{"id":43514244,"url":"https://github.com/subgraph/paxrat","last_synced_at":"2026-02-03T13:30:40.768Z","repository":{"id":34456217,"uuid":"38391858","full_name":"subgraph/paxrat","owner":"subgraph","description":"paxrat is a utility to set PaX flags on a set of binaries. ","archived":false,"fork":false,"pushed_at":"2018-06-27T11:55:52.000Z","size":73,"stargazers_count":34,"open_issues_count":7,"forks_count":9,"subscribers_count":12,"default_branch":"master","last_synced_at":"2024-06-19T00:22:47.705Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/subgraph.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-07-01T19:55:35.000Z","updated_at":"2020-01-16T13:57:27.000Z","dependencies_parsed_at":"2022-08-30T05:21:01.639Z","dependency_job_id":null,"html_url":"https://github.com/subgraph/paxrat","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/subgraph/paxrat","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/subgraph%2Fpaxrat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/subgraph%2Fpaxrat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/subgraph%2Fpaxrat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/subgraph%2Fpaxrat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/subgraph","download_url":"https://codeload.github.com/subgraph/paxrat/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/subgraph%2Fpaxrat/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29046554,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-03T10:09:22.136Z","status":"ssl_error","status_checked_at":"2026-02-03T10:09:16.814Z","response_time":96,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-03T13:30:40.038Z","updated_at":"2026-02-03T13:30:40.744Z","avatar_url":"https://github.com/subgraph.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# paxrat\n\npaxrat is a utility to set PaX flags on a set of binaries. \n\nSubgraph OS uses paxrat to maintain the PaX flags while running in installed \nand live mode. It should also work out of the box on other Debian-based \noperating systems. Other Linux variants have not been tested but in theory it \nshould also work provided the paths in the config file are correct (as well as \nthe hard-coded path to the `paxctl` binary).\n\n## Use cases\n\npaxrat is designed to address a number of use cases currently not supported by\nother utilities with a similar purpose.\n\nIt supports the following use cases:\n\n1. Running in file-systems that support extended file attributes as well as\nthose that don't (such as SquashFS in a live disc or docker container)\n2. Runnable as a hook to a package manager such as dpkg\n3. Runnable in inotify-based watcher mode to set flags when files have changed \nsuch as during system updates (similar to \n[paxctld](https://grsecurity.net/download.php))\n4. Setting flags on a batch of binaries or just one\n\n# Configuration\n\npaxrat configuration is provided via a JSON file that lists each binary, the \nPaX flags, and a `nonroot` setting to specify whether the target binary is \nnot root-owned (paxrat will not set PaX flags on non-root owned binaries unless\nthis is set to `true`). By default paxrat will look for binary divertions using\n`dpkg-divert`, this can be disabled by using the `nodivert` setting.\n\nThe default configuration file for paxrat is located in \n`/etc/paxrat/paxrat.conf`. Running paxrat with no configuration file argument \nwill automatically use this file to set PaX flags.\n\npaxrat also supports optional configuration files from the \n`/etc/paxrat/conf.d/` directory files. This is for user created configuration. \npaxrat must be run with no `-c` argument to use the files in this directory.\n\n## Configuration example\n\nThe following is an example configuration:\n```json\n{\n  \"/usr/lib/iceweasel/iceweasel\": {                                                     \n    \"flags\": \"pm\"\n  },                                                                            \n  \"/usr/lib/iceweasel/plugin-container\": {                                                                  \n    \"flags\": \"m\"\n  },\n  \"/home/user/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/firefox\": {\n    \"flags\": \"pm\",\n    \"nonroot\": true\n  }\n}\n```\n\n# Usage\n\n## Default mode\n\nWhen paxrat is run without a configuration file (without `-c`) argument, it will use \nthe configuration file found in `/etc/paxrat/paxrat.conf` to set PaX flags. \nIt will also scan `/etc/paxrat/conf.d/` for additional configuration files. The \n`/etc/paxrat/conf.d/` directory can be used for user configurations. This is \nthe *preferred* mode of operation.\n\n\n```sh\n$ sudo paxrat\n```\n\n## Set flags on a single binary\n\n```sh\n$ sudo paxrat -s pm -b /usr/lib/iceweasel/iceweasel \n```\n\n## Set all flags from a non-default config file\n\n```sh\n$ sudo paxrat -c paxrat.conf \n```\n \n## Test to make sure the provided config file is valid\n\n```sh\n$ sudo paxrat -c paxrat.conf -t\n```\n\n## Run in watcher mode\n```sh\n$ sudo paxrat -c paxrat.conf -w\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsubgraph%2Fpaxrat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsubgraph%2Fpaxrat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsubgraph%2Fpaxrat/lists"}