chatr_ia(1)

NAME

chatr_ia: chatr — change program's internal attributes on Integrity systems

SYNOPSIS

Format 1: for files with a single text segment and a single data segment

chatr [-s] [-z|Z] [-l library] [-B mode] [+as mode] [+b flag] [+cd flag] [+ci flag] [+dbg flag] [+es flag] [+gst flag] [+gstsize size] [+id flag] [+k flag] [+l library] [+md flag] [+mergeseg flag] [+mi flag] [+o flag] [+pd size] [+pi size] [+s flag] [+z flag] [+I flag] file ...

Format 2: for explicit specification of segments

chatr {+sa address | +sall | +si index} [-s] [-B mode] [+c flag] [+dz flag] [+k flag] [+m flag] [+mergeseg flag] [+p size] [+r flag] [+s flag] [+z flag] [+I flag] file ...

Remarks

This manpage describes chatr on Integrity systems. For chatr on PA-RISC systems, see chatr_pa(1).

DESCRIPTION

chatr allows you to change a program's internal attributes for 32-bit and 64-bit ELF files.

There are two syntactic forms that can be used to invoke chatr.

Format 1 allows easy manipulation of ordinary files that have only a single text segment and a single data segment.
Format 2 allows explicit specification of the segments to be modified.

Upon completion, chatr prints the file's old and new values to standard output unless -s is specified.

The +pd and +pi options only provide a hint for the virtual memory page size. The actual page sizes may vary. Under certain conditions, page size hints of L may result in better performance, depending on the specific memory requirements of the application.

The performance of some applications may benefit from static branch prediction, others may not. The +r option provides a hint for using or avoiding this feature.

The +gst and related options provide performance enhancements through use of global symbol table which improves searching for exported symbols. See dld.so(5) and the HP-UX Linker and Libraries Online User Guide for more information.

To use Format 2, first specify the segment you want to modify by address (with the +sa option) or index (with the +si option), or specify all segments (with the +sall option). Then use the +c, +m, +r, +s, or +z options to modify the segment attributes. You can include more than one segment on the command line as long as you specify each segment with an +sa address or +si index option, followed by the modifying options.

Options

-l library

Indicate that the specified shared library is subject to run-time path lookup if directory path lists are provided (see +s and +b).

-s

Perform its operation silently.

-z

Enable null pointer dereference trap. Run-time dereference of null pointers will produce a SIGSEGV signal. (This is the complement of the -Z option.)

-B mode

Select run-time binding behavior mode of a program using shared libraries. You must specify one of the binding modes immediate or deferred. See the HP-UX Linker and Libraries User's Guide for a description of binding modes.

-Z

Disable null pointer dereference trap. (This is the complement of the -z option.)

+as mode

Control the address space model to be used by the kernel. Possible values for mode are default, share_magic, exec_magic, shmem_magic, and mpas. The default value is currently equivalent to share_magic. In order to set the mode to any value other than the default, the binary should have been built with the -N compiler option to ensure that the text and data segments are contiguous.

+b flag

Control whether the embedded path list stored when the program (if any) was built can be used to locate shared libraries needed by the program. The two flag values, enable and disable, respectively enable and disable use of the embedded path list. However, you cannot use disable on an ELF file, and a warning message is issued. See the +s option. You can use the +b option to enable the embedded path for filter libraries.

+c flag

(Format 2 only.) Enable or disable the code bit for a specified segment. If this is enabled, it is denoted by the c flag for the segment listing in the chatr output.

+cd flag

Enable or disable the code bit for the file's data segment(s). If this is enabled, it is denoted by the c flag for the segment listing in the chatr output.

+ci flag

Enable or disable the code bit for the file's text segments(s). If this is enabled, it is denoted by the c flag for the segment listing in the chatr output.

