chatr_ia(1)chatr_ia(1)NAME
chatr_ia: chatr - change program's internal attributes on Integrity
systems
SYNOPSIS
Format 1: for files with a single text segment and a single data segment
library] mode] mode] flag]
flag] flag] flag] flag] flag] flag] size] flag] flag] library]
flag] flag] flag] flag] flag] size] size] flag] flag] flag]
flag] file ...
Format 2: for explicit specification of segments
address | index} mode] flag]
flag] flag] flag] flag] size] flag] flag] flag] flag] file ...
Remarks
This manpage describes on Integrity systems. For on PA-RISC systems,
see chatr_pa(1).
DESCRIPTION
allows you to change a program's internal attributes for 32-bit and
64-bit ELF files.
There are two syntactic forms that can be used to invoke
· allows easy manipulation of ordinary files that have only a single
text segment and a single data segment.
· allows explicit specification of the segments to be modified.
Upon completion, prints the file's old and new values to standard out‐
put unless is specified.
The and options only provide a hint for the virtual memory page size.
The actual page sizes may vary. Under certain conditions, page size
hints of may result in better performance, depending on the specific
memory requirements of the application.
The performance of some applications may benefit from static branch
prediction, others may not. The option provides a hint for using or
avoiding this feature.
The and related options provide performance enhancements through use of
global symbol table which improves searching for exported symbols. See
dld.so(5) and the for more information.
To use Format 2, first specify the segment you want to modify by
address (with the option) or index (with the option), or specify all
segments (with the option). Then use the or options to modify the seg‐
ment attributes. You can include more than one segment on the command
line as long as you specify each segment with an or option, followed by
the modifying options.
Options
Indicate that the specified shared library
is subject to run-time path lookup if directory path
lists are provided (see and
Perform its operation silently.
Enable null pointer dereference trap.
Run-time dereference of null pointers will produce a
SIGSEGV signal. (This is the complement of the option.)
Select run-time binding behavior mode of a program
using shared libraries. You must specify one of the
binding modes or See the for a description of binding
modes.
Disable null pointer dereference trap.
(This is the complement of the option.)
Control the address space model to be used by the kernel.
Possible values for mode are and The default value is
currently equivalent to In order to set the mode to any
value other than the default, the binary should have
been built with the compiler option to ensure that the
text and data segments are contiguous.
Control whether the embedded path list
stored when the program (if any) was built can be used
to locate shared libraries needed by the program. The
two flag values, and respectively enable and disable use
of the embedded path list. However, you cannot use on
an ELF file, and a warning message is issued. See the
option. You can use the option to enable the embedded
path for filter libraries.
(Format 2 only.) Enable or disable the code bit for a specified seg‐
ment.
If this is enabled, it is denoted by the flag for the
segment listing in the output.
Enable or disable the code bit for the file's data segment(s).
If this is enabled, it is denoted by the flag for the
segment listing in the output.
Enable or disable the code bit for the file's text segments(s).
If this is enabled, it is denoted by the flag for the
segment listing in the output.
Enable or disable the ability to run a program, and, after it is run‐
ning,
attach to it with a debugger and set breakpoints in its
dependent shared libraries. When enabled, this allows
for mapping the text segments of shared libraries in a
private, writable region. Also, you can use this fea‐
ture on individual shared libraries, which makes the
text segment mapped private. If contains the string "",
all shared libraries are mapped private. You can also
specify a colon-separated list of shared library base
names with this option, following an equal character;
for example:
Change the dynamic optimization setting. The flag
value enables dynamic optimizations for a load module
(executable or shared library), if the run-time environ‐
ment supports this feature. The flag value prohibits
dynamic optimizations for a load module. The flag value
restores the default setting, which allows the run-time
environment to enable or disable dynamic optimizations
for a load module.
(Format 2 only.) Enable or disable lazy swap allocation for dynamically
allocated segments (such as the stack or heap).
Control the ability of user code to execute from stack with the
flag values, and See the section below for additional
information related to security issues.
Control whether the global symbol table hash mechanism is
used to look up values of symbol import/export entries.
The two flag values, and respectively enable and disable
use of the global symbol table hash mechanism. The
default is
Request a particular hash array
size using the global symbol table hash mechanism. The
value can vary between 1 and The default value is 1103.
Use this option with This option works on files liked
with the option.
Controls the preference of physical memory for the data segment.
This is only important on ccNUMA (Cache Coherent Non-
Uniform Memory Architecture) systems. The flag value
may be either enable or disable. When enabled, the data
segment will use interleaved memory. When disabled (the
default), the data segment will use cell local memory.
This behavior will be inherited across a but not an
For more information regarding ccNUMA, see pstat_getlo‐
cality(2).
Request kernel assisted branch prediction.
The flags and turn this request on and off, respec‐
tively.
