chatr_pa(1)

NAME

chatr_pa: chatr — change program's internal attributes on PA-RISC systems

SYNOPSIS

PA-RISC 32-bit SOM chatr

chatr [-nqsMN [z|Z]] [-l library] [-B mode] [+b flag] [+dbg flag] [+es flag] [+mergeseg flag] [+gst flag] [+gstbuckets size] [+gstsize size] [+k flag] [+l library] [+pd size] [+pi size] [+plabel_cache flag] [+q3p flag] [+q4p flag] [+r flag] [+s flag] [+z flag] file ...

PA-RISC 64-bit ELF chatr

There are two possible syntactic forms that can be used to invoke PA-RISC 64-bit chatr.

FORMAT 1: The first syntactic form, which is compatible with the SOM chatr, is used for backward compatibility, and for easy manipulation of ordinary files that only have a single text and a single data segment:

chatr [-nqszZ] [-l library] [-B mode] [+b flag] [+cd flag] [+ci flag] [+es flag] [+gst flag] [+gstsize size] [+k flag] [+l library] [+md flag] [+mi flag] [+pd size] [+pi size] [+s flag] [+z flag] file ...

FORMAT 2: The second syntactic form provides the ability to explicitly specify segments to be modified:

chatr [-s] [-B mode] [+c flag] [+dz flag] [+k flag] [+m flag] [+p size] [+r flag] [+s flag] [+si index | +sa address | +sall ] [+z flag] file ...

Remarks

This manpage describes chatr on PA-RISC systems. For chatr on Integrity systems, see chatr_ia(1).

DESCRIPTION

chatr allows you to change a program's internal attributes for 32-bit mode SOM and 64-bit mode ELF files.

Upon completion, chatr prints the file's old and new values to standard output unless -s is specified.

The +pd and +pi options only provide a hint for the virtual memory page size. The actual page sizes may vary. Under certain conditions, page size hints of L may result in better performance, depending on the specific memory requirements of the application.

The performance of some applications may benefit from static branch prediction, others may not. The +r option provides a hint for using or avoiding this feature.

The +gst and related options provide performance enhancements through use of global symbol table which improves searching for exported symbols. See dld.sl(5) and the HP-UX Linker and Libraries Online User Guide for more information.

Common Options For PA-RISC 32-bit SOM And PA-RISC 64-bit ELF (FORMAT 1) chatr

chatr, by default, prints each file's magic number and file attributes to the standard output.

-l library

Indicate that the specified shared library is subject to run-time path lookup if directory path lists are provided (see +s and +b).

-n

Change file from demand-loaded (DEMAND_MAGIC) to shared (SHARE_MAGIC) (Ignored in PA-RISC 64-bit FORMAT 1.)

-q

Change file from shared (SHARE_MAGIC) to demand-loaded (DEMAND_MAGIC). (Ignored in PA-RISC 64-bit FORMAT 1.)

-s

Perform its operation silently. (Available with the PA-RISC 64-bit FORMAT 2 command.)

-B mode

Select run-time binding behavior mode of a program using shared libraries. You must specify one of the major binding modes immediate or deferred. One or more of the binding modifiers nonfatal, verbose, or restricted can also be specified, each with a separate option. See the HP-UX Linker and Libraries User's Guide manual for a description of binding modes. (Available with the PA-RISC 64-bit FORMAT 2 command.)

+b flag

Control whether the embedded path list stored when the program (if any) was built can be used to locate shared libraries needed by the program. The two flag values, enable and disable, respectively enable and disable use of the embedded path list. However, you cannot use disable on an ELF (PA-RISC 64-bit) file and a warning message is issued. See the +s option. You can use the +b option to enable the embedded path for filter libraries.

+dbg flag

Controls the mapping of shared library text segments privately. The flag values, enable and disable, toggle the request on and off. When enabled, this allows for mapping the text segments of shared libraries in a private, writable region. Also, you can use this feature on individual shared libraries, which makes the text segment mapped private. If _HP_DLDOPTS contains the string "-text_private ", all shared libraries are mapped private. You can specify a colon-separated list of shared library base names with this option, following an equal (=) character; for example:

_HP_DLDOPTS="-text_private=libdebug.sl:libdld.2"

When used with +mergeseg enable, this allows text segments of shared libraries to be merged.

+es flag

Control the ability of user code to execute from stack with the flag values, enable and disable. See the Restricting Execute Permission on Stacks section below for additional information related to security issues.

+gst flag

Control whether the global symbol table hash mechanism is used to look up values of symbol import/export entries. The two flag values, enable and disable, respectively enable and disable use of the global symbol table hash mechanism. The default is disable.