+dbg flag

Enable or disable the ability to run a program, and, after it is running, attach to it with a debugger and set breakpoints in its dependent shared libraries. When enabled, this allows for mapping the text segments of shared libraries in a private, writable region. Also, you can use this feature on individual shared libraries, which makes the text segment mapped private. If _HP_DLDOPTS contains the string "-text_private ", all shared libraries are mapped private. You can also specify a colon-separated list of shared library base names with this option, following an equal (=) character; for example:

_HP_DLDOPTS="-text_private=libdebug.sl:libdld.2"

+dz flag

(Format 2 only.) Enable or disable lazy swap allocation for dynamically allocated segments (such as the stack or heap).

+es flag

Control the ability of user code to execute from stack with the flag values, enable and disable. See the Restricting Execute Permission on Stacks section below for additional information related to security issues.

+gst flag

Control whether the global symbol table hash mechanism is used to look up values of symbol import/export entries. The two flag values, enable and disable, respectively enable and disable use of the global symbol table hash mechanism. The default is disable.

+gstsize size

Request a particular hash array size using the global symbol table hash mechanism. The value can vary between 1 and MAXINT. The default value is 1103. Use this option with +gst enable. This option works on files liked with the +gst option.

+id flag

Controls the preference of physical memory for the data segment. This is only important on ccNUMA (Cache Coherent Non-Uniform Memory Architecture) systems. The flag value may be either enable or disable. When enabled, the data segment will use interleaved memory. When disabled (the default), the data segment will use cell local memory. This behavior will be inherited across a fork(), but not an exec().

For more information regarding ccNUMA, see pstat_getlocality(2).

+k flag

Request kernel assisted branch prediction. The flags enable and disable turn this request on and off, respectively.

+l library

Indicate that the specified shared library is not subject to run-time path lookup if directory path lists are provided (see +s and +b).

+m flag

(Format 2 only.) Enable or disable the modification bit for a specified segment. If this is enabled, it is denoted by the m flag for the segment listing in the chatr output.

+md flag

Enable or disable the modification bit for the file's data segment(s). If this is enabled, it is denoted by the m flag for the segment listing in the chatr output.

+mergeseg flag

Enable or disable the shared library segment merging features. When enabled, all data segments of shared libraries loaded at program startup are merged into a single block. Data segments for each dynamically loaded library will also be merged with the data segments of its dependent libraries. Merging of these segments increases run-time performance by allowing the kernel to use larger size page table entries.

+mi flag

Enable or disable the modification bit for the file's text segment(s). If this is enabled, it is denoted by the m flag for the segment listing in the chatr output.

+o flag

Enable or disable the DF_ORIGIN flag to control use of $ORIGIN in calculating the absolute path of the working directory. Enabling the flag instructs the dynamic loader to calculate the absolute path of the current working directory when the parent module (object module, shared library, or executable) is first loaded. The loader then uses this path for all occurrences of $ORIGIN. The loader then uses this path for all occurrences of $ORIGIN in the dependent libraries.

If there are no occurrences of $ORIGIN, you should disable the DF_ORIGIN flag, to avoid calculating the absolute path. By default, if $ORIGIN is not present, the DF_ORIGIN flag is disabled.

+p size

(Format 2 only.) Set the page size for a specified segment.

+pd size

Request a particular virtual memory page size that should be used for data. Sizes of 4K, 16K, 64K, 256K, 1M, 4M, 16M, 64M, 256M, 1G, 4G, D, and L are supported. A size of D results in using the default page size. A size of L results in using the largest page size available. The actual page size may vary if the requested size cannot be fulfilled.

+pi size

Request a particular virtual memory page size that should be used for text (instructions). See the +pd option for additional information.

+r flag

Request static branch prediction when executing this program. The flags enable and disable turn this request on and off, respectively. If this is enabled, it is denoted by the r flag for the segment listing in the chatr output.

+s flag

Control whether the directory path list specified with the LD_LIBRARY_PATH and SHLIB_PATH environment variable can be used to locate shared libraries needed by the program. The two flag values, enable and disable, respectively enable and disable use of the environment variable. If both +s and +b are used, their relative order on the command line indicates which path list will be searched first. See the +b option.

+sa address

(Format 2 only.) Specify a segment using an address for a set of attribute modifications.

+sall

(Format 2 only.) Use all segments in the file for a set of attribute modifications.

