chatr_ia(1) General Commands Manual chatr_ia(1)
NAME
chatr_ia: chatr - change program's internal attributes on Integrity systems
SYNOPSIS
Format 1: for files with a single text segment and a single data segment
library] mode] mode] flag]
flag] flag] flag] flag] flag] flag] size] flag] flag] library] flag] flag] flag] flag] flag] size] size] flag] flag] flag] flag]
file ...
Format 2: for explicit specification of segments
address | index} mode] flag]
flag] flag] flag] flag] size] flag] flag] flag] flag] file ...
Remarks
This manpage describes on Integrity systems. For on PA-RISC systems, see chatr_pa(1).
DESCRIPTION
allows you to change a program's internal attributes for 32-bit and 64-bit ELF files.
There are two syntactic forms that can be used to invoke
o allows easy manipulation of ordinary files that have only a single text segment and a single data segment.
o allows explicit specification of the segments to be modified.
Upon completion, prints the file's old and new values to standard output unless is specified.
The and options only provide a hint for the virtual memory page size. The actual page sizes may vary. Under certain conditions, page size
hints of may result in better performance, depending on the specific memory requirements of the application.
The performance of some applications may benefit from static branch prediction, others may not. The option provides a hint for using or
avoiding this feature.
The and related options provide performance enhancements through use of a global symbol table, which improves searching for exported symbols.
See dld.so(5) and the for more information.
To use Format 2, first specify the segment you want to modify by address (with the option) or index (with the option), or specify all
segments (with the option). Then use the or options to modify the segment attributes. You can include more than one segment on the
command line as long as you specify each segment with an or option, followed by the modifying options.
Options
Indicate that the specified shared library
is subject to run-time path lookup if directory path lists are provided (see and
Perform its operation silently.
Enable null pointer dereference trap.
Run-time dereference of null pointers will produce a SIGSEGV signal. (This is the complement of the option.)
Select run-time binding behavior mode of a program
using shared libraries. You must specify one of the binding modes or See the for a description of binding modes.
Disable null pointer dereference trap.
(This is the complement of the option.)
Control the address space model to be used by the kernel.
Possible values for mode are and The default value is currently equivalent to In order to set the mode to any value other
than the default, the binary should have been built with the compiler option to ensure that the text and data segments are
contiguous.
Control whether the embedded path list stored when the program (if any) was built can be used to locate shared libraries needed by
the program. The two flag values, and respectively enable and disable use of the embedded path list. However, you cannot use on an
ELF file, and a warning message is issued. See the option. You can use the option to enable the embedded path for filter libraries.
(Format 2 only.) Enable or disable the code bit for a specified segment.
If this is enabled, it is denoted by the flag for the segment listing in the output.
Enable or disable the code bit for the file's data segment(s).
If this is enabled, it is denoted by the flag for the segment listing in the output.
Enable or disable the code bit for the file's text segment(s).
If this is enabled, it is denoted by the flag for the segment listing in the output.
Enable or disable the ability to run a program, and, after it is running,
attach to it with a debugger and set breakpoints in its dependent shared libraries. When enabled, this allows for mapping
the text segments of shared libraries in a private, writable region. Also, you can use this feature on individual shared
libraries, which makes the text segment mapped private. If contains the string "", all shared libraries are mapped private.
You can also specify a colon-separated list of shared library base names with this option, following an equal character; for
example:
Change the dynamic optimization setting. The flag value enables dynamic optimizations for a load module (executable or shared
library), if the run-time environment supports this feature. The flag value prohibits dynamic optimizations for a load module. The
flag value restores the default setting, which allows the run-time environment to enable or disable dynamic optimizations for a load
module.
(Format 2 only.) Enable or disable lazy swap allocation for dynamically
allocated segments (such as the stack or heap).
Control the ability of user code to execute from stack with the
flag values, and See the section below for additional information related to security issues.
Control whether the global symbol table hash mechanism is
used to look up values of symbol import/export entries. The two flag values, and respectively enable and disable use of the
global symbol table hash mechanism. The default is
Request a particular hash array size using the global symbol table hash mechanism. The value can vary between 1 and The default
value is 1103. Use this option with This option works on files linked with the option.
Controls the preference of physical memory for the data segment. This is only important on ccNUMA (Cache Coherent Non-Uniform
Memory Architecture) systems. The flag value may be either enable or disable. When enabled, the data segment will use interleaved
memory. When disabled (the default), the data segment will use cell local memory. This behavior will be inherited across a but not
an For more information regarding ccNUMA, see pstat_getlocality(2).
Request kernel assisted branch prediction.
The flags and turn this request on and off, respectively.
Indicate that the specified shared library
is not subject to run-time path lookup if directory path lists are provided (see and
(Format 2 only.) Enable or disable the modification bit for a specified segment.
If this is enabled, it is denoted by the flag for the segment listing in the output.
Enable or disable the modification bit for the file's data segment(s).
If this is enabled, it is denoted by the flag for the segment listing in the output.
or the dynamic loader to automatically preload and also maps shared libraries as private. The library is used to support heap
analysis through GDB.
Enable or disable the shared library segment merging features.
When enabled, all data segments of shared libraries loaded at program startup are merged into a single block. Data segments
for each dynamically loaded library will also be merged with the data segments of its dependent libraries. Merging of these
segments increases run-time performance by allowing the kernel to use larger size page table entries.
Enable or disable the modification bit for the file's text segment(s).
If this is enabled, it is denoted by the flag for the segment listing in the output.
Enable or disable the flag to control use of in calculating the absolute path of the working directory. Enabling the flag
instructs the dynamic loader to calculate the absolute path of the current working directory when the parent module (object module,
shared library, or executable) is first loaded. The loader then uses this path for all occurrences of in the dependent libraries.
If there are no occurrences of you should disable the flag, to avoid calculating the absolute path. By default, if is not
present, the flag is disabled.
(Format 2 only.) Set the page size for a specified segment.
Request a particular virtual memory page size that
should be used for data. Sizes of and are supported. A size of results in using the default page size. A size of results
in using the largest page size available. The actual page size may vary if the requested size cannot be fulfilled.
Request a particular virtual memory page size that
should be used for text (instructions). See the option for additional information.
Request static branch prediction when executing this
program. The flags and turn this request on and off, respectively. If this is enabled, it is denoted by the flag for the
segment listing in the output.
This is an to the option.
Control whether the directory path list specified with the
and environment variable can be used to locate shared libraries needed by the program. The two flag values, and respec-
tively enable and disable use of the environment variable. If both and are used, their relative order on the command line
indicates which path list will be searched first. See the option.
(Format 2 only.)
Specify a segment using an address for a set of attribute modifications.
(Format 2 only.)
Use all segments in the file for a set of attribute modifications.
(Format 2 only.)
Specify a segment using a segment index number for a set of attribute modifications.
Enable or disable lazy swap on all data segments (using Format 1) or on a specific segment (using Format 2). The flags and turn
this request on or off, respectively. May not be used with non-data segments.
Enable or disable dynamic instrumentation by If enabled, the dynamic loader (see dld.so(5)) will automatically invoke upon program
execution to collect profile information.
Restricting Execute Permission on Stacks
A frequent or common method of breaking into systems is by maliciously overflowing buffers on a program's stack, such as passing unusually
long, carefully chosen command line arguments to a privileged program that does not expect them. Malicious unprivileged users can use this
technique to trick a privileged program into starting a superuser shell for them, or to perform similar unauthorized actions.
One simple yet highly effective way to reduce the risk from this type of attack is to remove the execute permission from a program's stack
pages. This improves system security without sacrificing performance and has no negative effects on the vast majority of legitimate
applications. The changes described in this section only affect the very small number of programs that try to execute (or are tricked
into executing) instructions located on the program's stack(s).
If the stack protection feature described in this section is enabled for a program and that program attempts to execute code from its
stack(s), the HP-UX kernel will terminate the program with a signal, display a message referring to this manual page section, and log an
error message to the system message log (use to view the error message). The message logged by the kernel is:
If you see one of these messages, check with the program's owner to determine whether this program is legitimately executing code from its
stack. If it is, you can use one or both of the methods described below to make the program functional again. If the program is not
legitimately executing code from its stack, you should suspect malicious activity and take appropriate action.
HP-UX provides two options to permit legitimate execution from a program's stack(s). Combinations of these two options help make
site-specific tradeoffs between security and compatibility.
The first method is the use of the option of and affects individual programs. It is typically used to specify that a particular binary
must be able to execute from its stack, regardless of the system default setting. This allows a restrictive system default while not
preventing legitimate programs from executing code on their stack(s). Ideally this option should be set (if needed) by the program's
provider, to minimize the need for manual intervention by whoever installs the program.
An alternate method is setting the kernel tunable parameter, to set a system-wide default for whether stacks are executable. Setting the
parameter to 1 (one) with (see sam(1M)) tells the HP-UX kernel to allow programs to execute on the program stack(s). Use this setting if
compatibility with older releases is more important than security. Setting the parameter to 0 (zero), the recommended setting, is
appropriate if security is more important than compatibility. This setting significantly improves system security with minimal, if any,
negative effects on legitimate applications.
Combinations of these settings may be appropriate for many applications. For example, after setting to 0, you may find that one or two
critical applications no longer work because they have a legitimate need to execute from their stack(s). Programs such as simulators or
interpreters that use self-modifying code are examples you might encounter. To obtain the security benefits of a restrictive system
default while still letting these specific applications run correctly, set to 0, and run on the specific binaries that need to execute code
from their stack(s). These binaries can be easily identified when they are executed, because they will print error messages referring to
this manual page.
The possible settings for are as follows:
A setting of 0 (the default value) causes stacks to be non-executable
and is strongly preferred from a security perspective.
A setting of 1
causes all program stacks to be executable, and is safest from a compatibility perspective but is the least secure setting for
this parameter.
A setting of 2
is equivalent to a setting of 0, except that it gives non-fatal warnings instead of terminating a process that is trying to
execute from its stack. Using this setting is helpful for users to gain confidence that using a value of 0 will not hurt their
legitimate applications. Again, there is less security protection.
The table below summarizes the results from using the possible combinations of and when executing from the program's stack. Running relies
solely on the setting of the kernel tunable parameter when deciding whether or not to grant execute permission for stacks and is equivalent
to not having run on the binary.
chatr +es                     executable_stack   Action
---------------------------------------------------------------------------------------------
enable                        1                  program runs normally
disable or chatr is not run   1                  program runs normally
---------------------------------------------------------------------------------------------
enable                        0                  program runs normally
disable or chatr is not run   0                  program is killed
---------------------------------------------------------------------------------------------
enable                        2                  program runs normally
disable or chatr is not run   2                  program runs normally with warning displayed
RETURN VALUE
returns zero on success. If the command line contents are syntactically incorrect, or one or more of the specified files cannot be acted
upon, returns information about the files whose attributes could not be modified. If no files are specified, returns decimal 255.
Illegal options
If you use an illegal option, returns the number of non-option words present after the first illegal option. The following example returns
4:
Invalid arguments
If you use an invalid argument with a valid option and you do not specify a file name, returns 0, as in this example:
If you specify a file name (regardless of whether or not the file exists), returns the number of files specified. The following example
returns 3:
Invalid files
If the command cannot act on any of the files given, it returns the total number of files specified (if some option is specified).
Otherwise it returns the number of files upon which it could not act. If does not have read/write permission, the first of the following
examples returns 4 and the second returns 1:
EXTERNAL INFLUENCES
Environment Variables
The following internationalization variables affect the execution of
Determines the locale category for native language, local customs and
coded character set in the absence of and other environment variables. If is not specified or is set to the empty
string, a default of (see lang(5)) is used instead of
Determines the values for all locale categories and has precedence over
and other environment variables.
Determines the locale category for character handling functions.
Determines the locale that should be used to affect the format
and contents of diagnostic messages written to standard error.
Determines the locale category for numeric formatting.
Determines the location of message catalogues for the processing
of
If any internationalization variable contains an invalid setting, behaves as if all internationalization variables are set to See
environ(5).
In addition, the following environment variable affects
Specifies a directory
for temporary files (see tmpnam(3S)).
EXAMPLES
Change to demand-loaded
Change binding mode of program file that uses shared libraries to immediate and nonfatal. Also enable usage of environment variable:
Disallow run-time path lookup for the shared library that the shared library depends on:
Given segment index number 5 from a previous run of change the page size to 4 kilobytes:
To set the modify bit of a specific segment, first find the index or address number of the segment.
chatr a.out
a.out:
32-bit ELF executable
shared library dynamic path search:
LD_LIBRARY_PATH enabled first
SHLIB_PATH enabled second
embedded path enabled third /CLO/TAHOE_BE/usr/lib/hpux32
shared library list:
libsin.so
libc.so.1
shared library binding:
deferred
global hash table enabled
global hash table size 100
shared library mapped private disabled
shared vtable support disabled
segments:
index type address flags size
5 text 04000000 ----c D (default)
6 data 40000000 ---m- L (largest possible)
executable from stack: D (default)
kernel assisted branch prediction enabled
lazy swap allocation for dynamic segments disabled
For Format 2, for a text segment, use the following:
or
For Format 1, use the following:
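A chatr listing like the one shown above can be processed mechanically when auditing many binaries. The following Python script is an added example, not part of chatr or HP-UX: it parses a constructed listing modelled on the one above and applies the chatr +es / executable_stack table from the "Restricting Execute Permission on Stacks" section to report what the kernel would do if the binary executed from its stack, and whether the binary carries a per-binary +es exception to confirm with its owner. It assumes chatr prints the per-binary setting as "executable from stack: enabled" or "disabled" once +es has been applied (only the "D (default)" form appears on this page).

```python
import re

# Constructed sample listing, modelled on the "chatr a.out" output shown above
# (hypothetical binary; not output captured from a real HP-UX system).
SAMPLE_LISTING = """\
a.out:
         32-bit ELF executable
         global hash table enabled
         segments:
             index type     address   flags size
                 5 text     04000000  ----c D (default)
                 6 data     40000000  ---m- L (largest possible)
         executable from stack: D (default)
         kernel assisted branch prediction enabled
"""

SEG_RE = re.compile(r"^(\d+)\s+(text|data)\s+([0-9a-f]+)\s+(\S+)\s+(\S.*)$", re.I)
ONOFF_RE = re.compile(r"^(.*?)\s+(enabled|disabled)$")

def parse_chatr(listing):
    """Parse a chatr listing: on/off lines become booleans, segment rows become dicts."""
    info = {"segments": []}
    for raw in listing.splitlines():
        line = raw.strip()
        seg = SEG_RE.match(line)
        if seg:
            info["segments"].append({"index": int(seg.group(1)), "type": seg.group(2),
                                     "address": int(seg.group(3), 16),
                                     "flags": seg.group(4), "page_size": seg.group(5)})
            continue
        m = re.match(r"^executable from stack:\s*(\S+)", line)
        if m:   # 'D' (chatr +es never run), or the assumed 'enabled' / 'disabled' forms
            info["executable_from_stack"] = m.group(1)
            continue
        m = ONOFF_RE.match(line)
        if m:
            info[m.group(1)] = (m.group(2) == "enabled")
    return info

def stack_exec_action(es_setting, executable_stack):
    """chatr +es / executable_stack table from this page; es_setting is 'enabled',
    'disabled' or 'D' (chatr +es never run, so the kernel tunable alone decides)."""
    if es_setting == "enabled":
        return "program runs normally"
    if executable_stack not in (0, 1, 2):
        raise ValueError("executable_stack must be 0, 1 or 2")
    return {1: "program runs normally", 0: "program is killed",
            2: "program runs normally with warning displayed"}[executable_stack]

def audit(listing, executable_stack):
    """Defender's view of one binary: kernel action on stack execution, and whether
    it carries a per-binary +es exception that should be confirmed with its owner."""
    info = parse_chatr(listing)
    es = info.get("executable_from_stack", "D")
    return {"es": es, "action": stack_exec_action(es, executable_stack),
            "needs_review": es == "enabled" and executable_stack == 0}
```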
WARNINGS
This release of the command no longer supports the following options:
o
o
o
o
o
o
o
o
AUTHOR
was developed by HP.
SEE ALSO
System Tools
ld(1) invoke the link editor
dld.so(5) dynamic loader
Miscellaneous
a.out(4) assembler, compiler, and linker output
magic(4) magic number for HP-UX implementations
sam(1M) system administration manager
executable_stack(5) controls whether program stacks are executable by default
Texts and Tutorials
(See the option)
(See manuals(5) for ordering information)
Integrity Systems Only chatr_ia(1)