+gstsize size

Request a particular hash array size using the global symbol table hash mechanism. The value can vary between 1 and MAXINT. The default value is 1103. Use this option with +gst enable.

+k flag

Request kernel assisted branch prediction. The flags enable and disable turn this request on and off, respectively. (Available with the PA-RISC 64-bit FORMAT 2 command.)

+l library

Indicate that the specified shared library is not subject to run-time path lookup if directory path lists are provided (see +s and +b).

+mergeseg flag

Controls the shared library segment merging feature. The flag values, enable and disable, toggle this request ON and OFF. See the description of shared library segment merging in the HP-UX Linker and Libraries User's Guide. When enabled, all the data segments of the shared libraries loaded at program startup are merged. This increases run-time performance by allowing the kernel to use larger size page table entries.

+pd size

Request a particular virtual memory page size that should be used for data. Sizes of 4K, 16K, 64K, 256K, 1M, 4M, 16M, 64M, 256M, and L are supported. A size of L will result in using the largest page size available. The actual page size may vary if the requested size cannot be fulfilled.

+pi size

Request a particular virtual memory page size that should be used for instructions. See the +pd option for additional information.

+r flag

Request static branch prediction when executing this program. The flags enable and disable turn this request on and off, respectively. (Available with the PA-RISC 64-bit FORMAT 2 command.)

+s flag

Control whether the directory path list specified with the SHLIB_PATH environment variable can be used to locate shared libraries needed by the program. The two flag values, enable and disable, respectively enable and disable use of the environment variable. If both +s and +b are used, their relative order on the command line indicates which path list will be searched first. See the +b option. (Available with the PA-RISC 64-bit FORMAT 2 command.)

+z

Enable lazy swap on all data segments (using PA-RISC 32-bit chatr or PA-RISC 64-bit chatr FORMAT 1) or on a specific segment (using PA-RISC 64-bit ELF chatr FORMAT 2). May not be used with non-data segments.

-z

Enable null pointer dereference trap. Run-time dereference of null pointers will produce a SIGSEGV signal. (This is the complement of the -Z option.)

-Z

Disable null pointer dereference trap. (This is the complement of the -z option.)

Options For PA-RISC 32-bit SOM chatr Only

.TP

-M Change file from EXEC_MAGIC to SHMEM_MAGIC. (This option is an interim solution until 64-bit addressability is available with a true 64-bit kernel. See chatr and Magic Numbers and Using SHMEM_MAGIC below.)

-N

Change file from SHMEM_MAGIC to EXEC_MAGIC. (This option is an interim solution until 64-bit addressability is available with a true 64-bit kernel. See chatr and Magic Numbers below.)

+gstbuckets size

Request a particular number of buckets per entry using the global symbol table hash mechanism. The value can vary between 1 and MAXINT. The default value is 3. Use this option with +gst enable.

+plabel_cache flag

Control the use of the plabel caching mechanism. The flags enable and disable turn this request on and off, respectively. The default is disable. Use this option with +gst enable.

This option is effective with C++. In C++ applications, the dynamic loader needs to repetitively access PLABEL information (import stub). In order to make this access faster, the dynamic loader uses the global symbol table structure to also contain PLABEL entries. This behavior is enabled when the PLABEL_CACHE flag is set in the dl_header structure (enabled ld +plabel_cache enable a.out or chatr +plabel_cache enable a.out).

+q3p flag

Control the flag bit setting to indicate how 32-bit processes use the third quadrant as data space.

The enable flag sets the flag bit to indicate that 32-bit processes use the third quadrant as a private data space. By setting the bit, the private data space increases from 1.9GB to 2.85GB for 32-bit processes.

The disable flag unsets the bit, which returns the third quadrant to the default state, in which it is used for shared memory.

This flag mechanism differs from how to set usage for the first and second quadrants. Set these values by using the magic number of the executable. (See the -M and -N options.)

+q4p flag

Control the flag bit setting to indicate how 32-bit processes use the third and fourth quadrant as data space.

The enable flag sets the flag bit to indicate that 32-bit processes use the fourth quadrant as a private data space. By setting the +q4p flag bit, the private data space increases from 1.9GB to 3.8GB for 32-bit processes. When you set the fourth quadrant for private data space, the third quadrant is automatically set for use as private data space, ignoring the current +q3p value.

The disable flag unsets the flag bit, which returns the fourth quadrant to the default state, in which it is used for shared memory. With +q4p disable, the value of the +q3p flag controls whether the third quadrant is used as a private data space or for shared memory.

This flag mechanism differs from how to set usage for the first and second quadrants. Set these values by using the magic number of the executable. (See the -M and -N options.)

