nxstack and noexec_user_stack Compatibility - Securing Systems and Attached Devices in Oracle® Solaris 11.3

Language:

`nxstack` and `noexec_user_stack` Compatibility

The noexec_user_stack and noexec_user_stack_log system variables are deprecated. However, if the variables remain in the /etc/system file, the protection of executable stacks is ensured by the following enforcement:

If noexec_user_stack is set to 1, the value of nxstack remains enabled for all processes.
If noexec_user_stack is set to 0, the value of nxstack becomes tagged-files.
If noexec_user_stack_log is set to 1, log files of error messages are kept.
If noexec_user_stack_log is set to 0, log files of error messages are not kept.

How to Prevent the Execution of Malicious Code From the Process Stack and Process Heap

For a description of the security risks of 32-bit executable stacks, see Protecting the Process Heap and Executable Stacks From Compromise.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

View the status of the nxstack and nxheap security extensions.

The –p option provides parseable output. For example:

$ sxadm status
EXTENSION           STATUS                        CONFIGURATION
aslr                enabled (tagged-files)        default (default)
nxstack             enabled (all)                 default (default)
nxheap              enabled (tagged-files)        default (default)

$ sxadm status -p
aslr:enabled (tagged-files):default (default)
nxstack:enabled (all):default (default)
nxheap:enabled (tagged-files):default (default)

Return the nxheap and nxstack security extensions to the default.
If the nxheap or nxstack security extensions show values other than the default values, delete the customizations. In the example output, you would run the following commands:
```
# sxadm delcust nxheap
# sxadm status
EXTENSION           STATUS                        CONFIGURATION
aslr                enabled (tagged-files)        default (default)
nxstack             enabled (all)                 default (default)
nxheap              enabled (tagged-files)        default (default)
```
The logs for nxheap and nxstack are stored in the /var/adm/messages file.

(Optional) To disable the logging of error messages, disable the log property.

# sxadm set log=disable nxheap
# sxadm set log=disable nxstack
# sxadm get log
EXTENSION           PROPERTY                      VALUE
...
nxstack             log                           disable
nxheap              log                           disable

Troubleshooting

If your nxstack setting is ignored, remove the noexec_user_stack and noexec_user_stack_log system variables from the /etc/system file. Then, enable the nxstack security extension again.

If you disable noexec_user_stack in the /etc/system file but do not remove the entry, binaries that are tagged continue to be protected. This tagged-files configuration allows binaries that can only succeed when their stack is executable to succeed, while protecting most executable stacks from malicious code. For more information, see nxstack and noexec_user_stack Compatibility.