man pages section 1M: System Administration Commands, Oracle Solaris 11.1 Information Library
NAME
sxadm - manage security extensions configuration
SYNOPSIS
/usr/sbin/sxadm enable [-c conf=value[,conf=value,...]] extension [extension...]
/usr/sbin/sxadm disable extension [extension...]
/usr/sbin/sxadm delcust extension [extension...]
/usr/sbin/sxadm exec [-s extension=value]... command
/usr/sbin/sxadm info [-p] [extension]
/usr/sbin/sxadm help [subcommand]
DESCRIPTION
The sxadm command controls and configures Solaris security extensions both at the system level (global zone, non-global zone) and at the process level (/usr/sbin/sxadm exec).
The enable and disable subcommands enable and disable a given security extension system-wide. The -c option passes extension-specific configuration information to enable. The delcust subcommand resets an extension to the out-of-the-box default configuration.
The info subcommand reports the status of security extensions for the current zone. The -p option produces easily parseable output for external consumers.
The exec subcommand allows you to control the status of a given security extension at the process level. The specified command is executed with the security extension configured as expressed by any -s extension=value entry following the exec subcommand. Security extensions that are configured on the command line are inherited by child processes.
Security extensions for a process are determined during exec(2) and become effective for a process upon exit from the exec(2) system call. Extensions persist for the lifetime of the process until the process exits or calls exec(2) again.
Address Space Layout Randomization (ASLR)
ASLR activates the randomization of key areas of the process such as the stack, the brk-based heap, memory mappings, and so forth.
By default, the global zone and all non-global zones boot with ASLR enabled only for tagged binaries. Tagged binaries are built using the link-editor's -z aslr option. See the Address Space Layout Randomization (ASLR) section in the Developer's Guide to Oracle Solaris 11 Security for more details. Many core Solaris binaries are tagged with ASLR enabled. The sxadm enable, disable, and restore subcommands can be used to configure ASLR system-wide. ASLR configuration values for sxadm enable are:
model=all
    Enable ASLR for all processes.
model=tagged-files
    Enable ASLR for tagged binaries only.
model=default
    Follow the system default (currently tagged-files).
ASLR configuration values for the sxadm exec command are:
aslr=enable
    Enable ASLR for the process.
aslr=disable
    Disable ASLR for the process.
ASLR is not supported for Solaris 10 Containers.
The sxadm command has the following subcommands:
enable [-c conf=value[,conf=value,...]] extension [extension...]
Enable the specified extension for the current zone. The -c option allows sxadm to pass configuration information for the specific extension.
Multiple extensions and multiple configuration values can both be specified on the command line, although if a configuration value does not apply to all of the listed extensions, the command fails. The most common uses of this command are thus:
% sxadm enable extension1 extension2
Also:
% sxadm enable -c prop=value,prop2=value2 extension
See the Examples section for more examples.
disable extension [extension...]
Disable the specified extension for the current zone.
delcust extension [extension...]
Restore the extension to the default (out-of-the-box) configuration.
info [-p] [extension]
Report information on the status of all security extensions for the current zone. If -p is specified, the output is displayed in an easily parseable format. Specifying an extension on the command line filters the report for that extension only.
Machine parseable output is a list of colon-separated fields:
extension_name:status[.extra]:configuration[.extra]
where:
extension_name
    The name of the extension.
status
    The current status for the extension (enabled or disabled).
extra
    Represents (significant) extra information that the extension wishes to report. As an example, in the ASLR case, if ASLR is enabled, extra can be either tagged-files or all depending on the model.
configuration
    The stored configuration for the extension (enabled, disabled, or system default).
The characters colon (:), null sign (\0), and newline (\n) are not permitted for any of the components, extension_name, status, extra, and configuration.
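As an added example (not part of sxadm or this man page), the following Python parses the machine-parseable format described above, splits the optional .extra components, rejects records that do not have exactly three colon-separated fields, and checks each aslr record against a required model; the sample records are constructed from the states shown in the Examples section.

```python
# Added example (not part of sxadm): parse `sxadm info -p` records and check ASLR policy.
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample records, modelled on the man page examples.
SAMPLE_OUTPUT = """\
aslr:enabled.tagged-files:system default.default
aslr:enabled.all:enabled.all
aslr:disabled:disabled
"""
@dataclass
class ExtensionState:
    name: str
    status: str                  # "enabled" or "disabled"
    status_extra: Optional[str]  # for aslr: "tagged-files" or "all" when enabled
    configuration: str           # stored configuration: enabled, disabled or "system default"
    config_extra: Optional[str]

def _split_extra(field: str):  # "value[.extra]" -> (value, extra or None)
    value, sep, extra = field.partition(".")
    return value, (extra if sep else None)

def parse_info_line(line: str) -> ExtensionState:
    """Parse one extension_name:status[.extra]:configuration[.extra] record; colons,
    NUL and newline may not appear inside a component, so splitting on ':' is safe."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 3 or not parts[0]:
        raise ValueError(f"malformed sxadm info -p record: {line!r}")
    status, status_extra = _split_extra(parts[1])
    if status not in ("enabled", "disabled"):
        raise ValueError(f"unexpected status {status!r} in record {line!r}")
    configuration, config_extra = _split_extra(parts[2])
    return ExtensionState(parts[0], status, status_extra, configuration, config_extra)

def parse_info_output(text: str) -> List[ExtensionState]:
    """Parse a whole `sxadm info -p` output; blank lines are skipped."""
    return [parse_info_line(ln) for ln in text.splitlines() if ln.strip()]

def aslr_findings(states: List[ExtensionState], require_model: str = "all") -> List[Optional[str]]:
    """One entry per aslr record: None if enabled with the required model, else a reason."""
    findings = []
    for s in states:
        if s.name != "aslr":
            continue
        if s.status != "enabled":
            findings.append("ASLR disabled")
        elif s.status_extra != require_model:
            findings.append(f"ASLR enabled for {s.status_extra!r}, policy requires {require_model!r}")
        else:
            findings.append(None)
    return findings
```

On a Solaris host the text fed to parse_info_output would come from running sxadm info -p; here the constructed SAMPLE_OUTPUT stands in for it.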
exec [-s extension=value]... command
Execute the specified command with a specific configuration for security extensions. For each security extension not explicitly configured on the command line, the system configuration is used. Child processes eventually spawned by command inherit the same security extension configuration that was specified on the command line. Set-uid and privileged binaries do not inherit any configuration. Multiple configurations can be expressed on a single command line using multiple -s options. If the same extension is configured more than once, the last occurrence takes precedence. For example:
% sxadm exec -s aslr=disable -s aslr=enable /usr/bin/pmap
...executes /usr/bin/pmap with aslr enabled.
The sxadm exec subcommand is designed to accommodate the common case in which a debugger is applied to a single process started directly by the debugger. It may not be sufficient for more complex scenarios. In such cases, it may be necessary to use sxadm to change the system or zone level security extension defaults, or to apply per-object tagging using the ld(1) utility, in order to facilitate debugging.
help [subcommand]
Display usage information about sxadm or more detailed information for each subcommand.
EXAMPLES
Example 1 Executing the pmap Binary
The sxadm command below executes the pmap binary with ASLR disabled at runtime.
bash$ pmap self # memory addresses are randomized
101731: pmap self
0000000000400000   28K r-x--  /usr/bin/pmap
0000000000417000    4K rw---  /usr/bin/pmap
0000000000418000    8K rw---  /usr/bin/pmap
000003B0E8DF8000   36K rw---    [ heap ]
[...]
FFFFF843B8098000  344K r-x--  /lib/amd64/ld.so.1
FFFFF843B80FE000   12K rwx--  /lib/amd64/ld.so.1
FFFFF843B8101000    8K rwx--  /lib/amd64/ld.so.1
FFFFFBF4A14E0000   12K rw---    [ stack ]
 total           2592K
bash$ sxadm exec -s aslr=disable /usr/bin/pmap self
101733: /usr/bin/pmap self
0000000000400000   28K r-x--  /usr/bin/pmap
0000000000417000    4K rw---  /usr/bin/pmap
0000000000418000   40K rw---    [ heap ]
[...]
FFFFFD7FFF394000  344K r-x--  /lib/amd64/ld.so.1
FFFFFD7FFF3FA000   12K rwx--  /lib/amd64/ld.so.1
FFFFFD7FFF3FD000    8K rwx--  /lib/amd64/ld.so.1
FFFFFD7FFFDFD000   12K rw---    [ stack ]
 total           2588K
Example 2 Displaying Information about the Security Extensions Configuration
The following sxadm info commands display information about the security extensions configuration.
bash$ sxadm info -p
aslr:enabled.tagged-files:system default.default
bash$ sxadm info
EXTENSION  STATUS                 CONFIGURATION
aslr       enable (tagged-files)  system default (default)
bash$ sxadm enable -c model=all aslr
bash$ sxadm info
EXTENSION  STATUS        CONFIGURATION
aslr       enable (all)  enable (all)
bash$ sxadm info -p
aslr:enabled.all:enabled.all
Example 3 Reset to Default Configuration
The following sxadm delcust command restores the extension to the default, out-of-the-box configuration.
bash$ sxadm info
EXTENSION  STATUS        CONFIGURATION
aslr       enable (all)  enable (all)
bash$ sxadm delcust aslr
bash$ sxadm info
EXTENSION  STATUS                 CONFIGURATION
aslr       enable (tagged-files)  system default (default)
Example 4 Running a Debugging Session
The following command sequence illustrates a debugging session being conducted with ASLR disabled.
bash$ sxadm exec -s aslr=disable /bin/bash
bash$ # Because all processes (except privileged ones) inherit the (disabled)
# aslr configuration mdb, truss & co will have repeatable results.
bash$ truss -t mmap /bin/true
mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFE5B0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFE5A0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFE590000
[...]
bash$ truss -t mmap /bin/true
mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFE5B0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFE5A0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFE590000
[...]
bash$ truss -t mmap /bin/true
mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFE5B0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFE5A0000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFE590000
EXIT STATUS
0
    The command completed successfully.
>0
    The command exited due to an error.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
SEE ALSO
Oracle Solaris 11.1 Administration: Security Services
Address Space Layout Randomization (PaX Team). Under http://pax.grsecurity.net/
Address Space Layout Randomization in Windows Vista. Under http://blogs.msdn.com/b/michael_howard/
Address space randomization in 2.6. Under http://lwn.net/
Official mention, on the Apple web site, of Library Randomization for Mac OS X Snow Leopard (Mac OS X Lion has full randomization). Under http://www.apple.com/macosx/security