Options For PA-RISC 64-bit ELF chatr

PA-RISC 64-bit ELF chatr is similar to SOM chatr but supports new options (and obsoletes others).

New options:

OPTIONS FOR PA-RISC 64-bit ELF chatr (FORMAT 1)

+cd: Set the code bit for the file's data segment(s).
+ci: Set the code bit for the file's text segments(s).
+md: Set the modification bit for the file's data segment(s).
+mi: Set the modification bit for the file's text segment(s).

OPTIONS FOR PA-RISC 64-bit ELF chatr (FORMAT 2)

With common options: -s, -B mode, +k flag, +r flag, +s flag, +z flag.

+c: Set the code bit for a specified segment.
+dz: Enable or disable lazy swap allocation for dynamically allocated segments (such as the stack or heap).
+m: Set the modification bit for a specified segment.
+p: Set the page size for a specified segment.
+sa: Specify a segment using an address for a set of attribute modifications.
+sall: Use all segments in the file for a set of attribute modifications.
+si: Specify a segment using a segment index number for a set of attribute modifications.

chatr and MAGIC Numbers

The term shared applies to the magic number SHARE_MAGIC while the term demand-loaded applies to the magic number DEMAND_MAGIC. See magic(4) and the HP-UX Linker and Libraries Online User Guide for more information.

chatr labels the following type of executables in output.

SHARE_MAGIC:: shared executable
DEMAND_MAGIC:: demand load executable
EXEC_MAGIC:: normal executable
SHMEM_MAGIC:: normal SHMEM_MAGIC executable

The linker produces SHARE_MAGIC executables by default.

Using SHMEM_MAGIC

SHMEM_MAGIC is an interim solution until 64-bit addressability is available with a true 64-bit kernel.

SHMEM_MAGIC will not be supported on future HP implementations of 64-bit architectures (beyond PA-RISC 2.0). Programs that need larger than 1.75 GB of shared memory on those architectures will have to be recompiled (as 64-bit executables) for those architectures.

Programs that are compiled as 64-bit executables on any 64-bit HP implementation (including PA-RISC 2.0) cannot be marked as SHMEM_MAGIC nor do they need to be as they will already have access to more than 1.75 GB of shared memory.

The additional 1 GB of shared memory that is available over other types of executables can be availed of only for system V shared memory and not other forms of shared memory (like memory mapped files).

Restricting Execute Permission on Stacks

A frequent or common method of breaking into systems is by maliciously overflowing buffers on a program's stack, such as passing unusually long, carefully chosen command line arguments to a privileged program that does not expect them. Malicious unprivileged users can use this technique to trick a privileged program into starting a superuser shell for them, or to perform similar unauthorized actions.

One simple yet highly effective way to reduce the risk from this type of attack is to remove the execute permission from a program's stack pages. This improves system security without sacrificing performance and has no negative effects on the vast majority of legitimate applications. The changes described in this section only affect the very small number of programs that try to execute (or are tricked into executing) instructions located on the program's stack(s).

If the stack protection feature described in this section is enabled for a program and that program attempts to execute code from its stack(s), the HP-UX kernel will terminate the program with a SIGKILL signal, display a message referring to this manual page section, and log an error message to the system message log (use dmesg to view the error message). The message logged by the kernel is:

WARNING: UID # may have attempted a buffer overflow attack. PID # (program_name) has been terminated. See the '+es enable' option of chatr(1).

If you see one of these messages, check with the program's owner to determine whether this program is legitimately executing code from its stack. If it is, you can use one or both of the methods described below to make the program functional again. If the program is not legitimately executing code from its stack, you should suspect malicious activity and take appropriate action.

HP-UX provides two options to permit legitimate execution from a program's stack(s). Combinations of these two options help make site-specific tradeoffs between security and compatibility.

The first method is the use of the +es option of chatr and affects individual programs. It is typically used to specify that a particular binary must be able to execute from its stack, regardless of the system default setting. This allows a restrictive system default while not preventing legitimate programs from executing code on their stack(s). Ideally this option should be set (if needed) by the program's provider, to minimize the need for manual intervention by whomever installs the program.

An alternate method is setting the kernel tunable parameter, executable_stack, to set a system-wide default for whether stacks are executable. Setting the executable_stack parameter to 1 (one) with sam (see sam(1M)) tells the HP-UX kernel not to execute protect program stack(s). This is the preferred setting if compatibility with older releases is more important than security. Setting it to a 0 (zero) is appropriate if security is more important than compatibility. This is the recommended setting, because it significantly improves system security with minimal, if any, negative effects on legitimate applications.

