The noexec_user_stack and noexec_user_stack_log system variables are deprecated. However, if the variables remain in the /etc/system file, the protection of executable stacks is ensured by the following enforcement:
If noexec_user_stack is set to 1, the value of nxstack remains enabled for all processes.
If noexec_user_stack is set to 0, the value of nxstack becomes tagged-files.
If noexec_user_stack_log is set to 1, log files of error messages are kept.
If noexec_user_stack_log is set to 0, log files of error messages are not kept.
For a description of the security risks of 32-bit executable stacks, see Protecting the Process Heap and Executable Stacks From Compromise.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
For example, on a SPARC platform that supports ADI, the output is similar to the following:
$ sxadm status
EXTENSION           STATUS                        FLAGS
adiheap             enabled (all)                 u-c--
adistack            enabled (tagged-files)        u-c--
...
For parseable output, specify the parameters with the -po options:
$ sxadm status -po extension,status,configuration
aslr:enabled.tagged-files:enabled.default
nxheap:enabled.tagged-files:enabled.default
nxstack:enabled.all:enabled.default
...
If the nxheap or nxstack security extensions show values other than the default values, delete the customizations. In the example output, you would run the following commands:
# sxadm delcust nxheap
# sxadm status
aslr                enabled (tagged-files)        u-c--
nxheap              enabled (tagged-files)        u-c--
nxstack             enabled (all)                 u-c--
The logs for nxheap and nxstack are stored in the /var/adm/messages file.
# sxadm set log=disable nxheap
# sxadm set log=disable nxstack
# sxadm get log
EXTENSION           PROPERTY            VALUE
...
nxstack             log                 disable
nxheap              log                 disable
If you disable noexec_user_stack in the /etc/system file but do not remove the entry, binaries that are tagged continue to be protected. This tagged-files configuration allows binaries that can only succeed when their stack is executable to succeed, while protecting most executable stacks from malicious code. For more information, see nxstack and noexec_user_stack Compatibility.
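The following added example (not Oracle's code) checks the status field of the parseable sxadm output shown earlier against a baseline, and reports which nxstack model a leftover noexec_user_stack entry in /etc/system enforces under the rules at the top of this page. The baseline is an assumption taken from the status the page shows after sxadm delcust; the function names check_sxadm and legacy_nxstack and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Oracle's code): audit nxheap/nxstack settings from captured text.
# On a live system: sxadm status -po extension,status,configuration | check_sxadm
#                   legacy_nxstack < /etc/system

# Assumed baseline: the status the page shows after running sxadm delcust.
BASELINE='nxheap=enabled.tagged-files nxstack=enabled.all'

# check_sxadm: stdin is parseable sxadm output (extension:status:configuration).
# Prints DEVIATION/MISSING lines and returns non-zero if any were found.
check_sxadm() {
    awk -F: -v base="$BASELINE" '
        BEGIN {
            n = split(base, b, " ")
            for (i = 1; i <= n; i++) { split(b[i], kv, "="); want[kv[1]] = kv[2] }
        }
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) {
                printf "DEVIATION %s status=%s expected=%s\n", $1, $2, want[$1]
                bad = 1
            }
        }
        END {
            for (e in want) if (!(e in seen)) { print "MISSING " e; bad = 1 }
            exit bad + 0
        }'
}

# legacy_nxstack: stdin is /etc/system content. Prints the nxstack model that a
# leftover noexec_user_stack entry enforces (page rules: 1 -> all, 0 -> tagged-files).
legacy_nxstack() {
    awk '
        /^[ \t]*[*#]/ { next }    # skip comment lines
        /^[ \t]*set[ \t]+noexec_user_stack[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t].*$/, "", v)
            model = (v == "1") ? "all" : ((v == "0") ? "tagged-files" : "unknown")
        }
        END { print (model == "" ? "unset" : model) }'
}

# Constructed sample input: the first two lines follow the output format on this
# page; the nxstack line is a made-up deviation.
SAMPLE='aslr:enabled.tagged-files:enabled.default
nxheap:enabled.tagged-files:enabled.default
nxstack:enabled.tagged-files:enabled.tagged-files'
printf '%s\n' "$SAMPLE" | check_sxadm || echo "review customizations (sxadm delcust)"
printf '* legacy entry\nset noexec_user_stack=0\n' | legacy_nxstack
```

The noexec_user_stack_log entry is deliberately ignored by legacy_nxstack, because it controls only logging and not the nxstack model.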