Indicate that the specified shared library
is not subject to run-time path lookup if directory path
lists are provided (see and
(Format 2 only.) Enable or disable the modification bit for a specified
segment.
If this is enabled, it is denoted by the flag for the
segment listing in the output.
Enable or disable the modification bit for the file's data segment(s).
If this is enabled, it is denoted by the flag for the
segment listing in the output.
or the dynamic loader to automatically preload and also
maps shared libraries as private. The library is used
to support heap analysis through GDB.
Enable or disable the shared library segment merging features.
When enabled, all data segments of shared libraries
loaded at program startup are merged into a single
block. Data segments for each dynamically loaded
library will also be merged with the data segments of
its dependent libraries. Merging of these segments
increases run-time performance by allowing the kernel to
use larger size page table entries.
Enable or disable the modification bit for the file's text segment(s).
If this is enabled, it is denoted by the flag for the
segment listing in the output.
Enable or disable the
flag to control use of in calculating the absolute path
of the working directory. Enabling the flag instructs
the dynamic loader to calculate the absolute path of the
current working directory when the parent module (object
module, shared library, or executable) is first loaded.
The loader then uses this path for all occurrences of
The loader then uses this path for all occurrences of in
the dependent libraries.
If there are no occurrences of you should disable the
flag, to avoid calculating the absolute path. By
default, if is not present, the flag is disabled.
(Format 2 only.) Set the page size for a specified segment.
Request a particular virtual memory page size that
should be used for data. Sizes of and are supported. A
size of results in using the default page size. A size
of results in using the largest page size available.
The actual page size may vary if the requested size can‐
not be fulfilled.
Request a particular virtual memory page size that
should be used for text (instructions). See the option
for additional information.
Request static branch prediction when executing this
program. The flags and turn this request on and off,
respectively. If this is enabled, it is denoted by the
flag for the segment listing in the output.
This is an to the option.
Control whether the directory path list specified with the
and environment variable can be used to locate shared
libraries needed by the program. The two flag values,
and respectively enable and disable use of the environ‐
ment variable. If both and are used, their relative
order on the command line indicates which path list will
be searched first. See the option.
(Format 2 only.)
Specify a segment using an address for a set of
attribute modifications.
(Format 2 only.)
Use all segments in the file for a set of attribute mod‐
ifications.
(Format 2 only.)
Specify a segment using a segment index number for a set
of attribute modifications.
Enable or disable lazy swap on all data segments (using FORMAT 1) or on
a
specific segment (using 2). The flags and turn this
request on or off respectively. May not be used with
non-data segments.
Enable or disable dynamic instrumentation by
If enabled, the dynamic loader (see dld.so(5)) will
automatically invoke upon program execution to collect
profile information.
Restricting Execute Permission on Stacks
A frequent or common method of breaking into systems is by maliciously
overflowing buffers on a program's stack, such as passing unusually
long, carefully chosen command line arguments to a privileged program
that does not expect them. Malicious unprivileged users can use this
technique to trick a privileged program into starting a superuser shell
for them, or to perform similar unauthorized actions.
One simple yet highly effective way to reduce the risk from this type
of attack is to remove the execute permission from a program's stack
pages. This improves system security without sacrificing performance
and has no negative effects on the vast majority of legitimate applica‐
tions. The changes described in this section only affect the very
small number of programs that try to execute (or are tricked into exe‐
cuting) instructions located on the program's stack(s).
If the stack protection feature described in this section is enabled
for a program and that program attempts to execute code from its
stack(s), the HP-UX kernel will terminate the program with a signal,
display a message referring to this manual page section, and log an
error message to the system message log (use to view the error mes‐
sage). The message logged by the kernel is:
If you see one of these messages, check with the program's owner to
determine whether this program is legitimately executing code from its
stack. If it is, you can use one or both of the methods described
below to make the program functional again. If the program is not
legitimately executing code from its stack, you should suspect mali‐
cious activity and take appropriate action.
HP-UX provides two options to permit legitimate execution from a pro‐
gram's stack(s). Combinations of these two options help make site-spe‐
cific tradeoffs between security and compatibility.
The first method is the use of the option of and affects individual
programs. It is typically used to specify that a particular binary
must be able to execute from its stack, regardless of the system
default setting. This allows a restrictive system default while not
preventing legitimate programs from executing code on their stack(s).
Ideally this option should be set (if needed) by the program's
provider, to minimize the need for manual intervention by whomever
installs the program.
An alternate method is setting the kernel tunable parameter, to set a
system-wide default for whether stacks are executable. Setting the
parameter to 1 (one) with (see sam(1M)) tells the HP-UX kernel to allow
programs to execute on the program stack(s). Use this setting if com‐
patibility with older releases is more important than security. Set‐
ting the parameter to 0 (zero), the recommended setting, is appropri‐
ate if security is more important than compatibility. This setting
significantly improves system security with minimal, if any, negative
effects on legitimate applications.
