I am Linux PaX user and therefore to debug any binary I need to disable protection flags (per binary) using paxctl command.
PaX gives user protection against buffer overflow attacks and such by randomization, but it also prohibits meaningfull debugging.
I could do this manually, however I’d have to repeat it after every rebuild.
I was thinking about these 4 options:
- Disabling PaX temporarily using /proc/sys/kernel/pax/softmode
- Having Eclipse run some kind of batch file after build (or modifying default makefile)
- Removing a bit of PaX from kernel to preserve adress space (as Gentoo docs suggests)
- Making Eclipse CDT debugger (gdb) use hardware breakpoints (hbreak) instead of normal ones (break)
2) seems a way to go here (w/o sacrificing security or performance).
Is there any way to execute scripts/batch_files after (re)build?
And there is another problem, even if I somehow manage to run script that does disable protections, how do I make it secure so it could not be used by someone else?
I was thinking about having ide run under “eclipse” user which would be in appropriate group to execute paxctl or something like that.
Thank you in advance for any tips.
Have you considered disabling PaX for you executable/library only ? You could do so by adding in
Project Properties > Build > Settings > Build Steps > Post-build Steps: