Grsecurity/Additional Utilities
This page will introduce you to some additional utilities. They are not required to use a grsecurity-enabled system, but are very useful and thus recommended.
Controlling PaX Flags (paxctl)
Paxctl is a user-space utility for controlling the PaX flags of executables (see Appendix/PaX Flags for a list of these flags).
Installation
Download the latest version from the PaX website at http://pax.grsecurity.net/. In our case we downloaded paxctl-0.7.tar.bz2. Paxctl packages are not signed. Change into the directory you downloaded the package to and run the commands below.
$ tar xjf paxctl-0.7.tar.bz2
$ cd paxctl-0.7
$ make
$ su
# make install
The installation process does the following:
- Installs the paxctl program to /sbin.
- Installs paxctl's man pages to /usr/share/man/man1.
If you need to change either of these locations, modify the Makefile.
Usage
To display all available command-line switches, run paxctl --help. Read the man page for more detailed information.
# paxctl --help
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>
usage: paxctl <options> <files>
options:
 -p: disable PAGEEXEC   -P: enable PAGEEXEC
 -e: disable EMUTRAMP   -E: enable EMUTRAMP
 -m: disable MPROTECT   -M: enable MPROTECT
 -r: disable RANDMMAP   -R: enable RANDMMAP
 -x: disable RANDEXEC   -X: enable RANDEXEC
 -s: disable SEGMEXEC   -S: enable SEGMEXEC
 -v: view flags         -z: restore default flags
 -q: suppress error messages
 -Q: report flags in short format
 -c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)
 -C: create PT_PAX_FLAGS (see manpage!)
Examples
Let's query what, if any, PaX flags have been enabled for /usr/bin/vi:
# paxctl -v /usr/bin/vi
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>
file /usr/bin/vi does not have a PT_PAX_FLAGS program header, try conversion
As you can see, paxctl could not display the flags because vi does not have the appropriate program header. We need to convert the header and query the flags again.
Note that paxctl does not make backup copies of the files it modifies. It is recommended that you make backups of the binaries you want to modify.
# paxctl -c /usr/bin/vi
file /usr/bin/vi had a PT_GNU_STACK program header, converted
# paxctl -v /usr/bin/vi
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>
- PaX flags: -------x-e-- [/usr/bin/vi]
	RANDEXEC is disabled
	EMUTRAMP is disabled
With the appropriate program header in place, we can query and modify the PaX flags of vi.
Displaying Program Capabilities (pspax)
The pspax program displays the run-time capabilities of all programs you have permission for. It is part of the pax-utils package. Pax-utils can be found at http://dev.gentoo.org/~vapier/dist/. It contains many useful tools for PaX but is not as critical as paxctl. The pax-utils package is maintained by the Hardened Gentoo Project.
Programs that the pax-utils package provides:
- pspax - Displays the run-time capabilities of all programs you have permission for.
- scanelf - Prints out information specific to the ELF structure of a binary.
- dumpelf - Converts an ELF file into human-readable C code that defines a structure with the same image as the original ELF file.
For more information, see the Gentoo Linux guide to pax-utils.
Installation
Gentoo Linux and Debian GNU/Linux users (and possibly others) can install the pax-utils package the same way they install any other application on their system. Below are instructions on how to compile and install it from source.
Download the latest version from http://dev.gentoo.org/~vapier/dist/. In our case we downloaded pax-utils-0.4.tar.xz, the latest stable release at the time of writing. Change into the directory you downloaded the package to and run the commands below.
$ tar xJf pax-utils-0.4.tar.xz
$ cd pax-utils-0.4
$ make
$ su
# make install
The installation process does the following:
- Installs the pspax, scanelf, dumpelf and scanmacho programs to /usr/bin.
- Installs README, BUGS, and TODO files to /usr/share/doc/pax-utils/.
- Installs man pages of pspax, scanelf and dumpelf to /usr/share/man/man1.
If you need to change any of these locations, modify the Makefile.
Usage
To display all available command-line switches, run pspax --help. Read the man page for more detailed information.
$ pspax --help
* List ELF/PaX information about running processes
Usage: pspax [options]
Options:
  -a, --all        * Show all processes
  -e, --header     * Print GNU_STACK/PT_LOAD markings
  -i, --ipaddr     * Print ipaddr info if supported
  -p, --pid        * Process ID/pid #
  -u, --user       * Process user/uid #
  -g, --group      * Process group/gid #
  -n, --nx         * Only display w^x processes
  -w, --wx         * Only display w|x processes
  -W, --wide       * Wide output display of cmdline
  -v, --verbose    * Be verbose about executable mappings
  -C, --nocolor    * Don't emit color in output
  -B, --nobanner   * Don't display the header
  -h, --help       * Print this help and exit
  -V, --version    * Print version and exit
Pspax shows the PaX flags of a single program as a string of characters (e.g. "peMRS"). A lowercase character means the flag is disabled; an uppercase character means it is enabled. The table below shows these characters and the corresponding PaX flags used by grsecurity. The "Details" column contains a link to a detailed explanation of each flag.
pspax flag | grsecurity's PaX flag | Details
---|---|---
E | PAX_EMUTRAMP | emutramp.txt
M | PAX_MPROTECT | mprotect.txt
P | PAX_PAGEEXEC | pageexec.txt
R | PAX_RANDMMAP | randmmap.txt
S | PAX_SEGMEXEC | segmexec.txt
Examples
The command pspax -p <process_id> displays information about a specific process, identified by its PID. It is unlikely that you happen to know or remember the PID of a process, so it is easier to refer to processes by name. The example below uses the pidof command to find the PID of a process, which it then passes on to pspax:
# pidof inetd | xargs pspax -p
USER PID PAX MAPS ETYPE NAME CAPS_ATTR
root 1741 peMRS w^x ET_EXEC inetd =ep cap_setpcap-ep
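The flag string and the MAPS column above are what an administrator would scan when auditing a whole box with pspax -a. The following is an added example (not part of pax-utils) that decodes a pspax flag string using the table from this page and triages rows of pspax output, flagging processes for which PaX is not enforcing W^X: either the MAPS column reports w|x mappings, or MPROTECT is disabled. The sample output is constructed: the first row is the page's inetd line, the second row is an invented process.

```python
"""Decode pspax flag strings and triage pspax output.

Added example for this page (not part of pax-utils). The sample output
below is constructed from the page's pidof/xargs example plus one
invented second row; the second PID, name and caps are not real data.
"""

# Letters pspax uses, mapped to grsecurity's PaX flag names (page table).
PSPAX_LETTERS = {
    "p": "PAX_PAGEEXEC",
    "e": "PAX_EMUTRAMP",
    "m": "PAX_MPROTECT",
    "r": "PAX_RANDMMAP",
    "s": "PAX_SEGMEXEC",
}


def decode_pspax_flags(flags):
    """Turn a string like 'peMRS' into {flag_name: enabled?}.

    Lowercase = disabled, uppercase = enabled. Letters the page's table does
    not list are reported under their own character so nothing is dropped.
    """
    decoded = {}
    for ch in flags:
        name = PSPAX_LETTERS.get(ch.lower(), ch.lower())
        decoded[name] = ch.isupper()
    return decoded


def parse_pspax_line(line):
    """Parse one data row of pspax output (USER PID PAX MAPS ETYPE NAME ...)."""
    fields = line.split(None, 6)
    if len(fields) < 6:
        raise ValueError("not a pspax data row: %r" % line)
    return {
        "user": fields[0],
        "pid": int(fields[1]),
        "pax": fields[2],
        "maps": fields[3],
        "etype": fields[4],
        "name": fields[5],
        "flags": decode_pspax_flags(fields[2]),
    }


def weak_processes(output):
    """Return names of processes that run with writable+executable mappings
    (MAPS == 'w|x') or have MPROTECT disabled, i.e. PaX is not enforcing W^X
    for them. The header row is skipped."""
    weak = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("USER"):
            continue
        row = parse_pspax_line(line)
        if row["maps"] == "w|x" or not row["flags"].get("PAX_MPROTECT", False):
            weak.append(row["name"])
    return weak


# Constructed sample: first row copied from the page, second row invented.
SAMPLE_OUTPUT = """\
USER PID PAX MAPS ETYPE NAME CAPS_ATTR
root 1741 peMRS w^x ET_EXEC inetd =ep cap_setpcap-ep
root 2042 pemRS w|x ET_DYN legacy-jit -
"""

if __name__ == "__main__":
    # Pipe real output in with: pspax -a -B | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for name in weak_processes(text):
        print("W^X not enforced for:", name)
```

Treating a disabled MPROTECT as "weak" even when MAPS shows w^x is deliberate: without MPROTECT the process can still turn a writable mapping executable later, so the snapshot in the MAPS column is not a guarantee.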
Managing the Executable Stack of Binaries (execstack)
Execstack is a tool to set, clear or query the executable stack flag of ELF binaries and shared libraries. It is part of the prelink program, but your Linux distribution may provide it as a separate package.
Installation
You are very likely to find the prelink and/or execstack packages using your distribution's package management system. At least Gentoo, Debian, Red Hat and distributions based on them provide prelink and/or execstack packages.
Usage
To display all available command-line switches, run execstack --help. Read the man page for more detailed information. An online version of the man page can be found at http://linux.die.net/man/8/execstack.
# execstack --help
Usage: execstack [OPTION...]
execstack -- program to query or set executable stack flag
  -c, --clear-execstack      Clear executable stack flag bit
  -q, --query                Query executable stack flag bit
  -s, --set-execstack        Set executable stack flag bit
  -?, --help                 Give this help list
      --usage                Give a short usage message
  -V, --version              Print program version
Report bugs to <jakub@redhat.com>.
Examples
To check if a library has executable stack enabled, run:
# execstack -q /usr/lib/libcrypto.so.0.9.8
- /usr/lib/libcrypto.so.0.9.8
The dash means libcrypto does not require an executable stack. If it did, the line would start with a capital "X" instead of a dash.
To query the status of all libraries in your system, run:
# find /lib /usr/lib -name '*.so.*.*.*' | xargs execstack
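Both execstack -q and paxctl -v work by reading ELF program headers: execstack looks at the PF_X bit of the PT_GNU_STACK header, and paxctl looks for a PT_PAX_FLAGS header (the "does not have a PT_PAX_FLAGS program header, try conversion" message earlier on this page is what you get when it is absent). The added example below (not code from prelink, paxctl or pax-utils) does the same inspection in pure Python so the checks can run on an image in memory or across a tree of files without either tool installed. The sample binaries are constructed in memory (minimal headers only, not loadable) and are hypothetical, not the page's /usr/bin/vi or libcrypto; the PT_PAX_FLAGS bit layout is taken from PaX's elf.h.

```python
"""Inspect ELF program headers for the two markers this page is about:
PT_GNU_STACK (what execstack -q reads) and PT_PAX_FLAGS (what paxctl -v
reads). Added example, not code from paxctl, pax-utils or prelink.

The sample binaries are constructed in memory (not loadable, just enough
header structure to inspect), so this runs offline.
"""
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551   # GNU stack-permission marker
PT_PAX_FLAGS = 0x65041580   # PaX per-binary flags header
PF_X = 0x1                  # executable bit in p_flags

# PT_PAX_FLAGS p_flags bits as defined in PaX's elf.h: each flag has an
# "enable" bit and a "disable" bit; neither set means "kernel default".
PAX_FLAG_BITS = {
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),
    "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}


def program_headers(data):
    """Return [(p_type, p_flags), ...] for every program header, ELF32 or ELF64."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}.get(ei_data)
    if end is None:
        raise ValueError("unknown ELF byte order")
    if ei_class == 2:                      # ELFCLASS64: p_flags follows p_type
        ehdr_fmt, phdr_fmt, flags_idx = "16sHHIQQQIHHHHHH", "IIQQQQQQ", 1
    elif ei_class == 1:                    # ELFCLASS32: p_flags is the 7th field
        ehdr_fmt, phdr_fmt, flags_idx = "16sHHIIIIIHHHHHH", "IIIIIIII", 6
    else:
        raise ValueError("unknown ELF class")
    ehdr = struct.unpack_from(end + ehdr_fmt, data, 0)
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    if e_phentsize != struct.calcsize(end + phdr_fmt):
        raise ValueError("unexpected e_phentsize")
    headers = []
    for i in range(e_phnum):
        ph = struct.unpack_from(end + phdr_fmt, data, e_phoff + i * e_phentsize)
        headers.append((ph[0], ph[flags_idx]))
    return headers


def stack_is_executable(data):
    """execstack -q: True/False from PT_GNU_STACK's PF_X bit, or None when the
    header is missing (the kernel then applies its architecture default, so
    such binaries deserve a manual look)."""
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None


def pax_flags(data):
    """paxctl -v: {flag: 'enabled'|'disabled'|'default'} from PT_PAX_FLAGS,
    or None when the header is absent (paxctl's "try conversion" case)."""
    for p_type, p_flags in program_headers(data):
        if p_type == PT_PAX_FLAGS:
            return {
                name: "enabled" if p_flags & on else "disabled" if p_flags & off else "default"
                for name, (on, off) in PAX_FLAG_BITS.items()
            }
    return None


def build_elf64(phdrs):
    """Constructed sample: minimal little-endian ELF64 with the given headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # class64, LE, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 0, 0, 0)         # ET_EXEC, EM_X86_64
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x10)
                    for t, f in phdrs)
    return ehdr + body


# Constructed samples (hypothetical binaries, not the page's /usr/bin/vi):
# a) non-executable stack, no PT_PAX_FLAGS header (paxctl would ask for conversion)
NX_STACK_NO_PAX = build_elf64([(PT_LOAD, 5), (PT_GNU_STACK, 6)])
# b) executable stack plus PT_PAX_FLAGS with RANDEXEC and EMUTRAMP disabled
X_STACK_WITH_PAX = build_elf64([(PT_LOAD, 5), (PT_GNU_STACK, 7),
                                (PT_PAX_FLAGS, (1 << 11) | (1 << 13))])

if __name__ == "__main__":
    # Usage: python3 this_script.py /path/to/binary ...  (reads real files)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, "execstack:", stack_is_executable(blob), "pax:", pax_flags(blob))
```

Note the three-way result of stack_is_executable: a missing PT_GNU_STACK header is reported as None rather than guessed, because the kernel's fallback depends on architecture, and a library that lacks the marker is exactly the kind of file the find/xargs sweep above is meant to surface.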