System Administration Guide: Security Services

Executable Stacks and Security

A number of security bugs are related to default executable stacks when their permissions are set to read, write, and execute. While stacks with execute permissions are allowed, most programs can function correctly without using executable stacks.

The noexec_user_stack variable enables you to specify whether stack mappings are executable. The variable is available as of the Solaris 2.6 release. By default, the variable is set to zero, which provides ABI-compliant behavior; 64-bit applications are the exception to this default. If the variable is set to non-zero, the system marks the stack of every process in the system as readable and writable, but not executable.

Once this variable is set, programs that attempt to execute code on their stack are sent a SIGSEGV signal, which usually results in the program terminating with a core dump. Such programs also generate a warning message that includes the name of the offending program, the process ID, and the real UID of the user who ran the program. For example:

    a.out[347] attempt to execute code on stack by uid 555

The message is logged by the syslog daemon when the syslog kern facility is set to notice level. This logging is set by default in the syslog.conf file, which means that the message is sent to both the console and the /var/adm/messages file. For more information, see the syslogd(1M) and syslog.conf(4) man pages.

The syslog message is useful for observing potential security problems. The message also identifies legitimate programs that depend on executable stacks and that setting this variable has prevented from operating correctly. If the administrator does not want any messages logged, then the noexec_user_stack_log variable can be set to zero in the /etc/system file. Even though messages are not being logged, the SIGSEGV signal still causes the offending program to core dump.
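The following script is an added example, not part of the guide, showing how the warning described above can be picked out of /var/adm/messages and counted per program and UID so that a repeatedly failing binary (a legitimate program that needs an executable stack, or something less benign) stands out. The syslog prefix layout in the constructed sample lines (date, host, "unix:") is an assumption; the pattern anchors on the message body shown above, so it also matches the bare message.

```python
import re
from collections import Counter

# Warning format from the guide: "<program>[<pid>] attempt to execute code on stack by uid <uid>".
# Real /var/adm/messages entries usually carry a syslog prefix (timestamp, host, facility);
# the pattern is searched, not anchored, so it works with or without such a prefix.
STACK_EXEC_RE = re.compile(
    r"(?P<prog>\S+?)\[(?P<pid>\d+)\]\s+attempt to execute code on stack by uid (?P<uid>\d+)"
)


def parse_stack_exec_warnings(lines):
    """Return one dict (prog, pid, uid) per line that carries the executable-stack warning."""
    hits = []
    for line in lines:
        m = STACK_EXEC_RE.search(line)
        if m:
            hits.append({
                "prog": m.group("prog"),
                "pid": int(m.group("pid")),
                "uid": int(m.group("uid")),
            })
    return hits


def summarize_by_program(hits):
    """Count warnings per (program, uid) so repeated hits from one binary are easy to spot."""
    return Counter((h["prog"], h["uid"]) for h in hits)


# Constructed sample log lines (not taken from a real system); the prefix layout is assumed.
SAMPLE_LOG = [
    "a.out[347] attempt to execute code on stack by uid 555",
    "Mar  3 10:12:05 host1 unix: a.out[352] attempt to execute code on stack by uid 555",
    "Mar  3 10:13:40 host1 sendmail[120]: alias database rebuilt",
    "Mar  3 10:15:22 host1 unix: legacy_app[901] attempt to execute code on stack by uid 0",
]

if __name__ == "__main__":
    warnings = parse_stack_exec_warnings(SAMPLE_LOG)
    for (prog, uid), n in summarize_by_program(warnings).most_common():
        print(f"{prog} (uid {uid}): {n} warning(s)")
```

Run against the real file with `parse_stack_exec_warnings(open("/var/adm/messages"))`; a program that shows up repeatedly under the same UID is the first candidate to investigate, either as a legitimate dependency on an executable stack or as a sign of attempted misuse.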

You can use the mprotect() function if you want programs to explicitly mark their stack as executable. For more information, see the mprotect(2) man page.

Because of hardware limitations, the capability of catching and reporting executable stack problems is only available on sun4m and sun4u platforms.

How to Disable Programs From Using Executable Stacks

  1. Become superuser or assume an equivalent role.

  2. Edit the /etc/system file and add the following line:

     set noexec_user_stack=1

  3. Reboot the system.

     # init 6

How to Disable Executable Stack Message Logging

  1. Become superuser or assume an equivalent role.

  2. Edit the /etc/system file and add the following line:

     set noexec_user_stack_log=0

  3. Reboot the system.

     # init 6
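As an added check that is not part of the guide, the script below reads an /etc/system file and reports which of the two settings from the procedures above will be in effect after the next reboot. It treats lines beginning with "*" as comments, takes the last "set" line for a variable as the one that wins, and assumes the defaults the guide describes: noexec_user_stack is 0 unless set, and (an assumption, since the guide only says logging can be turned off) noexec_user_stack_log is 1 unless set. It reads the file only, so it reports the configured value, not what the running kernel is using.

```python
import re

# "set variable=value" lines as used in /etc/system; whitespace around "=" is tolerated.
SET_LINE_RE = re.compile(r"^\s*set\s+([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(-?\d+)\s*$")

# Values assumed when /etc/system does not mention the variable (noexec_user_stack per the
# guide; noexec_user_stack_log assumed to be 1 because the guide describes turning it off).
DEFAULTS = {"noexec_user_stack": 0, "noexec_user_stack_log": 1}


def parse_etc_system(text):
    """Return {variable: value} for every 'set' line; a later line overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("*"):   # comment line in /etc/system
            continue
        m = SET_LINE_RE.match(raw)
        if m:
            settings[m.group(1)] = int(m.group(2))
    return settings


def stack_policy(text):
    """Describe the executable-stack policy that /etc/system configures for the next reboot."""
    s = parse_etc_system(text)
    stack = s.get("noexec_user_stack", DEFAULTS["noexec_user_stack"])
    log = s.get("noexec_user_stack_log", DEFAULTS["noexec_user_stack_log"])
    return {
        "noexec_user_stack": stack,
        "noexec_user_stack_log": log,
        "stack_nonexecutable": stack != 0,   # non-zero marks every process stack non-executable
        "warnings_logged": log != 0,         # zero silences the syslog warning, not the SIGSEGV
    }


# Constructed /etc/system fragment (not from a real host).
SAMPLE_ETC_SYSTEM = """\
* constructed example: harden stacks but keep the log quiet
set noexec_user_stack=1
set noexec_user_stack_log=0
"""

if __name__ == "__main__":
    for key, value in stack_policy(SAMPLE_ETC_SYSTEM).items():
        print(f"{key}: {value}")
```

Point it at the live file with `stack_policy(open("/etc/system").read())`; a result with stack_nonexecutable True and warnings_logged False is the combination the two procedures above produce, and a hardened host that still expects to see the syslog warning should show warnings_logged True.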