Solaris: disable executable stack

Information Systems and Technology
University of Waterloo
22-Jun-1999

Synopsis

Many security compromises can be traced to a "stack buffer overflow exploit" -- Solaris 2.6 and subsequent versions have a system setting that will disable that exploit for at least some hardware platforms. This requires the addition of a couple of lines to the file /etc/system and then a system reboot to take effect.

For Solaris systems where you can disable those exploits we strongly encourage that the system be configured to do so. Note that there may be some applications which will break if this security setting is configured -- we've not found any as yet!

Reference

A reference to this feature of Solaris is found in Casper Dik's Solaris FAQ (regularly published on Usenet in the newsgroup comp.unix.solaris, also on file at the FAQ Consortium):

7.2) How can I guard my system against stack buffer overflow exploits?

By default, the Solaris kernel maps the system stack RWX; this behaviour is mandated by the SPARC V8 ABI. Since a non-executable stack gets in the way of certain classes of security bug exploits, a feature was added to Solaris 2.6 that allows system administrators to remove the "X" protection from the stack.

To enable this feature, add the following to /etc/system:

    * Foil certain classes of bug exploits
    set noexec_user_stack = 1

    * Log attempted exploits
    set noexec_user_stack_log = 1

This is no general "cure-all" protection for buffer overflow exploits. It may also break certain SPARC V8 ABI conforming programs.

This feature also requires hardware support; it is only available on UltraSPARC (sun4u), sun4d and sun4m systems.

The SPARC V9 ABI no longer maps the stack executable, so 64 bit applications have less to worry about.

(from) Solaris 2 Frequently Asked Questions (FAQ) 1.68

See also the What's New part in "Managing System Security" in the Solaris 2.6 Answerbook. That's also a very good description of the feature but makes no mention that the feature is only supported on some platforms.

Implementation

Here's what you have to do to configure a system with the "noexec_user_stack" setting. Note that you will need to be the root user to change the system configuration and reboot:

  1. Verify that your system is a version of Solaris on a hardware platform which can support the "noexec_user_stack" setting; use the uname command:

    [9:15am xsv] uname -a
    SunOS xsv 5.6 Generic sun4m sparc SUNW,SPARCstation-4

    The FAQ notes the setting is only available on SunOS 5.6 and later and it's only supported on the sun4u, sun4d and sun4m hardware platforms. The uname command tells you what you need to know.

  2. Save a copy of the /etc/system configuration in case you need to restore it (in this and subsequent steps you'll need to be the root user):

    [9:16am xsv] cp /etc/system /etc/system.orig

    If things get really messed up you can boot in single user mode and restore the system configuration file -- this shouldn't be necessary but it's prudent to keep a copy.

  3. Edit the /etc/system configuration to add these lines:

    [9:17am] tail /etc/system
    ....etc...
    * Foil certain classes of bug exploits
    set noexec_user_stack = 1

    * Log attempted exploits
    set noexec_user_stack_log = 1

    Note that the configuration does not take effect until the system is rebooted.

  4. Finally reboot your system to have the settings take effect:

    [9:17am] reboot

    The reboot command is found as /usr/sbin/reboot. There are other methods to halt and reboot the system -- "init 6" seems to be the vendor recommended method (it's the System V way).
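
Steps 1 to 3 can be scripted so that a re-run never duplicates the settings or overwrites the saved copy. The following is an added example, not part of the original how-to: the function names and the file argument are hypothetical, and it assumes a POSIX shell and grep (on Solaris, the /usr/xpg4/bin versions rather than the legacy /bin/sh and /usr/bin/grep).

```shell
#!/bin/sh
# Added example: function names and the FILE argument are hypothetical.
# Needs a POSIX shell and grep (on Solaris, the /usr/xpg4/bin versions).

is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Step 1: succeeds for SunOS 5.6 or later on sun4u, sun4d or sun4m.
# Arguments are the outputs of `uname -r` and `uname -m`.
stack_prot_supported() {
    rel=$1 mach=$2
    case "$rel" in *.*) ;; *) return 1 ;; esac
    major=${rel%%.*}; rest=${rel#*.}; minor=${rest%%.*}
    is_num "$major" && is_num "$minor" || return 1
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 6 ]; } || return 1
    case "$mach" in sun4u|sun4d|sun4m) return 0 ;; *) return 1 ;; esac
}

# Succeeds if FILE has an active (uncommented) "set NAME = 1" line.
has_setting() {
    grep -E "^[[:space:]]*set[[:space:]]+$1[[:space:]]*=[[:space:]]*1[[:space:]]*\$" \
        "$2" >/dev/null 2>&1
}

# Steps 2 and 3: keep FILE.orig (made once), then append only the settings
# that are missing. Prints how many were added; step 4 (reboot) is left to
# the administrator.
apply_noexec_stack() {
    file=$1 added=0
    [ -f "$file.orig" ] || cp -p "$file" "$file.orig" || return 1
    if ! has_setting noexec_user_stack "$file"; then
        printf '%s\n' '* Foil certain classes of bug exploits' \
            'set noexec_user_stack = 1' >>"$file"
        added=$((added + 1))
    fi
    if ! has_setting noexec_user_stack_log "$file"; then
        printf '%s\n' '* Log attempted exploits' \
            'set noexec_user_stack_log = 1' >>"$file"
        added=$((added + 1))
    fi
    echo "$added"
}

# Demo on a constructed file, never the live /etc/system.
demo=${TMPDIR:-/tmp}/system.demo.$$
printf '%s\n' '* constructed sample' 'set maxusers = 64' >"$demo"
stack_prot_supported 5.6 sun4m && apply_noexec_stack "$demo" && cat "$demo"
rm -f "$demo" "$demo.orig"
```

On a real host the arguments would be `uname -r`, `uname -m` and /etc/system, run as root; the settings still take effect only after the reboot in step 4.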

That's all you need to do to enable this important security feature. It will mean that a large class of exploits are prevented -- you can rest a little easier knowing that many break-ins are now impossible.

We first were made aware of this feature in June of 1999 and configured our workstations accordingly. They've run fine since with no ill effects as yet. We see no reason to not use this configuration as the default and have great difficulty imagining any legitimate program which would need to execute code from the stack.

If anyone encounters an application that fails because of this security setting we are very interested -- please let us know if anything breaks!

Acknowledgments

This Solaris security feature was first brought to our attention by Robyn Landers of MFCF, who bumped into the feature at the 1998 USENIX LISA. Many thanks to Robyn for bringing this to our attention. Many thanks also to Dawn Whiteside for her testing on her personal workstation.

22-Jun-1999; Reg Quinton