Combinations of these settings may be appropriate for many applica‐
tions. For example, after setting to 0, you may find that one or two
critical applications no longer work because they have a legitimate
need to execute from their stack(s). Programs such as simulators or
interpreters that use self-modifying code are examples you might
encounter. To obtain the security benefits of a restrictive system
default while still letting these specific applications run correctly,
set to 0, and run on the specific binaries that need to execute code
from their stack(s). These binaries can be easily identified when they
are executed, because they will print error messages referring to this
manual page.
The possible settings for are as follows:
A setting of 0 (the default value) causes stacks to be non-exe‐
cutable
and is strongly preferred from a security perspective.
A setting of 1
causes all program stacks to be executable, and is safest
from a compatibility perspective but is the least secure
setting for this parameter.
A setting of 2
is equivalent to a setting of 0, except that it gives non-
fatal warnings instead of terminating a process that is
trying to execute from its stack. Using this setting is
helpful for users to gain confidence that using a value of
0 will not hurt their legitimate applications. Again,
there is less security protection.
The table below summarizes the results from using the possible combina‐
tions of and when executing from the program's stack. Running relies
solely on the setting of the kernel tunable parameter when deciding
whether or not to grant execute permission for stacks and is equivalent
to not having run on the binary.
chatr +es executable_stack Action
───────────────────────────────────────────────────────────────
enable 1 program runs normally
disable or 1 program runs normally
chatr is not run
───────────────────────────────────────────────────────────────
enable 0 program runs normally
disable or 0 program is killed
chatr is not run
───────────────────────────────────────────────────────────────
enable 2 program runs normally
disable or 2 program runs normally
chatr is not run with warning displayed
RETURN VALUE
returns zero on success. If the command line contents is syntactically
incorrect, or one or more of the specified files cannot be acted upon,
returns information about the files whose attributes could not be modi‐
fied. If no files are specified, returns decimal 255.
Illegal options
If you use an illegal option, returns the number of non-option words
present after the first illegal option. The following example returns
4:
Invalid arguments
If you use an invalid argument with a valid option and you do not spec‐
ify a file name, returns 0, as in this example:
If you specify a file name (regardless of whether or not the file
exists), returns the number of files specified. The following example
returns 3:
Invalid files
If the command cannot act on any of the files given, it returns the
total number of files specified (if some option is specified). Other‐
wise it returns the number of files upon which it could not act. If
does not have read/write permission, the first of the following exam‐
ples returns 4 and the second returns 1:
EXTERNAL INFLUENCES
Environment Variables
The following internationalization variables affect the execution of
Determines the locale category for native language, local customs and
coded character set in the absence of and other envi‐
ronment variables. If is not specified or is set to
the empty string, a default of (see lang(5)) is used
instead of
Determines the values for all locale categories and has precedence over
and other environment variables.
Determines the locale category for character handling functions.
Determines the locale that should be used to affect the format
and contents of diagnostic messages written to stan‐
dard error.
Determines the locale category for numeric formatting.
Determines the location of message catalogues for the processing
of
If any internationalization variable contains an invalid setting,
behaves as if all internationalization variables are set to See envi‐
ron(5).
In addition, the following environment variable affects
Specifies a directory
for temporary files (see tmpnam(3S)).
EXAMPLES
Change to demand-loaded
Change binding mode of program file that uses shared libraries to imme‐
diate and nonfatal. Also enable usage of environment variable:
Disallow run-time path lookup for the shared library that the shared
library depends on:
Given segment index number 5 from a previous run of change the page
size to 4 kilobytes:
To set the modify bit of a specific segment, first find the index or
address number of the segment.
chatr a.out
a.out:
32-bit ELF executable
shared library dynamic path search:
LD_LIBRARY_PATH enabled first
SHLIB_PATH enabled second
embedded path enabled third /CLO/TAHOE_BE/usr/lib/hpux32
shared library list:
libsin.so
libc.so.1
shared library binding:
deferred
global hash table enabled
global hash table size 100
shared library mapped private disabled
shared vtable support disabled
segments:
index type address flags size
5 text 04000000 ----c D (default)
6 data 40000000 ---m- L (largest possible)
executable from stack: D (default)
kernel assisted branch prediction enabled
lazy swap allocation for dynamic segments disabled
For Format 2, for a text segment, use the following:
or
For Format 1, use the following:
WARNINGS
This release of the command no longer supports the following options:
·
·
·
·
·
·
·
·
AUTHOR
was developed by HP.
SEE ALSO
System Tools
ld(1) invoke the link editor
dld.so(5) dynamic loader
Miscellaneous
a.out(4) assembler, compiler, and linker output
magic(4) magic number for HP-UX implementations
sam(1M) system administration manager
executable_stack(5) controls whether program stacks are executable by
default
Texts and Tutorials
(See the option)
(See manuals(5) for ordering information)
Integrity Systems Onlychatr_ia(1)