noexec_user_stack Parameter
Note:
Although noexec_user_stack is still operational, this parameter is deprecated in this Oracle Solaris release. Use the nxheap and nxstack security extensions instead. You can control and configure Oracle Solaris extensions at the system level and at the process level with the sxadm command. For procedures and examples that show the use of nxheap and nxstack, see Protecting the Process Heap and Executable Stacks From Compromise in Securing Systems and Attached Devices in Oracle Solaris 11.4. For more information about the sxadm command, see the sxadm(8) man page. For guidelines to secure and harden Oracle Solaris, see Oracle Solaris 11.4 Security and Hardening Guidelines.
- Description
-
Enables the stack to be marked as nonexecutable, which helps make buffer-overflow attacks more difficult.
An Oracle Solaris system running a 64-bit kernel makes the stacks of all 64-bit applications nonexecutable by default. Setting this parameter is necessary to make the stacks of all 32-bit applications nonexecutable by default if they weren't linked with the nxstack security extensions flag. This parameter, together with noexec_user_stack_log, can be set in a file in the /etc/system.d directory. See Protecting the Process Heap and Executable Stacks From Compromise in Securing Systems and Attached Devices in Oracle Solaris 11.4.
- Data Type
-
Signed integer
- Default
-
0 (disabled)
- Range
-
0 (disabled) or 1 (enabled)
- Units
-
Toggle (on/off)
- Dynamic?
-
Yes. Does not affect currently running processes, only processes created after the value is set.
- Validation
-
None
- When to Change
-
Should be enabled at all times unless applications are deliberately placing executable code on the stack without using mprotect to make the stack executable. For more information, see the mprotect(2) man page.
- Commitment Level
-
Unstable
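
The check below is an added example, not part of the Oracle documentation: a shell audit that reads the fragments in a directory such as /etc/system.d and reports whether noexec_user_stack and noexec_user_stack_log are set. It assumes the set name=value syntax of /etc/system files, comment lines that start with * or #, and that the last assignment in lexical file order wins; the function names, file names and sample fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit /etc/system-format fragments for the stack tunables.
# Assumptions: "set name=value" syntax, comment lines start with "*" or "#",
# and the last assignment found (files taken in lexical order) is the
# effective one.

# tunable_value DIR NAME -> prints the last value assigned to NAME, or "unset"
tunable_value() {
    dir=$1 name=$2 val=unset
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Drop comment lines, then match: set NAME = VALUE (spaces tolerated)
        v=$(sed -n -e '/^[[:space:]]*[*#]/d' \
            -e "s/^[[:space:]]*set[[:space:]][[:space:]]*$name[[:space:]]*=[[:space:]]*\([0-9a-fA-Fx]*\).*/\1/p" \
            "$f" | tail -n 1)
        [ -n "$v" ] && val=$v
    done
    echo "$val"
}

# audit_stack DIR -> returns 0 only if noexec_user_stack is enabled (1)
audit_stack() {
    stack=$(tunable_value "$1" noexec_user_stack)
    log=$(tunable_value "$1" noexec_user_stack_log)
    echo "noexec_user_stack=$stack noexec_user_stack_log=$log"
    case $stack in
        1|0x1) return 0 ;;
        *) echo "WARN: noexec_user_stack is not enabled in $1" >&2
           return 1 ;;
    esac
}

# Constructed sample fragments (not taken from a real system)
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '* baseline\nset noexec_user_stack=0\n' > "$demo/10-base"
printf '# hardening\nset noexec_user_stack = 1\nset noexec_user_stack_log=1\n' \
    > "$demo/50-harden"
audit_stack "$demo"
```

On a Solaris host, call audit_stack /etc/system.d instead of the sample directory. A result of "unset" means the default of 0 (disabled) applies to this parameter.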