Question

I am a Linux PaX user and therefore to debug any binary I need to disable protection flags (per binary) using the paxctl command. PaX gives the user protection against buffer overflow attacks and such by randomization, but it also prohibits meaningful debugging. I could do this manually, however I'd have to repeat it after every rebuild. I was thinking about these 4 options:

  1. Disabling PaX temporarily using /proc/sys/kernel/pax/softmode
  2. Having Eclipse run some kind of batch file after build (or modifying default makefile)
  3. Removing a bit of PaX from kernel to preserve address space (as Gentoo docs suggest)
  4. Making Eclipse CDT debugger (gdb) use hardware breakpoints (hbreak) instead of normal ones (break)

2) seems a way to go here (w/o sacrificing security or performance).

Is there any way to execute scripts/batch_files after (re)build?

And there is another problem: even if I somehow manage to run a script that does disable protections, how do I make it secure so it could not be used by someone else? I was thinking about having the IDE run under an "eclipse" user which would be in the appropriate group to execute paxctl or something like that.

Thank you in advance for any tips.

Solution

Have you considered disabling PaX for your executable/library only? You could do so by adding in Project Properties > Build > Settings > Build Steps > Post-build Steps:

/sbin/paxctl -pemrxs <your_artifact_name>
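
A post-build wrapper for the command above that also speaks to the question's concern about the step being reused on other files, as an added example that is not part of the original answer: it applies the answer's paxctl flags only to a regular, caller-owned ELF file inside the build directory. The function names, the `PAXCTL` override, the script name `relax-pax.sh` and its two-argument calling convention are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. PAXCTL override, function names
# and the <build_dir> <artifact> calling convention are assumptions.
PAXCTL="${PAXCTL:-/sbin/paxctl}"

# Print the canonical path of artifact $2 if it may be relaxed, else fail.
check_artifact() {
    root=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    file=$2
    # Must be a regular file and not a symlink pointing somewhere else.
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    # Must be owned by the user running the build.
    [ -O "$file" ] || return 1
    # Must live inside the build directory after resolving ".." and symlinks.
    dir=$(cd "$(dirname "$file")" 2>/dev/null && pwd -P) || return 1
    case "$dir/" in
        "$root"/*) ;;
        *) return 1 ;;
    esac
    # Must start with the ELF magic bytes 0x7f 'E' 'L' 'F'.
    magic=$(od -An -tx1 -N4 "$file" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 1
    printf '%s/%s\n' "$dir" "$(basename "$file")"
}

# Apply the flags from the answer to a validated artifact only.
relax_pax() {
    target=$(check_artifact "$1" "$2") || {
        echo "refusing to change PaX flags on: $2" >&2
        return 1
    }
    "$PAXCTL" -pemrxs "$target"
}

# Post-build entry point: relax-pax.sh <build_dir> <artifact>
if [ "$#" -eq 2 ]; then
    relax_pax "$1" "$2"
fi
```

Call it from the post-build step in place of the bare paxctl command, passing the build directory and the artifact path.
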
Licensed under: CC-BY-SA with attribution