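#!/bin/bash
#
# Writes per-binary PaX flag exceptions into ELF headers with paxctl.
#
# Every entry in the table below switches off one or more PaX memory
# protections for the listed binary because the program does not work with
# them enabled. Each entry therefore weakens hardening for that program: keep
# the lists as short as possible and prefer the least permissive flag set
# that still lets the program run.
#
# Flag letters as passed to paxctl (upper-case enables, lower-case disables):
#   P/p PAGEEXEC   S/s SEGMEXEC   M/m MPROTECT
#   X/x RANDEXEC   E/e EMUTRAMP   R/r RANDMMAP
#   c   convert PT_GNU_STACK into PT_PAX_FLAGS when the header is missing

# Rewriting headers of system binaries needs root. Re-execute through sudo,
# passing the script path and arguments as separate, quoted words. exec makes
# sudo's exit status the script's exit status (the previous "exit $!" used the
# PID of the last background job, not a status).
if [ "$EUID" != "0" ]; then
    exec sudo -- "$0" "$@"
fi

# Prints the home directory recorded in /etc/passwd for the user named $1.
# The name is compared as an exact string against the first field, so a name
# that is a prefix of another account (or that contains regex characters)
# cannot select the wrong entry.
# NOTE(review): nothing in this script calls homedir; kept for compatibility.
function homedir() {
    awk -F: -v user="$1" '$1 == user { print $6; exit }' /etc/passwd
}

declare -A perms
perms=(
    # RANDMMAP off
    ['cPSMXEr']='
        /usr/bin/grub-script-check
    '

    # MPROTECT and RANDMMAP off
    ['cPSmXEr']='
        /usr/bin/elinks
        /usr/bin/pyrogenesis
        /usr/lib/iceweasel/iceweasel
        /usr/lib/iceweasel/plugin-container
        /usr/lib/icecat/icecat
        /usr/lib/icecat/plugin-container
        /usr/lib/polkit-1/polkitd
        /usr/lib/icedove/icedove
    '

    # SEGMEXEC and MPROTECT off
    # (RANDEXEC is not activatable for qemu. The binaries seem to be compiled
    # with PIE enabled, though.)
    ['cPsmxER']='
        /usr/bin/qemu-alpha
        /usr/bin/qemu-arm
        /usr/bin/qemu-armeb
        /usr/bin/qemu-cris
        /usr/bin/qemu-i386
        /usr/bin/qemu-m68k
        /usr/bin/qemu-microblaze
        /usr/bin/qemu-microblazeel
        /usr/bin/qemu-mips
        /usr/bin/qemu-mipsel
        /usr/bin/qemu-ppc
        /usr/bin/qemu-ppc64
        /usr/bin/qemu-ppc64abi32
        /usr/bin/qemu-s390x
        /usr/bin/qemu-sh4
        /usr/bin/qemu-sh4eb
        /usr/bin/qemu-sparc
        /usr/bin/qemu-sparc32plus
        /usr/bin/qemu-sparc64
        /usr/bin/qemu-unicore32
        /usr/bin/qemu-x86_64
    '

    # MPROTECT off
    ['cPSmXER']="
        /usr/bin/blender
        /usr/bin/clamscan
        /usr/bin/freshclam
        /usr/bin/glxdemo
        /usr/bin/glxgears
        /usr/bin/glxinfo
        /usr/bin/kdeinit4
        /usr/bin/kdenlive
        /usr/bin/kmail
        /usr/bin/kwin
        /usr/bin/liferea
        /usr/bin/mono
        /usr/bin/mplayer
        /usr/bin/okular
        /usr/bin/qemu-system-alpha
        /usr/bin/qemu-system-arm
        /usr/bin/qemu-system-cris
        /usr/bin/qemu-system-i386
        /usr/bin/qemu-system-lm32
        /usr/bin/qemu-system-m68k
        /usr/bin/qemu-system-microblaze
        /usr/bin/qemu-system-microblazeel
        /usr/bin/qemu-system-mips
        /usr/bin/qemu-system-mips64
        /usr/bin/qemu-system-mips64el
        /usr/bin/qemu-system-mipsel
        /usr/bin/qemu-system-ppc
        /usr/bin/qemu-system-ppc64
        /usr/bin/qemu-system-ppcemb
        /usr/bin/qemu-system-s390x
        /usr/bin/qemu-system-sh4
        /usr/bin/qemu-system-sh4eb
        /usr/bin/qemu-system-sparc
        /usr/bin/qemu-system-sparc64
        /usr/bin/qemu-system-x86_64
        /usr/bin/qemu-system-xtensa
        /usr/bin/qemu-system-xtensaeb
        /usr/bin/ruby
        /usr/bin/systemsettings
        /usr/bin/tcc
        /usr/bin/valgrind
        /usr/lib/erlang/erts-*/bin/beam
        /usr/lib/erlang/erts-*/bin/beam.smp
        /usr/lib/ghc-*/ghc
        /usr/lib/valgrind/cachegrind-amd64-linux
        /usr/lib/valgrind/cachegrind-x86-linux
        /usr/lib/valgrind/callgrind-amd64-linux
        /usr/lib/valgrind/callgrind-x86-linux
        /usr/lib/valgrind/drd-amd64-linux
        /usr/lib/valgrind/drd-x86-linux
        /usr/lib/valgrind/exp-bbv-amd64-linux
        /usr/lib/valgrind/exp-bbv-x86-linux
        /usr/lib/valgrind/exp-dhat-amd64-linux
        /usr/lib/valgrind/exp-dhat-x86-linux
        /usr/lib/valgrind/exp-sgcheck-amd64-linux
        /usr/lib/valgrind/exp-sgcheck-x86-linux
        /usr/lib/valgrind/helgrind-amd64-linux
        /usr/lib/valgrind/helgrind-x86-linux
        /usr/lib/valgrind/lackey-amd64-linux
        /usr/lib/valgrind/lackey-x86-linux
        /usr/lib/valgrind/massif-amd64-linux
        /usr/lib/valgrind/massif-x86-linux
        /usr/lib/valgrind/memcheck-amd64-linux
        /usr/lib/valgrind/memcheck-x86-linux
        /usr/lib/valgrind/none-amd64-linux
        /usr/lib/valgrind/none-x86-linux
        /usr/lib/xbmc/xbmc.bin
        /usr/sbin/clamd
        /usr/sbin/grub-probe
        /usr/sbin/vbetool
    "

    # PAGEEXEC, MPROTECT, EMUTRAMP and RANDMMAP off
    ['cpSmXer']='
        /usr/bin/sbcl
    '

    # All off
    ['cpsmxer']='
        /usr/bin/wine
        /usr/bin/wine-preloader
        /usr/lib/jvm/java-6-openjdk/bin/java
        /usr/lib/jvm/java-6-openjdk/bin/javac
        /usr/lib/jvm/java-6-openjdk/jre/bin/java
        /usr/lib/jvm/java-7-openjdk/bin/javac
        /usr/lib/jvm/java-7-openjdk/jre/bin/java
    '
)

echo "Some programs do not work properly without deactivating some of the PaX"
echo "features. Please close all instances of them if you want to change the"
echo "configuration for the following binaries:"

# Show only the binaries that are actually installed.
# ${perms[...]} is left unquoted on purpose: each value is a whitespace
# separated list, and entries such as erts-*/bin/beam are glob patterns that
# must expand here. Everything derived from it is quoted.
for perm in "${!perms[@]}"; do
    # shellcheck disable=SC2086
    for path in ${perms[$perm]}; do
        [ -f "$path" ] && echo " * $path"
    done
done

echo
# Quoted so that "headers?" and "[Y/n]" can never be treated as glob patterns
# and replaced by matching file names from the current directory.
echo "Continue writing PaX headers? [Y/n]"
# An empty answer means yes. NOTE(review): end-of-file on stdin also leaves
# the answer empty, so a non-interactive run proceeds without confirmation.
read -r answer

case "$answer" in
    "Y"|"y"|"")
        failed=0
        for perm in "${!perms[@]}"; do
            # shellcheck disable=SC2086
            for path in ${perms[$perm]}; do
                # -f follows symlinks, so for a listed symlink it is the
                # target file whose header gets rewritten.
                [ -f "$path" ] || continue
                echo "$perm $path"
                if ! paxctl "-$perm" "$path"; then
                    # Keep going (best effort), but do not hide the failure:
                    # the binary keeps whatever flags it had before.
                    echo "paxctl failed for $path" >&2
                    failed=1
                fi
            done
        done
        # Non-zero only when at least one header could not be written.
        exit "$failed"
        ;;
    *)
        exit 0
        ;;
esac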