The ia32 architecture has segments, which may be code or data, and pages, which may have read and write permissions. It has three protection rings such that calls into more inner rings must be done through gates. For Linux, the kernel is in ring 0 and user processes run in ring 3. Rings 1 and 2 aren't used. There are two different segments, but they both cover the entire 32-bit address space, so only page-level protections protect the kernel space from user space. This is done because most other architectures have pages, but no segments. As a consequence, execute permissions are not enforced by the hardware (you can execute any page you can read). All of this is done in protected mode. Virtually every other general-purpose architecture I know of has pages with read/write/execute permissions and just user/supervisor modes, so effectively two rings. The Itanium has something much more convoluted, of course.
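
The layout described above, as an added example that is not part of the original text: it decodes flat segment descriptors and models the permission check on a legacy 32-bit page-table entry, which has present, writable and user bits but no execute bit. The descriptor and page-table values are constructed for illustration, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed flat descriptors: base 0, limit 0xFFFFF, 4 KiB granularity. */
static const uint64_t KERNEL_CODE = 0x00cf9a000000ffffULL; /* DPL 0, code */
static const uint64_t USER_CODE   = 0x00cffa000000ffffULL; /* DPL 3, code */
static const uint64_t USER_DATA   = 0x00cff2000000ffffULL; /* DPL 3, data */

/* Base is split across bits 16-39 and 56-63 of the descriptor. */
static uint32_t seg_base(uint64_t d) {
    return (uint32_t)(((d >> 16) & 0xffffff) | (((d >> 56) & 0xff) << 24));
}
/* Bytes covered by the segment; the G flag (bit 55) scales the limit by 4 KiB. */
static uint64_t seg_span(uint64_t d) {
    uint64_t limit = (d & 0xffff) | (((d >> 48) & 0xf) << 16);
    return ((d >> 55) & 1) ? (limit + 1) << 12 : limit + 1;
}
static int seg_dpl(uint64_t d)     { return (int)((d >> 45) & 3); }
static int seg_is_code(uint64_t d) { return (int)((d >> 43) & 1); }

/* Permission bits of a legacy 32-bit page-table entry. No execute bit exists. */
#define PTE_P  0x1u /* present */
#define PTE_RW 0x2u /* writable */
#define PTE_US 0x4u /* accessible from ring 3 */

static int user_can_read(uint32_t pte) {
    return (pte & PTE_P) && (pte & PTE_US);
}
static int user_can_write(uint32_t pte) {
    return user_can_read(pte) && (pte & PTE_RW);
}
/* With flat segments, an instruction fetch passes the same check as a read. */
static int user_can_execute(uint32_t pte) { return user_can_read(pte); }

int main(void) {
    uint32_t kernel_page = 0x00100000u | PTE_P | PTE_RW;          /* constructed */
    uint32_t user_stack  = 0x00200000u | PTE_P | PTE_RW | PTE_US; /* constructed */
    printf("kernel code: dpl=%d span=%#llx\n", seg_dpl(KERNEL_CODE),
           (unsigned long long)seg_span(KERNEL_CODE));
    printf("user code:   dpl=%d span=%#llx base=%#x\n", seg_dpl(USER_CODE),
           (unsigned long long)seg_span(USER_CODE), (unsigned)seg_base(USER_CODE));
    printf("user data is code segment: %d\n", seg_is_code(USER_DATA));
    printf("ring 3 reads kernel page:  %d\n", user_can_read(kernel_page));
    printf("ring 3 writes user stack:  %d\n", user_can_write(user_stack));
    printf("ring 3 executes its stack: %d\n", user_can_execute(user_stack));
    return 0;
}
```

Because every segment spans the same 4 GiB, the code/data distinction in the descriptors filters nothing, and the only check left for a ring 3 access is the user bit in the page-table entry.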