Controlling stack execution protection
To make stack-based buffer-overflow exploits harder, mark the stack of a binary or shared library as not executable.
About this task
Use the execstack command to set, clear, or query the executable stack flag of ELF binaries and shared libraries (GNU_STACK). The execstack command is available from the prelink package. For details about execstack, see the man page.
Example
- Set and query the executable stack flag.

  # execstack -s /usr/bin/find
  # execstack -q /usr/bin/find
  X /usr/bin/find

  The leading X at the beginning of the query output line indicates that the stack is executable.

  Hint: You can also use the readelf command to confirm that the stack can be executed.

  # readelf -a /usr/bin/find | grep GNU_STACK -A 1
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RWE    8

  The RWE towards the end of the output line means read/write/execute. You can obtain the readelf command as part of the binutils package. For command details, see the man page.

- Clear and query the executable stack flag.

  # execstack -c /usr/bin/find
  # execstack -q /usr/bin/find
  - /usr/bin/find

  The leading - at the beginning of the query output line indicates that the stack is not executable.

  Hint: You can also use the readelf command to confirm that the stack cannot be executed.

  # readelf -a /usr/bin/find | grep GNU_STACK -A 1
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     8

  The RW towards the end of the output line means read/write, but not execute.
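As an added example (not part of this page, the prelink package, or binutils), the following Python script does in memory what execstack -q, -s and -c do on disk: it locates the PT_GNU_STACK program header and reads or rewrites the PF_X bit of its p_flags, for both ELF32 and ELF64 images. The minimal ELF64 image it builds is constructed test input; the function names are assumptions of this example.

```python
"""Query and toggle the PT_GNU_STACK executable flag of an ELF image, in memory."""
import struct

PT_GNU_STACK = 0x6474E551           # p_type of the GNU_STACK program header
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4    # p_flags bits: execute, write, read

def _phdr_table(data):
    """Return (phoff, phentsize, phnum, offset of p_flags inside a phdr, endianness)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big
    if data[4] == 2:                               # ELFCLASS64: p_flags follows p_type
        phoff, = struct.unpack_from(endian + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 54)
        return phoff, phentsize, phnum, 4, endian
    phoff, = struct.unpack_from(endian + "I", data, 28)   # ELFCLASS32: p_flags is field 7
    phentsize, phnum = struct.unpack_from(endian + "HH", data, 42)
    return phoff, phentsize, phnum, 24, endian

def _find_gnu_stack(data):
    """Offset of the p_flags field of the PT_GNU_STACK header (None if absent), and endianness."""
    phoff, phentsize, phnum, flags_off, endian = _phdr_table(data)
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(endian + "I", data, base)
        if p_type == PT_GNU_STACK:
            return base + flags_off, endian
    return None, endian

def query_stack(data):
    """Like `execstack -q`: 'X' executable, '-' not executable, '?' no GNU_STACK header at all."""
    off, endian = _find_gnu_stack(data)
    if off is None:
        return "?"        # no marking: the kernel default applies (historically executable on x86)
    flags, = struct.unpack_from(endian + "I", data, off)
    return "X" if flags & PF_X else "-"

def set_stack(data, executable):
    """Like `execstack -s` / `-c`: return a copy with PF_X set or cleared on GNU_STACK."""
    off, endian = _find_gnu_stack(data)
    if off is None:
        raise ValueError("no PT_GNU_STACK header to modify")
    buf = bytearray(data)
    flags, = struct.unpack_from(endian + "I", buf, off)
    flags = flags | PF_X if executable else flags & ~PF_X
    struct.pack_into(endian + "I", buf, off, flags)
    return bytes(buf)

def build_elf64(stack_flags):
    """Constructed minimal little-endian x86-64 ELF (64-byte header + one PT_GNU_STACK phdr)."""
    ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 0,
                       2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr
```

To audit a real file, pass its bytes: query_stack(open("/usr/bin/find", "rb").read()) returns the same X or - marker that execstack -q prints.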