
Securing Systems and Attached Devices in Oracle® Solaris 11.4


Updated: July 2019

nxstack and noexec_user_stack Compatibility

The noexec_user_stack and noexec_user_stack_log system variables are deprecated. However, if the variables remain in the /etc/system file, executable-stack protection is still enforced as follows:

  • If noexec_user_stack is set to 1, the value of nxstack remains enabled for all processes.

  • If noexec_user_stack is set to 0, the value of nxstack becomes tagged-files.

  • If noexec_user_stack_log is set to 1, log files of error messages are kept.

  • If noexec_user_stack_log is set to 0, log files of error messages are not kept.

How to Prevent the Execution of Malicious Code From the Process Stack and Process Heap

For a description of the security risks of 32-bit executable stacks, see Protecting the Process Heap and Executable Stacks From Compromise.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. View the status of the nxstack and nxheap security extensions.

    For example, on a SPARC platform that supports ADI, the output is similar to the following:

    $ sxadm status
    EXTENSION           STATUS                        FLAGS
    adiheap             enabled (all)                 u-c--
    adistack            enabled (tagged-files)        u-c--
    ...

    For parseable output, specify the fields to display with the -po options:

    $ sxadm status -po extension,status,configuration
    aslr:enabled.tagged-files:enabled.default
    nxheap:enabled.tagged-files:enabled.default
    nxstack:enabled.all:enabled.default
    ...

  2. Return the nxheap and nxstack security extensions to the default.

    If the nxheap or nxstack security extensions show values other than the default values, delete the customizations. In the example output, you would run the following commands:

    # sxadm delcust nxheap
    # sxadm status
    aslr                enabled (tagged-files)        u-c--
    nxheap              enabled (tagged-files)        u-c--
    nxstack             enabled (all)                 u-c--

    The logs for nxheap and nxstack are stored in the /var/adm/messages file.

  3. (Optional) To disable the logging of error messages, disable the log property.

    # sxadm set log=disable nxheap
    # sxadm set log=disable nxstack
    # sxadm get log
    EXTENSION           PROPERTY                      VALUE
    ...
    nxstack             log                           disable
    nxheap              log                           disable

Troubleshooting

If your nxstack setting is ignored, remove the noexec_user_stack and noexec_user_stack_log system variables from the /etc/system file. Then, enable the nxstack security extension again.

If you set noexec_user_stack to 0 in the /etc/system file but do not remove the entry, binaries that are tagged continue to be protected. This tagged-files configuration allows binaries that require an executable stack to run, while protecting most executable stacks from malicious code. For more information, see nxstack and noexec_user_stack Compatibility.
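As an added example that is not part of this document or of sxadm, the following POSIX shell script applies the checks from the procedure above and from this troubleshooting section to constructed sample data: it picks out nxheap/nxstack entries that step 2 says to reset, finds leftover noexec_user_stack entries in /etc/system text, and maps them to the nxstack behaviour described under nxstack and noexec_user_stack Compatibility. It assumes that the configuration field of `sxadm status -po extension,status,configuration` ends in `.default` only when no customization is present.

```shell
#!/bin/sh
# Added example, not Oracle's code: audit the sxadm state and /etc/system entries
# this procedure covers. All input below is constructed sample data.

# Constructed `sxadm status -po extension,status,configuration` output. Assumption:
# the configuration field ends in ".default" only when no customization is set.
SAMPLE_STATUS='aslr:enabled.tagged-files:enabled.default
nxheap:enabled.all:enabled.all
nxstack:enabled.all:enabled.default'

# Constructed /etc/system fragment still carrying the deprecated variables.
SAMPLE_ETC_SYSTEM='* constructed sample, not a real /etc/system
set noexec_user_stack=0
set noexec_user_stack_log = 1
set maxusers=2048'

# List nxheap/nxstack entries whose configuration is customized, i.e. the ones
# step 2 says to reset with "sxadm delcust <extension>".
customized_nx_extensions() {
    printf '%s\n' "$1" | awk -F: '
        $1 ~ /^nx(heap|stack)$/ && $3 !~ /\.default$/ { print $1 }'
}

# List deprecated noexec_user_stack* settings from /etc/system text as
# name=value with whitespace removed; the troubleshooting section says to remove them.
deprecated_stack_settings() {
    printf '%s\n' "$1" | awk '
        $1 == "set" {
            line = $0; sub(/^[[:space:]]*set[[:space:]]*/, "", line)
            gsub(/[[:space:]]/, "", line)
            if (line ~ /^noexec_user_stack(_log)?=[01]$/) print line
        }'
}

# Map one deprecated setting to the nxstack behaviour the compatibility
# section describes (1 keeps "all", 0 drops to "tagged-files").
effective_nxstack_mode() {
    case "$1" in
        noexec_user_stack=1) echo all ;;
        noexec_user_stack=0) echo tagged-files ;;
        *) echo unchanged ;;
    esac
}

for ext in $(customized_nx_extensions "$SAMPLE_STATUS"); do
    echo "reset customization: sxadm delcust $ext"
done
for s in $(deprecated_stack_settings "$SAMPLE_ETC_SYSTEM"); do
    echo "remove from /etc/system: $s (nxstack -> $(effective_nxstack_mode "$s"))"
done
```

On a real system, feed the functions the output of `sxadm status -po extension,status,configuration` and the contents of /etc/system instead of the constructed samples.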