

Installation
Download the latest version from the PaX website at http://pax.grsecurity.net/. In our case we downloaded paxctl-0.7.tar.bz2. Paxctl packages are not signed. Change into the directory you downloaded the package to and run the below commands.

$ tar xjf paxctl-0.7.tar.bz2
$ cd paxctl-0.7
$ make
$ su
# make install

The installation process does the following:
 * Installs the paxctl program to /sbin.
 * Installs paxctl's man pages to /usr/share/man/man1.

If you need to change either of these locations, modify the Makefile.

Usage
To display all available command-line switches, run paxctl --help. Read the man page for more detailed information.

# paxctl --help
PaX control v0.7 Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

usage: paxctl

options:
 -p: disable PAGEEXEC           -P: enable PAGEEXEC
 -e: disable EMUTRAMP           -E: enable EMUTRAMP
 -m: disable MPROTECT           -M: enable MPROTECT
 -r: disable RANDMMAP           -R: enable RANDMMAP
 -x: disable RANDEXEC           -X: enable RANDEXEC
 -s: disable SEGMEXEC           -S: enable SEGMEXEC

 -v: view flags                 -z: restore default flags
 -q: suppress error messages    -Q: report flags in short format
 -c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)
 -C: create PT_PAX_FLAGS (see manpage!)

Examples
Let's query what, if any, PaX flags have been enabled for /usr/bin/vi:

# paxctl -v /usr/bin/vi
PaX control v0.7 Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

file /usr/bin/vi does not have a PT_PAX_FLAGS program header, try conversion

As you can see, paxctl could not display the flags because <tt>vi</tt> does not have the appropriate program header. We need to convert the header and query the flags again.

# paxctl -c /usr/bin/vi
file /usr/bin/vi had a PT_GNU_STACK program header, converted

# paxctl -v /usr/bin/vi
PaX control v0.7 Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: ---x-e-- [/usr/bin/vi]
	RANDEXEC is disabled
	EMUTRAMP is disabled

With the appropriate program header in place, we can query and modify the PaX flags of <tt>vi</tt>.

Displaying Program Capabilities (pspax)
The <tt>pspax</tt> program displays the run-time capabilities of all programs you have permission for. It is part of the <tt>pax-utils</tt> package. <tt>Pax-utils</tt> can be found at http://dev.gentoo.org/~vapier/dist/. It contains many useful tools for PaX but is not as critical as <tt>paxctl</tt>. The <tt>pax-utils</tt> package is maintained by the Hardened Gentoo Project.

Programs that the pax-utils package provides:
 * <tt>pspax</tt> - Displays the run-time capabilities of all programs you have permission for.
 * <tt>scanelf</tt> - Prints out information specific to the ELF structure of a binary.
 * <tt>dumpelf</tt> - Converts an ELF file into human-readable C code that defines a structure with the same image as the original ELF file.

For more information, see the Gentoo Linux guide to pax-utils.

Installation
Gentoo Linux and Debian GNU/Linux users (and possibly others) can install the <tt>pax-utils</tt> package the same way they install any other application in their system. Below are instructions on how to compile and install it from the source.

Download the latest version from http://dev.gentoo.org/~vapier/dist/. In our case we downloaded pax-utils-0.4.tar.xz, the latest stable release at the time of writing. Change into the directory you downloaded the package to and run the below commands.

$ tar xJf pax-utils-0.4.tar.xz
$ cd pax-utils-0.4
$ make
$ su
# make install

The installation process does the following:
 * Installs the <tt>pspax</tt>, <tt>scanelf</tt>, <tt>dumpelf</tt> and <tt>scanmacho</tt> programs to /usr/bin.
 * Installs README, BUGS, and TODO files to /usr/share/doc/pax-utils/.
 * Installs man pages of <tt>pspax</tt>, <tt>scanelf</tt> and <tt>dumpelf</tt> to /usr/share/man/man1.

If you need to change any of these locations, modify the Makefile.

Usage
To display all available command-line switches, run <tt>pspax --help</tt>. Read the man page for more detailed information.

$ pspax --help
* List ELF/PaX information about running processes

Usage: pspax [options]

Options:
  -a, --all        * Show all processes
  -e, --header     * Print GNU_STACK/PT_LOAD markings
  -i, --ipaddr     * Print ipaddr info if supported
  -p, --pid        * Process ID/pid #
  -u, --user       * Process user/uid #
  -g, --group      * Process group/gid #
  -n, --nx         * Only display w^x processes
  -w, --wx         * Only display w|x processes
  -W, --wide       * Wide output display of cmdline
  -v, --verbose    * Be verbose about executable mappings
  -C, --nocolor    * Don't emit color in output
  -B, --nobanner   * Don't display the header
  -h, --help       * Print this help and exit
  -V, --version    * Print version and exit

<tt>Pspax</tt> shows the PaX flags of a single program as a string of characters (e.g. "peMRS"). A lowercase character means the flag is disabled, an uppercase one means it is enabled. Below is a table that shows these characters and their corresponding PaX flags used by grsecurity. The "Details" column contains a link to a detailed explanation of each flag.

Examples
The command <tt>pspax -p <process_id></tt> displays information about a specific process, identified by its PID. It is unlikely that you happen to know or remember the PID of a process, so it is easier to refer to them by name. The below example uses the <tt>pidof</tt> command to find the PID of a process which it then passes on to <tt>pspax</tt>:

# pidof inetd | xargs pspax -p
USER    PID    PAX    MAPS ETYPE      NAME             CAPS_ATTR
root    1741   peMRS  w^x  ET_EXEC    inetd            =ep cap_setpcap-ep
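The MAPS column above ("w^x" for inetd) and the -n/--nx and -w/--wx filters in the help output rest on one check: does the process have any mapping that is both writable and executable? The following is an added example, not code from this wiki page or from pax-utils, that makes the same decision from /proc/<pid>/maps text. The two sample maps are constructed; pids_by_name() and report_live() are hypothetical helpers for a live system and mirror the pidof-plus-pspax pipeline shown above.

```python
"""Classify processes as w^x or w|x from /proc/<pid>/maps (added example)."""
import os
import re

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]"
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")


def parse_maps(text):
    """Return [(start, end, perms, path)] for every well-formed maps line."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            out.append((int(m.group(1), 16), int(m.group(2), 16),
                        m.group(3), m.group(4)))
    return out


def wx_mappings(text):
    """Mappings that are writable AND executable; an empty list means w^x."""
    return [m for m in parse_maps(text) if "w" in m[2] and "x" in m[2]]


def classify(text):
    """'w|x' or 'w^x', the two values pspax prints in its MAPS column."""
    return "w|x" if wx_mappings(text) else "w^x"


def pids_by_name(name, proc="/proc"):
    """pidof-style lookup via /proc/<pid>/comm (hypothetical helper)."""
    pids = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc}/{entry}/comm") as f:
                if f.read().strip() == name:
                    pids.append(int(entry))
        except OSError:  # process went away or is not readable
            continue
    return pids


def report_live(name):
    """Classify the live mappings of every process called `name` (hypothetical)."""
    rows = []
    for pid in pids_by_name(name):
        try:
            with open(f"/proc/{pid}/maps") as f:
                rows.append((pid, classify(f.read())))
        except OSError:  # exited between listing and reading, or no permission
            continue
    return rows


# Constructed sample maps, not captured from a real system
SAMPLE_WX_FREE = """\
00400000-00401000 r-xp 00000000 08:01 1234 /usr/sbin/inetd
00600000-00601000 rw-p 00000000 08:01 1234 /usr/sbin/inetd
7f0000000000-7f0000021000 rw-p 00000000 00:00 0 [heap]
7ffd1000-7ffd2000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_WX = """\
00400000-00401000 r-xp 00000000 08:01 5678 /usr/bin/jit-host
7f1000000000-7f1000100000 rwxp 00000000 00:00 0
7ffd1000-7ffd2000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print("inetd-like:", classify(SAMPLE_WX_FREE))
    print("jit-like:  ", classify(SAMPLE_WX), wx_mappings(SAMPLE_WX))
    print(report_live("inetd"))  # empty unless an inetd is running
```

Run as root (or as the owner of the processes in question) for report_live() to see the mappings; /proc/<pid>/maps is only readable for processes you have permission for, which is the same limit pspax states for itself. A JIT-style anonymous rwxp mapping such as the one in SAMPLE_WX is exactly what MPROTECT refuses to create on a PaX kernel.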

Managing the Executable Stack of Binaries (execstack)
<tt>Execstack</tt> is a tool to set, clear or query the executable stack flag of ELF binaries and shared libraries. It is part of the <tt>prelink</tt> program, but your Linux distribution may provide it as a separate package.

Installation
You are very likely to find the <tt>prelink</tt> and/or <tt>execstack</tt> packages using your distribution's package management system. At least Gentoo, Debian, Red Hat and distributions based on them provide <tt>prelink</tt> and/or <tt>execstack</tt> packages.

Usage
To display all available command-line switches, run <tt>execstack --help</tt>. Read the man page for more detailed information. An online version of the man page can be found at http://linux.die.net/man/8/execstack.

# execstack --help
Usage: execstack [OPTION...]
execstack -- program to query or set executable stack flag

  -c, --clear-execstack     Clear executable stack flag bit
  -q, --query               Query executable stack flag bit
  -s, --set-execstack       Set executable stack flag bit
  -?, --help                Give this help list
      --usage               Give a short usage message
  -V, --version             Print program version

Report bugs to <jakub@redhat.com>.

Examples
To check if a library has executable stack enabled, run:

# execstack -q /usr/lib/libcrypto.so.0.9.8
- /usr/lib/libcrypto.so.0.9.8

The dash means libcrypto does not require an executable stack. If it did, the line would start with a capital "X" instead of a dash.

To query the status of all libraries in your system, run:

# find /lib /usr/lib -name '*.so.*.*.*' | xargs execstack
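All three tools on this page read (and paxctl and execstack write) two ELF program headers: PT_GNU_STACK, whose PF_X bit is the executable-stack flag execstack reports with "X" or "-", and PT_PAX_FLAGS, whose enable/disable bit pairs paxctl -v and pspax turn into the flag letters. The following is an added example, not code from this wiki page, paxctl or pax-utils, that parses both headers from a little-endian ELF64 image and models the "try conversion" situation from the paxctl section. The header type values and PaX bit positions are the ones PaX's elf.h defines; the letter order of the short string is this example's own choice, and convert_gnu_stack() is a simplified model of paxctl -c (assumed here: the PT_GNU_STACK slot is re-typed as PT_PAX_FLAGS and seeded with RANDEXEC and EMUTRAMP disabled, as the post-conversion output above shows). The sample images are constructed in memory and are not loadable binaries.

```python
"""Read the PT_GNU_STACK and PT_PAX_FLAGS program headers (added example)."""
import struct

# Program header types: PT_GNU_STACK from the GNU ABI, PT_PAX_FLAGS from PaX's elf.h
PT_GNU_STACK = 0x6474E551
PT_PAX_FLAGS = 0x65041580
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

# PaX bits in p_flags of PT_PAX_FLAGS (PaX elf.h). Each flag has an "enable" and a
# "disable" bit; neither set means the kernel default applies.
PAX_BITS = {  # letter: (enable bit, disable bit, flag name)
    "P": (1 << 4, 1 << 5, "PAGEEXEC"),
    "S": (1 << 6, 1 << 7, "SEGMEXEC"),
    "M": (1 << 8, 1 << 9, "MPROTECT"),
    "X": (1 << 10, 1 << 11, "RANDEXEC"),
    "E": (1 << 12, 1 << 13, "EMUTRAMP"),
    "R": (1 << 14, 1 << 15, "RANDMMAP"),
}
ORDER = "PEMRXS"  # letter order of the short string: chosen here, not a tool's exact output

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes


def program_headers(data):
    """Return [(file offset, p_type, p_flags)] for each program header."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e = EHDR.unpack_from(data, 0)
    phoff, phentsize, phnum = e[5], e[9], e[10]
    out = []
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type, p_flags = PHDR.unpack_from(data, off)[:2]
        out.append((off, p_type, p_flags))
    return out


def exec_stack(data):
    """'X' if PT_GNU_STACK requests an executable stack, '-' if not (the two
    answers execstack -q prints); '?' when the header is absent altogether."""
    for _, p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            return "X" if p_flags & PF_X else "-"
    return "?"


def pax_flags(data):
    """Short flag string: uppercase = enabled, lowercase = disabled, '-' = default.
    None when there is no PT_PAX_FLAGS header, the case paxctl -v reports as
    'does not have a PT_PAX_FLAGS program header, try conversion'."""
    for _, p_type, p_flags in program_headers(data):
        if p_type == PT_PAX_FLAGS:
            s = ""
            for letter in ORDER:
                on, off, _ = PAX_BITS[letter]
                s += letter if p_flags & on else (letter.lower() if p_flags & off else "-")
            return s
    return None


def convert_gnu_stack(data):
    """Simplified model of paxctl -c (assumption): re-type the PT_GNU_STACK slot as
    PT_PAX_FLAGS with RANDEXEC and EMUTRAMP disabled. Like paxctl, it fails when
    there is no PT_GNU_STACK header to convert."""
    buf = bytearray(data)
    for off, p_type, _ in program_headers(data):
        if p_type == PT_GNU_STACK:
            struct.pack_into("<II", buf, off, PT_PAX_FLAGS,
                             PAX_BITS["X"][1] | PAX_BITS["E"][1])
            return bytes(buf)
    raise ValueError("no PT_GNU_STACK program header, cannot convert")


def build_elf(phdrs):
    """Constructed, non-loadable ELF64 image: a header followed immediately by the
    given (p_type, p_flags) program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, little-endian, v1
    ehdr = EHDR.pack(ident, 2, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)


# Constructed samples, not real binaries
VI_LIKE = build_elf([(PT_GNU_STACK, PF_R | PF_W)])          # no PT_PAX_FLAGS yet
EXECSTACK = build_elf([(PT_GNU_STACK, PF_R | PF_W | PF_X)])  # executable stack requested
INETD_LIKE = build_elf([(PT_GNU_STACK, PF_R | PF_W),
                        (PT_PAX_FLAGS, PAX_BITS["P"][1] | PAX_BITS["E"][1]
                         | PAX_BITS["M"][0] | PAX_BITS["R"][0] | PAX_BITS["S"][0])])

if __name__ == "__main__":
    for name, img in [("vi-like", VI_LIKE), ("execstack", EXECSTACK), ("inetd-like", INETD_LIKE)]:
        print(f"{name:10} stack={exec_stack(img)} pax={pax_flags(img)}")
    conv = convert_gnu_stack(VI_LIKE)
    print(f"converted  stack={exec_stack(conv)} pax={pax_flags(conv)}")
```

Two things the run makes visible that the tool output above only hints at: a binary can carry a PT_GNU_STACK header and still have no PaX marking at all (VI_LIKE, the "try conversion" case), and the modelled conversion reuses the PT_GNU_STACK slot, so exec_stack() answers "?" afterwards. That loss of the GNU_STACK marking is the sort of side effect the "(see manpage!)" note on -c points at, and worth weighing before converting a binary that must also run on kernels without PaX.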