+si index

(Format 2 only.) Specify a segment using a segment index number for a set of attribute modifications.

+z flag

Enable or disable lazy swap on all data segments (using FORMAT 1) or on a specific segment (using 2). The flags enable and disable turn this request on or off respectively. May not be used with non-data segments.

+I flag

Enable or disable dynamic instrumentation by /opt/langtools/bin/caliper. If enabled, the dynamic loader (see dld.so(5)) will automatically invoke caliper upon program execution to collect profile information.

Restricting Execute Permission on Stacks

A frequent or common method of breaking into systems is by maliciously overflowing buffers on a program's stack, such as passing unusually long, carefully chosen command line arguments to a privileged program that does not expect them. Malicious unprivileged users can use this technique to trick a privileged program into starting a superuser shell for them, or to perform similar unauthorized actions.

One simple yet highly effective way to reduce the risk from this type of attack is to remove the execute permission from a program's stack pages. This improves system security without sacrificing performance and has no negative effects on the vast majority of legitimate applications. The changes described in this section only affect the very small number of programs that try to execute (or are tricked into executing) instructions located on the program's stack(s).

If the stack protection feature described in this section is enabled for a program and that program attempts to execute code from its stack(s), the HP-UX kernel will terminate the program with a SIGKILL signal, display a message referring to this manual page section, and log an error message to the system message log (use dmesg to view the error message). The message logged by the kernel is:

WARNING: UID # may have attempted a buffer overflow attack. PID # (program_name) has been terminated. See the '+es enable' option of chatr(1).

If you see one of these messages, check with the program's owner to determine whether this program is legitimately executing code from its stack. If it is, you can use one or both of the methods described below to make the program functional again. If the program is not legitimately executing code from its stack, you should suspect malicious activity and take appropriate action.

HP-UX provides two options to permit legitimate execution from a program's stack(s). Combinations of these two options help make site-specific tradeoffs between security and compatibility.

The first method is the use of the +es option of chatr and affects individual programs. It is typically used to specify that a particular binary must be able to execute from its stack, regardless of the system default setting. This allows a restrictive system default while not preventing legitimate programs from executing code on their stack(s). Ideally this option should be set (if needed) by the program's provider, to minimize the need for manual intervention by whomever installs the program.

An alternate method is setting the kernel tunable parameter, executable_stack, to set a system-wide default for whether stacks are executable. Setting the executable_stack parameter to 1 (one) with sam (see sam(1M)) tells the HP-UX kernel to allow programs to execute on the program stack(s). Use this setting if compatibility with older releases is more important than security. Setting the executable_stack parameter to 0 (zero), the recommended setting, is appropriate if security is more important than compatibility. This setting significantly improves system security with minimal, if any, negative effects on legitimate applications.

Combinations of these settings may be appropriate for many applications. For example, after setting executable_stack to 0, you may find that one or two critical applications no longer work because they have a legitimate need to execute from their stack(s). Programs such as simulators or interpreters that use self-modifying code are examples you might encounter. To obtain the security benefits of a restrictive system default while still letting these specific applications run correctly, set executable_stack to 0, and run chatr +es enable on the specific binaries that need to execute code from their stack(s). These binaries can be easily identified when they are executed, because they will print error messages referring to this manual page.

The possible settings for executable_stack are as follows:

executable_stack = 0 (default): A setting of 0 (the default value) causes stacks to be non-executable and is strongly preferred from a security perspective.
executable_stack = 1: A setting of 1 causes all program stacks to be executable, and is safest from a compatibility perspective but is the least secure setting for this parameter.
executable_stack = 2: A setting of 2 is equivalent to a setting of 0, except that it gives non-fatal warnings instead of terminating a process that is trying to execute from its stack. Using this setting is helpful for users to gain confidence that using a value of 0 will not hurt their legitimate applications. Again, there is less security protection.

The table below summarizes the results from using the possible combinations of chatr +es and executable_stack when executing from the program's stack. Running chatr +es disable relies solely on the setting of the executable_stack kernel tunable parameter when deciding whether or not to grant execute permission for stacks and is equivalent to not having run chatr +es on the binary.

