man pages section 1M: System Administration Commands     Oracle Solaris 11.1 Information Library

sxadm

- manage security extensions configuration

Synopsis

/usr/sbin/sxadm enable [-c conf=value[,conf=value,...]]
     extension[ extension...]
/usr/sbin/sxadm disable extension[ extension...]
/usr/sbin/sxadm delcust extension[ extension...]
/usr/sbin/sxadm exec [-s extension=value]... command
/usr/sbin/sxadm info [-p] [extension]
/usr/sbin/sxadm help [subcommand]

Description

The sxadm command controls and configures Solaris security extensions both at the system level (global zone, non-global zone) and at the process level (/usr/sbin/sxadm exec).

The enable and disable subcommands enable and disable a given security extension system-wide. The -c option passes extension-specific configuration information to enable. The delcust subcommand resets an extension to the out-of-the-box default configuration.

The info subcommand reports the status of security extensions for the current zone. The -p option produces easily parseable output for external consumers.

The exec subcommand allows you to control the status of a given security extension at the process level. The specified command is executed with the security extension configured as expressed by any -s extension=value entry following the exec subcommand. Security extensions that are configured on the command line are inherited by child processes.

Security Extensions

Security extensions for a process are determined during exec(2) and become effective for a process upon exit from the exec(2) system call. Extensions persist for the lifetime of the process until the process exits or calls exec(2) again.

ASLR - Address Space Layout Randomization

ASLR activates the randomization of key areas of the process such as stack, brk-based heap, memory mappings, and so forth.

By default, the global zone and all non-global zones boot with ASLR enabled only for tagged binaries. Tagged binaries are built using the link-editor's -z aslr option. See the Address Space Layout Randomization (ASLR) section in the Developer's Guide to Oracle Solaris 11 Security for more details. Many core Solaris binaries are tagged with ASLR enabled. The sxadm enable, disable, and delcust subcommands can be used to configure ASLR system-wide. ASLR configuration values for sxadm enable are:

model=all

Enable ASLR for all processes.

model=tagged-files

Enable ASLR for tagged binaries only.

model=default

Follow system default. Currently: tagged-files

ASLR configuration values for the sxadm exec command are:

aslr=enable

Enable ASLR for the process.

aslr=disable

Disable ASLR for the process.

ASLR is not supported for Solaris 10 Containers.

Sub-commands

The sxadm command has the following subcommands:

sxadm enable [-c conf=value[,conf=value,...]] extension[,extension]

Enable the specified extension for the current zone. The -c option allows sxadm to pass configuration information for the specific extension.

Multiple extensions and multiple configuration values can both be specified on the command line, although if the configuration value does not apply to all extensions, the command will fail. Most common uses of this command are thus:

% sxadm enable extension1 extension2

Also:

% sxadm enable -c prop=value,prop2=value2 extension

See the Examples section for more examples.

sxadm disable extension[,extension]

Disable the specified extension for the current zone.

sxadm delcust extension[,extension]

Restore the extension to the default (out-of-the-box) configuration.

sxadm info [-p] [extension]

Report information on the status of all security extensions for the current zone. If -p is specified, the output is displayed in an easily parseable format. Specifying an extension on the command line filters for the specific extension.

Machine parseable output is a list of colon-separated fields:

extension_name:status[.extra]:configuration[.extra]

where:

extension_name

The name of the extension.

status

The current status for the extension (enabled or disabled).

extra

Represents (significant) extra information that the extension wishes to report. As an example, in the ASLR case, if ASLR is enabled, extra can either be tag or all depending on the model.

configuration

The stored configuration for the extension (enabled, disabled, or system default).

The colon (:), null (\0), and newline (\n) characters are not permitted in any of the components: extension_name, status, extra, and configuration.

sxadm exec [-s extension=value]... command

Execute the specified command with a specific configuration for security extensions. For each security extension not explicitly configured on the command line, the system configuration is used. Child processes eventually spawned by command inherit the same security extension configuration that was specified on the command line. Set-uid and privileged binaries do not inherit any configuration. Multiple configurations can be expressed on a single command line using multiple -s options. If the same extension is configured more than once, the last occurrence takes precedence. For example:

% sxadm exec -s aslr=disable -s aslr=enable /usr/bin/pmap

...executes /usr/bin/pmap with aslr enabled.

The sxadm exec subcommand is designed to accommodate the common case in which a debugger is applied to a single process started directly by the debugger. It may not be sufficient for more complex scenarios. In such cases, it may be necessary to use sxadm to change the system or zone level security extension defaults, or to apply per-object tagging using the ld(1) utility, in order to facilitate debugging.

sxadm help [subcommand]

Display usage information about sxadm or more detailed information for each subcommand.

Examples

Example 1 Executing pmap Binary

The sxadm command below executes the pmap binary with ASLR disabled at runtime.

bash$ pmap self
# memory addresses are randomized
101731: pmap self
101731: pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
000003B0E8DF8000         36K rw---    [ heap ]
[...]
FFFFF843B8098000        344K r-x--  /lib/amd64/ld.so.1
FFFFF843B80FE000         12K rwx--  /lib/amd64/ld.so.1
FFFFF843B8101000          8K rwx--  /lib/amd64/ld.so.1
FFFFFBF4A14E0000         12K rw---    [ stack ]
      total         2592K

bash$ sxadm exec -s aslr=disable /usr/bin/pmap self
101733: /usr/bin/pmap self
101733: /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
[...]
FFFFFD7FFF394000        344K r-x--  /lib/amd64/ld.so.1
FFFFFD7FFF3FA000         12K rwx--  /lib/amd64/ld.so.1
FFFFFD7FFF3FD000          8K rwx--  /lib/amd64/ld.so.1
FFFFFD7FFFDFD000         12K rw---    [ stack ]
      total         2588K

Example 2 Displaying Information about the Security Extensions Configuration

The following sxadm info commands display information about the security extensions configuration.

bash$ sxadm info -p
aslr:enabled.tagged-files:system default.default
bash$ sxadm info
EXTENSION        STATUS                   CONFIGURATION
aslr             enable (tagged-files)    system default (default)
bash$ sxadm enable -c model=all aslr
bash$ sxadm info
EXTENSION        STATUS                   CONFIGURATION
aslr             enable (all)             enable (all)
bash$ sxadm info -p
aslr:enabled.all:enabled.all
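
An added example, not part of the original man page: a POSIX shell parser for the sxadm info -p format described above, used to report whether ASLR covers all processes, only tagged binaries, or nothing. The function names, SX_* variables and verdict strings are this example's own assumptions; the first two sample lines come from Example 2 and the third is constructed from the documented format.

```shell
#!/bin/sh
# Format: extension_name:status[.extra]:configuration[.extra]

# Split "base[.extra]" at the first dot into SX_BASE / SX_EXTRA.
split_extra() {
    case $1 in
        *.*) SX_BASE=${1%%.*}; SX_EXTRA=${1#*.} ;;
        *)   SX_BASE=$1;       SX_EXTRA= ;;
    esac
}

# Parse one line; sets SX_NAME, SX_STATUS, SX_STATUS_EXTRA, SX_CONF,
# SX_CONF_EXTRA. Returns 1 unless there are exactly three non-empty fields
# (a colon is never allowed inside a field, so a fourth field is malformed).
parse_sxadm_line() {
    line=$1
    case $line in
        *:*:*:*) return 1 ;;
        *:*:*)   ;;
        *)       return 1 ;;
    esac
    SX_NAME=${line%%:*}
    rest=${line#*:}
    status_field=${rest%%:*}
    conf_field=${rest#*:}
    [ -n "$SX_NAME" ] && [ -n "$status_field" ] && [ -n "$conf_field" ] || return 1
    split_extra "$status_field"; SX_STATUS=$SX_BASE; SX_STATUS_EXTRA=$SX_EXTRA
    split_extra "$conf_field";   SX_CONF=$SX_BASE;   SX_CONF_EXTRA=$SX_EXTRA
}

# Read `sxadm info -p` output on stdin and print one verdict for aslr:
# ok (all processes), partial (enabled, but not model=all), disabled, unknown.
aslr_verdict() {
    verdict=unknown
    while IFS= read -r l; do
        parse_sxadm_line "$l" || continue      # skip malformed lines
        [ "$SX_NAME" = aslr ] || continue
        case $SX_STATUS:$SX_STATUS_EXTRA in
            enabled:all) verdict=ok ;;
            enabled:*)   verdict=partial ;;
            disabled:*)  verdict=disabled ;;
        esac
    done
    echo "$verdict"
}

# Sample input: two lines from Example 2, the last one constructed.
for sample in 'aslr:enabled.tagged-files:system default.default' \
              'aslr:enabled.all:enabled.all' 'aslr:disabled:disabled'; do
    printf '%s -> %s\n' "$sample" "$(printf '%s\n' "$sample" | aslr_verdict)"
done
```

On a live system the same check is run as: sxadm info -p | aslr_verdict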

Example 3 Reset to Default Configuration

The following sxadm delcust command restores the extension to the default, out-of-the-box configuration.

bash$ sxadm info
EXTENSION        STATUS                   CONFIGURATION
aslr             enable (all)             enable (all)
bash$ sxadm delcust aslr
bash$ sxadm info
EXTENSION        STATUS                   CONFIGURATION
aslr             enable (tagged-files)    system default (default)

Example 4 Running a Debugging Session

The following command sequence illustrates a debugging session being conducted with ASLR disabled.

bash$ sxadm exec -s aslr=disable /bin/bash
bash$
# Because all processes (except privileged ones) inherit the (disabled)
# aslr configuration mdb, truss & co will have repeatable results.

bash$ truss -t mmap /bin/true
mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0)
= 0xFE5B0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0)
= 0xFE5A0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0)
= 0xFE590000
[...]
bash$ truss -t mmap /bin/true
mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0)
= 0xFE5B0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0)
= 0xFE5A0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0)
= 0xFE590000
[...]
bash$ truss -t mmap /bin/true
mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0)
= 0xFE5B0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0)
= 0xFE5A0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0)
= 0xFE590000

Exit Status

0

The command completed successfully.

1

The command exited due to an error.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE           ATTRIBUTE VALUE
Availability             system/core-os
Interface Stability      Committed

See Also

ld(1), exec(2), attributes(5)

Oracle Solaris 11.1 Administration: Security Services

Address Space Layout Randomization (PaxTeam). Under http://pax.grsecurity.net/

Address Space Layout Randomization in Windows Vista. Under http://blogs.msdn.com/b/michael_howard/

Address space randomization in 2.6. Under http://lwn.net/

Official mention on the web site of Library Randomization for Mac OS X Snow Leopard (Mac OS X Lion has full randomization). Under http://www.apple.com/macosx/security