Combinations of these settings may be appropriate for many applications. For example, after setting executable_stack to 0, you may find that one or two critical applications no longer work because they have a legitimate need to execute from their stack(s). Programs such as simulators or interpreters that use self-modifying code are examples you might encounter. To obtain the security benefits of a restrictive system default while still letting these specific applications run correctly, set executable_stack to 0, and run chatr +es enable on the specific binaries that need to execute code from their stack(s). These binaries can be easily identified when they are executed, because they will print error messages referring to this manual page.

The possible settings for executable_stack are as follows:

executable_stack = 0 (default): A setting of 0 (the default value) causes stacks to be non-executable and is strongly preferred from a security perspective.
executable_stack = 1: A setting of 1 causes all program stacks to be executable, and is safest from a compatibility perspective but is the least secure setting for this parameter.
executable_stack = 2: A setting of 2 is equivalent to a setting of 0, except that it gives non-fatal warnings instead of terminating a process that is trying to execute from its stack. Using this setting is helpful for users to gain confidence that using a value of 0 will not hurt their legitimate applications. Again, there is less security protection.

The table below summarizes the results from using the possible combinations of chatr +es and executable_stack when executing from the program's stack. Running chatr +es disable relies solely on the setting of the executable_stack kernel tunable parameter when deciding whether or not to grant execute permission for stacks and is equivalent to not having run chatr +es on the binary.

chatr +es	executable_stack	ACTION
enable	1	program runs normally
disable or chatr is not run	1	program runs normally
enable	0	program runs normally
disable or chatr is not run	0	program is killed
enable	2	program runs normally
disable or chatr is not run	2	program runs normally
		with warning displayed

RETURN VALUE

chatr returns zero on success. If the command line contents is syntactically incorrect, or one or more of the specified files cannot be acted upon, chatr returns information about the files whose attributes could not be modified. If no files are specified, chatr returns decimal 255.

Illegal options

For PA-RISC 32-bit chatr, if you use an illegal option, chatr returns the number of words in the command line. For example,

chatr +b enable +xyz enable returns 5 (because of illegal option +xyz).
chatr +b enable +xyz enable +mno file1 file2 returns 8.

For PA-RISC 64-bit chatr, if you use an illegal option, chatr returns the number of non-option words present after the first illegal option.

chatr +b enable +xyz enable +mno enable +pqr enable file returns 4.

Invalid arguments

If you use an invalid argument with a valid option and you do not specify a file name, both PA-RISC 32-bit and 64-bit chatr return 0.

chatr +b <no argument> returns 0.

For PA-RISC 32-bit chatr, if you specify a file name (regardless of whether or not the file exists), chatr returns number of words in the command line.

chatr +b <no argument> file returns 4.

For PA-RISC 64-bit chatr, if you specify a file name (regardless of whether or not the file exists), chatr returns the number of files specified.

chatr +b <no argument> file1 file2 file3 returns 3.

Invalid files

For both PA-RISC 32-bit and 64-bit chatr, if the command cannot act on any of the files given, it returns the total number of files specified (if some option is specified). Otherwise it returns the number of files upon which it could not act.

chatr +b enable a1 a2 a3 a4 (where a2 does not have read/write permission) returns 4.
chatr a1 a2 a3 a4 returns 1.

EXTERNAL INFLUENCES

Environment Variables

The following internationalization variables affect the execution of chatr:

LANG: Determines the locale category for native language, local customs and coded character set in the absence of LC_ALL and other LC_* environment variables. If LANG is not specified or is set to the empty string, a default of C (see lang(5)) is used instead of LANG.
LC_ALL: Determines the values for all locale categories and has precedence over LANG and other LC_* environment variables.
LC_CTYPE: Determines the locale category for character handling functions.
LC_MESSAGES: Determines the locale that should be used to affect the format and contents of diagnostic messages written to standard error.
LC_NUMERIC: Determines the locale category for numeric formatting.
NLSPATH: Determines the location of message catalogues for the processing of LC_MESSAGES.

If any internationalization variable contains an invalid setting, chatr behaves as if all internationalization variables are set to C. See environ(5).

In addition, the following environment variable affects chatr:

TMPDIR: Specifies a directory for temporary files (see tmpnam(3S)).

EXAMPLES

Change a.out to demand-loaded

chatr -q a.out 

Change binding mode of program file that uses shared libraries to immediate and nonfatal. Also enable usage of SHLIB_PATH environment variable:

chatr -B immediate -B nonfatal +s enable a.out 

Disallow run-time path lookup for the shared library /usr/lib/libc.sl that the shared library libfoo.sl depends on:

chatr +l /usr/lib/libc.sl libfoo.sl 

Given segment index number 5 from a previous run of chatr, change the page size to 4 kilobytes:

chatr +si 5 +p 4K average64 

AUTHOR

chatr was developed by HP.