Package Details: linux-pax-flags 2.0.18-4

Git Clone URL: https://aur-dev.archlinux.org/linux-pax-flags.git (read-only)
Package Base: linux-pax-flags
Description: Deactivates PaX flags for several binaries to work with PaX enabled kernels.
Upstream URL: https://github.com/nning/linux-pax-flags
Keywords: grsecurity linux pax security
Licenses: GPL3
Submitter: phects
Maintainer: phects
Last Packager: phects
Votes: 18
Popularity: 0.000872
First Submitted: 2012-01-12 18:16
Last Updated: 2015-12-15 12:27

Latest Comments

test0 commented on 2013-09-25 23:12

The Steam config should somehow go through all users' home directories and adjust the PaX flags there. I needed to use:

HOME=/home/test0 linux-pax-flags

…to get Steam to work.

test0 commented on 2013-09-25 22:22

Dropbox can be made to work like this:

paxctl -cPemRSX /opt/dropbox/dropbox

test0 commented on 2013-09-25 22:04

Using xattrs throughout would also have the advantage of not tripping off checksum-based security measures like IMA, tripwire etc.

test0 commented on 2013-09-25 22:02

Skype cannot be modified, so I had to set the appropriate xattr like this:

setfattr -n user.pax.flags -v PemRS /usr/lib*/skype/skype

(-X and -x are not honored anymore, anyway.)

Trampoline emulation (-E) is actually unnecessary! I also was able to disable it for the vim line below, which should now read:

paxctl -cPemRSX `which vim`

test0 commented on 2013-09-25 20:16

I had to use

paxctl -cPEmRXS `which vim`

to be able to use vim again, possibly because I have recompiled it with +mzscheme.

Also, if possible, setting flags via extended attributes instead of modifying the content of executables would be welcomed.

echoblack commented on 2013-09-12 03:38

paxctl -cPEmRXS /usr/bin/btsync

phects commented on 2013-05-03 11:20

s1gma:

Thanks for your help and sorry for my lag. I wanted to integrate your changes when I saw that, at least for now, Go binaries come with a PT_PAX_FLAGS header and MPROTECT, RANDEXEC and EMUTRAMP off. It seems to me that there are currently no changes necessary.

It is a little odd that space indentation does not work in YAML, but it is - at least in the YAML specs - desired behaviour. I did a workaround for spaces to work in another project and I will look into it. This would make config editing a little more user-friendly.

Anonymous comment on 2013-03-29 07:15

Hello,

Here is a (partial) config file for the go compiler. Some other binaries might need to be added though:

# MPROTECT off
PSmXER:
- /usr/bin/go
- /usr/lib/go/pkg/tool/linux_amd64/cgo

As a side note, the configuration parsing fails if tabs are replaced by spaces (before the '-' for example):

/usr/share/linux-pax-flags/go.conf: did not find expected key while parsing a block mapping at line 2 column 1

Not sure if it is the desired behavior, as a lot of people religiously replace tabs by spaces :-)

Cheers.
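
The flag strings in the comments above are easier to review once decoded into PaX feature names. This is an added example, not code from linux-pax-flags or from any commenter; the function names are made up for illustration, and it relies on the paxctl convention that an uppercase letter enables a feature and a lowercase letter disables it.

```python
# Added example: decode PaX flag strings like those quoted in the comments above.
FEATURES = {
    "P": "PAGEEXEC", "E": "EMUTRAMP", "M": "MPROTECT",
    "R": "RANDMMAP", "X": "RANDEXEC", "S": "SEGMEXEC",
}
# paxctl header options that are not protection flags; only -c appears on this page.
HEADER_OPTS = set("cC")


def decode(flags):
    """Return ({feature: enabled?}, [problems]) for one flag string.

    Accepts a paxctl argument ("-cPemRSX") or an xattr value ("PemRS").
    """
    state, problems = {}, []
    for ch in flags.lstrip("-"):
        if ch in HEADER_OPTS:
            continue
        name = FEATURES.get(ch.upper())
        if name is None:
            problems.append(f"unknown flag {ch!r}")
            continue
        enabled = ch.isupper()
        if name in state and state[name] != enabled:
            problems.append(f"{name} both enabled and disabled")
        state[name] = enabled
    return state, problems


def disabled(flags):
    """Features the flag string explicitly turns off, sorted by name."""
    state, _ = decode(flags)
    return sorted(name for name, on in state.items() if not on)


def changed(old, new):
    """Features whose state differs between two flag strings."""
    a, b = decode(old)[0], decode(new)[0]
    names = sorted(a.keys() | b.keys())
    return {n: (a.get(n), b.get(n)) for n in names if a.get(n) != b.get(n)}


if __name__ == "__main__":
    # Flag strings copied from the comments above.
    for s in ("-cPemRSX", "PemRS", "-cPEmRXS", "PSmXER"):
        print(f"{s:10} disabled={disabled(s)} problems={decode(s)[1]}")
    print("vim, older vs. newer line:", changed("-cPEmRXS", "-cPemRSX"))
```

Running it over a site's own configuration entries shows at a glance which binaries run with MPROTECT or other features switched off, and flags strings that contradict themselves.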

echoblack commented on 2013-03-24 04:23

phects: Well, I used to have a CentOS server. However, I found a new VPS host that is KVM based. I now use Archlinux on my VPS, home server, and laptop. I see now, though, that binaries being located in different locations on different distros is where all the work would be anyway.

Ya, I filed a bug report on bugs.freedesktop.org about polkitd. They didn't understand what I was saying and closed the bug without fixing it. It is a major problem. Polkitd has had memory exploits reported. This daemon is also responsible for security settings arg. On the plus side, it does seem to run as the logged in user.

phects commented on 2013-03-23 18:15

You're right. I made sudo optional. The old behaviour is used if PAX_FLAGS_SUDO is set.