executable_stack(5)						File Formats Manual					       executable_stack(5)

NAME

       executable_stack - controls whether program stacks are executable by default

VALUES

   Failsafe
   Default
   Allowed values
   Recommended values
DESCRIPTION

       This tunable parameter controls whether program stacks are executable by default.  It allows systems to be configured to have extra protec-
       tion from stack buffer overflow attacks without sacrificing system performance.	This class of attack very commonly attempts to trick priv-
       ileged  programs  into  performing  unauthorized  actions  or giving unauthorized access.  Background information on this type of attack is
       available on the web by searching for 'Smashing the Stack for Fun and Profit.'

       The majority of programs that run on HP-UX do not need to execute code located on their stacks.	A few programs, notably  some  simulators,
       interpreters  and  older  versions  of Java, may have a legitimate reason to execute code from their stacks.  These programs typically have
       self-modifying code.  Using a combination of this tunable and the option of the command permits such executables to function without sacri-
       ficing protection for the rest of the system.

       Refer to the 'Restricting Execute Permission on Stacks' section of the chatr(1) manpage for more information before changing this tunable.

   Who is Expected to Change This Tunable?
       Anyone.

   Restrictions on Changing
       Changes to this tunable take effect for new processes started after the change.

   When Should the Value of This Tunable Be Changed?
       This  tunable  controls	operational  modes  rather  than data structure sizes and limits.  The appropriate setting for a system depends on
       whether you consider security or compatibility to be most important.

       A value of is compatible with previous releases of HP-UX, but it is the least secure.  This setting permits the	execution  of  potentially
       malicious code located on a program's stack.

       A value of provides warnings about any program attempting to execute code on its stacks, but does not alter the program's behavior.  Suspi-
       cious activity is logged in the kernel's message buffers.  (See dmesg(1M).)  This is a 'trial mode' setting intended to allow you to safely
       determine whether a tunable value of would affect any legitimate application.

       A  tunable value of is the recommended setting on systems where a higher level of security is important.  This is essentially the same as a
       setting of but it will also terminate any process that attempts to execute code on its stacks.  The process will be terminated  before  the
       potentially malicious code is executed.

   What Are the Side Effects of Changing the Value
       This  tunable  has no effect on system behavior unless an application attempts to execute instructions located on its stacks.  The majority
       of HP-UX applications are not programmed to do this.

   What Other Tunable Values Should Be Changed at the Same Time?
       None.

WARNINGS

       All HP-UX kernel tunable parameters are release specific.  This parameter may be removed or have its meaning changed in future releases	of
       HP-UX.

       Installation  of  optional  kernel  software, from HP or other vendors, may cause changes to tunable parameter values.  After installation,
       some tunable parameters may no longer be at the default or recommended values.  For information about the effects of installation  on  tun-
       able  values,  consult  the documentation for the kernel software being installed.  For information about optional kernel software that was
       factory installed on your system, see at

AUTHOR

       was developed by HP.

							     Tunable Kernel Parameters					       executable_stack(5)