`chatr +es`	`executable_stack`	`Action`
enable	1	program runs normally
disable or	1	program runs normally
`chatr` is not run
enable	0	program runs normally
disable or	0	program is killed
`chatr` is not run
enable	2	program runs normally
disable or	2	program runs normally
`chatr` is not run		with warning displayed

RETURN VALUE

chatr returns zero on success. If the command line contents is syntactically incorrect, or one or more of the specified files cannot be acted upon, chatr returns information about the files whose attributes could not be modified. If no files are specified, chatr returns decimal 255.

Illegal options

If you use an illegal option, chatr returns the number of non-option words present after the first illegal option. The following example returns 4:

chatr +b enable +xyz enable +mno enable +pqr enable file 

Invalid arguments

If you use an invalid argument with a valid option and you do not specify a file name, chatr returns 0, as in this example:

chatr +b <no argument>

If you specify a file name (regardless of whether or not the file exists), chatr returns the number of files specified. The following example returns 3:

chatr <no argument> file1 file2 file3

Invalid files

If the command cannot act on any of the files given, it returns the total number of files specified (if some option is specified). Otherwise it returns the number of files upon which it could not act. If a2 does not have read/write permission, the first of the following examples returns 4 and the second returns 1:

chatr +b enable a1 a2 a3 a4 
chatr a1 a2 a3 a4 

EXTERNAL INFLUENCES

Environment Variables

The following internationalization variables affect the execution of chatr:

LANG: Determines the locale category for native language, local customs and coded character set in the absence of LC_ALL and other LC_* environment variables. If LANG is not specified or is set to the empty string, a default of C (see lang(5)) is used instead of LANG.
LC_ALL: Determines the values for all locale categories and has precedence over LANG and other LC_* environment variables.
LC_CTYPE: Determines the locale category for character handling functions.
LC_MESSAGES: Determines the locale that should be used to affect the format and contents of diagnostic messages written to standard error.
LC_NUMERIC: Determines the locale category for numeric formatting.
NLSPATH: Determines the location of message catalogues for the processing of LC_MESSAGES.

If any internationalization variable contains an invalid setting, chatr behaves as if all internationalization variables are set to C. See environ(5).

In addition, the following environment variable affects chatr:

TMPDIR: Specifies a directory for temporary files (see tmpnam(3S)).

EXAMPLES

Change a.out to demand-loaded

chatr -q a.out 

Change binding mode of program file that uses shared libraries to immediate and nonfatal. Also enable usage of SHLIB_PATH environment variable:

chatr -B immediate -B nonfatal +s enable a.out 

Disallow run-time path lookup for the shared library /usr/lib/libc.sl that the shared library libfoo.sl depends on:

chatr +l /usr/lib/libc.sl libfoo.sl 

Given segment index number 5 from a previous run of chatr, change the page size to 4 kilobytes:

chatr +si 5 +p 4K average64 

To set the modify bit of a specific segment, first find the index or address number of the segment.

chatr a.out

a.out:
   32-bit ELF executable
   shared library dynamic path search:
       LD_LIBRARY_PATH    enabled  first
       SHLIB_PATH         enabled  second
       embedded path      enabled  third  /CLO/TAHOE_BE/usr/lib/hpux32
   shared library list:
       libsin.so
       libc.so.1
   shared library binding:
       deferred
   global hash table enabled
   global hash table size 100
   shared library mapped private disabled
   shared vtable support disabled
   segments:
       index type     address      flags size
           5 text     04000000     ----c    D (default)
           6 data     40000000     ---m-    L (largest possible)
   executable from stack: D (default)
   kernel assisted branch prediction enabled
   lazy swap allocation for dynamic segments disabled

For Format 2, for a text segment, use the following:

chatr +si 5 +m enable a.out 

chatr +sa 04000000 +m enable a.out 

For Format 1, use the following:

chatr +mi enable a.out 

WARNINGS

This release of the chatr command no longer supports the following options:

-n
-q
-M
-N
+getbuckets size
+plabel_cache flag
+q3p flag
+q4p flag

AUTHOR

chatr was developed by HP.