Grsecurity/Additional Utilities


This page will introduce you to some additional utilities. They are not required to use a grsecurity-enabled system, but are very useful and thus recommended.

Controlling PaX Flags (paxctl)

Paxctl is a user-space utility for controlling PaX flags of executables (see Appendix/PaX Flags for a list of these flags).

Installation

Download the latest version from the PaX website at http://pax.grsecurity.net/. In our case we downloaded paxctl-0.7.tar.bz2. Paxctl packages are not signed. Change into the directory you downloaded the package to and run the commands below.

$ tar xjf paxctl-0.7.tar.bz2
$ cd paxctl-0.7
$ make
$ su
# make install

The installation process does the following:

  • Installs the paxctl program to /sbin.
  • Installs paxctl's man pages to /usr/share/man/man1.

If you need to change either of these locations, modify the Makefile.

Usage

To display all available command-line switches, run paxctl --help. Read the man page for more detailed information.

# paxctl --help
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

usage: paxctl <options> <files>

options:
        -p: disable PAGEEXEC            -P: enable PAGEEXEC
        -e: disable EMUTRAMP            -E: enable EMUTRAMP
        -m: disable MPROTECT            -M: enable MPROTECT
        -r: disable RANDMMAP            -R: enable RANDMMAP
        -x: disable RANDEXEC            -X: enable RANDEXEC
        -s: disable SEGMEXEC            -S: enable SEGMEXEC

        -v: view flags                  -z: restore default flags
        -q: suppress error messages     -Q: report flags in short format
        -c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)
        -C: create PT_PAX_FLAGS (see manpage!)

Examples

Let's query which PaX flags, if any, have been enabled for /usr/bin/vi:

# paxctl -v /usr/bin/vi
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

file /usr/bin/vi does not have a PT_PAX_FLAGS program header, try conversion

As you can see, paxctl could not display the flags because vi does not have the appropriate program header. We need to convert the header and query the flags again.

  Note that paxctl does not make backup copies of the files it modifies. It is recommended that you make backups of the binaries you want to modify.

# paxctl -c /usr/bin/vi
file /usr/bin/vi had a PT_GNU_STACK program header, converted

# paxctl -v /usr/bin/vi
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -------x-e-- [/usr/bin/vi]
        RANDEXEC is disabled
        EMUTRAMP is disabled

With the appropriate program header in place, we can query and modify the PaX flags of vi.
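
The backup recommended in the note above can be scripted so that it is never skipped. This is an added example, not part of the original page or of paxctl; the function name pax_convert, the PAXCTL variable and the ".pax-orig" suffix are hypothetical, and it assumes paxctl exits non-zero when conversion fails.

```shell
#!/bin/sh
# Added example: back up a binary before paxctl rewrites its program headers.
# PAXCTL and the ".pax-orig" suffix are assumptions of this sketch.
PAXCTL=${PAXCTL:-paxctl}

# pax_convert FILE: copy FILE aside, run "paxctl -c", restore on failure.
# Usage (as root): pax_convert /usr/bin/vi
pax_convert() (
    file=$1
    backup="$file.pax-orig"

    [ -f "$file" ] || { echo "not a regular file: $file" >&2; exit 2; }
    # Never overwrite an earlier backup: it may be the only pristine copy.
    [ -e "$backup" ] && { echo "backup exists: $backup" >&2; exit 3; }

    # -p keeps mode, ownership and timestamps on the backup copy.
    cp -p -- "$file" "$backup" || exit 4

    if ! "$PAXCTL" -c "$file"; then
        # Assumption: paxctl exits non-zero when the conversion fails.
        echo "conversion failed, restoring $file" >&2
        cp -p -- "$backup" "$file" && rm -f -- "$backup"
        exit 5
    fi

    # Show the resulting flags so the change can be reviewed.
    "$PAXCTL" -v "$file"
)
```

The backup stays next to the binary after a successful conversion; remove it once the converted program has been tested.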

Displaying Program Capabilities (pspax)

The pspax program displays the run-time capabilities of all programs you have permission for. It is part of the pax-utils package. Pax-utils can be found at http://dev.gentoo.org/~vapier/dist/. It contains many useful tools for PaX but is not as critical as paxctl. The pax-utils package is maintained by the Hardened Gentoo Project.

Programs that the pax-utils package provides:

  • pspax - Displays the run-time capabilities of all programs you have permission for.
  • scanelf - Prints out information specific to the ELF structure of a binary.
  • dumpelf - Converts an ELF file into human-readable C code that defines a structure with the same image as the original ELF file.

For more information, see the Gentoo Linux guide to pax-utils.

Installation

Gentoo Linux and Debian GNU/Linux users (and possibly others) can install the pax-utils package the same way they install any other application in their system. Below are instructions on how to compile and install it from the source.

Download the latest version from http://dev.gentoo.org/~vapier/dist/. In our case we downloaded pax-utils-0.4.tar.xz, the latest stable release at the time of writing. Change into the directory you downloaded the package to and run the commands below.

$ tar xJf pax-utils-0.4.tar.xz
$ cd pax-utils-0.4
$ make
$ su
# make install

The installation process does the following:

  • Installs the pspax, scanelf, dumpelf and scanmacho programs to /usr/bin.
  • Installs README, BUGS, and TODO files to /usr/share/doc/pax-utils/.
  • Installs man pages of pspax, scanelf and dumpelf to /usr/share/man/man1.

If you need to change any of these locations, modify the Makefile.

Usage

To display all available command-line switches, run pspax --help. Read the man page for more detailed information.

$ pspax --help
* List ELF/PaX information about running processes

Usage: pspax [options]

Options:
  -a, --all         * Show all processes
  -e, --header      * Print GNU_STACK/PT_LOAD markings
  -i, --ipaddr      * Print ipaddr info if supported
  -p, --pid         * Process ID/pid #
  -u, --user        * Process user/uid #
  -g, --group       * Process group/gid #
  -n, --nx          * Only display w^x processes
  -w, --wx          * Only display w|x processes
  -W, --wide        * Wide output display of cmdline
  -v, --verbose     * Be verbose about executable mappings
  -C, --nocolor     * Don't emit color in output
  -B, --nobanner    * Don't display the header
  -h, --help        * Print this help and exit
  -V, --version     * Print version and exit

Pspax shows the PaX flags of a single program as a string of characters (e.g. "peMRS"). A lowercase character means the flag is disabled, an uppercase character means it is enabled. The table below lists these characters and the corresponding PaX flags used by grsecurity. The "Details" column contains a link to a detailed explanation of each flag.

pspax flag   grsecurity's PaX flag   Details
E            PAX_EMUTRAMP            emutramp.txt
M            PAX_MPROTECT            mprotect.txt
P            PAX_PAGEEXEC            pageexec.txt
R            PAX_RANDMMAP            randmmap.txt
S            PAX_SEGMEXEC            segmexec.txt

Examples

The command pspax -p <process_id> displays information about a specific process, identified by its PID. You are unlikely to know or remember the PID of a process, so it is easier to refer to it by name. The example below uses the pidof command to find the PID of a process and passes it on to pspax:

# pidof inetd | xargs pspax -p
USER     PID    PAX    MAPS ETYPE      NAME             CAPS_ATTR
root     1741   peMRS  w^x  ET_EXEC    inetd            =ep cap_setpcap-ep

Managing the Executable Stack of Binaries (execstack)

Execstack is a tool to set, clear or query the executable stack flag of ELF binaries and shared libraries. It is part of the prelink program, but your Linux distribution may provide it as a separate package.

Installation

You are very likely to find the prelink and/or execstack packages using your distribution's package management system. At least Gentoo, Debian, Red Hat and distributions based on them provide prelink and/or execstack packages.

Usage

To display all available command-line switches, run execstack --help. Read the man page for more detailed information. An online version of the man page can be found at http://linux.die.net/man/8/execstack.

# execstack --help
Usage: execstack [OPTION...]
execstack -- program to query or set executable stack flag

  -c, --clear-execstack      Clear executable stack flag bit
  -q, --query                Query executable stack flag bit
  -s, --set-execstack        Set executable stack flag bit
  -?, --help                 Give this help list
      --usage                Give a short usage message
  -V, --version              Print program version

Report bugs to <jakub@redhat.com>.

Examples

To check if a library has executable stack enabled, run:

# execstack -q /usr/lib/libcrypto.so.0.9.8
- /usr/lib/libcrypto.so.0.9.8

The dash means libcrypto does not require an executable stack. If it did, the line would start with a capital "X" instead of a dash.

To query the status of all libraries in your system, run:

# find /lib /usr/lib -name '*.so.*.*.*' | xargs execstack -q