# paxctl(1) - man - phpMan

[paxctl(1)](https://www.chedong.com/phpMan.php/man/paxctl/1/markdown)                                        PaX                                       [paxctl(1)](https://www.chedong.com/phpMan.php/man/paxctl/1/markdown)



## NAME
       **paxctl** - user-space utility to control PaX flags

## SYNTAX
       **paxctl** <flags> <files>

## DESCRIPTION
       **paxctl**  is a tool that allows PaX flags to be modified on a per-binary basis.  PaX is part of
       common security-enhancing kernel patches and secure distributions,  such  as  GrSecurity  and
       Hardened  Gentoo,  respectively.  Your system needs to be running a properly patched and con‐
       figured kernel for this program to have any effect.

### -P

### -p

### -E

### -e

### -M

### -m

### -R

### -r

### -X

### -x

### -S

### -s

### -v

### -z

### -c
              PT_GNU_STACK program header if it exists

### -C
              header, if it is possible

### -q

### -Q

## CAVEATS
       The old PaX flag location and control method have been obsoleted, if your kernel and binaries
       use  it you have to use [chpax(1)](https://www.chedong.com/phpMan.php/man/chpax/1/markdown) instead (it is recommended to use PT_PAX_FLAGS along with -c
       or -C however).

       Converting PT_GNU_STACK into PT_PAX_FLAGS means that the information in  the  former  is  de‐
       stroyed, in particular you must make sure that the EMUTRAMP PaX option is properly set in the
       newly created PT_PAX_FLAGS.  The secure way is to disable EMUTRAMP first and if  PaX  reports
       stack execution attempts from nested function trampolines then enable it.

       Note  that  the  new  PT_PAX_FLAGS is created in the same state that binutils/ld itself would
       produce (equivalent to -zex).

       Note that if you use both PT_PAX_FLAGS and the extended attribute PaX flags on a binary  then
       they must be exactly the same (except for RANDEXEC).

       Note  that  RANDEXEC is no longer supported by PaX kernels since 2.6.13, the paxctl flags are
       simply ignored there.

       Note that paxctl does not make backup copies of the files it modifies.

       Note that paxctl is meant to work on the native  architecture's  binaries  only,  however  it
       should  work on foreign binaries as long as they have the same endianess as the native archi‐
       tecture (e.g., an i386 paxctl should work on amd64 or little-endian arm but not on big-endian
       mips binaries).

## AUTHOR
       Written by The PaX Team <<pageexec@freemail.hu>>

       This  manpage  was  adapted  from  the chpax manpage written by Martin F. Krafft <madduck@de‐
       bian.org> for the Debian GNU/Linux Distribution, but may be used by others.

## SEE ALSO
       [**chpax**(1)](https://www.chedong.com/phpMan.php/man/chpax/1/markdown), [**gradm**(8)](https://www.chedong.com/phpMan.php/man/gradm/8/markdown)

       PaX website: <http://pax.grsecurity.net>

       GrSecurity website: <http://www.grsecurity.net>

       Hardened Gentoo website: <http://www.gentoo.org/proj/en/hardened>



paxctl Manual                                2012-02-19                                    [paxctl(1)](https://www.chedong.com/phpMan.php/man/paxctl/1/markdown)