Controlling stack execution protection

SUSE Linux Enterprise Server 15 SP5 LPAR mode z/VM guest KVM guest

To prevent exploits from running injected code on the stack (for example after a stack buffer overflow), the stack of a binary or shared library must be marked as not executable.

About this task

Use the execstack command to set, clear, or query the executable stack flag of ELF binaries and shared libraries (GNU_STACK). For details about execstack, see the man page.

Example

  • Set and query the executable stack flag.
    # execstack -s /usr/bin/find
    # execstack -q /usr/bin/find
    X /usr/bin/find

    The leading X at the beginning of the query output line indicates that the stack is executable.

    Hint: You can also use the readelf command to confirm that the stack can be executed.
    # readelf -a /usr/bin/find | grep GNU_STACK -A 1
    GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
    0x0000000000000000 0x0000000000000000 RWE 8

    The RWE towards the end of the output line means read/write/execute. You can obtain the readelf command as part of the binutils package. For command details, see the man page.

  • Clear and query the executable stack flag.
    # execstack -c /usr/bin/find
    # execstack -q /usr/bin/find
    - /usr/bin/find

    The leading - at the beginning of the query output line indicates that the stack is not executable.

    Hint: You can also use the readelf command to confirm that the stack cannot be executed.
    # readelf -a /usr/bin/find | grep GNU_STACK -A 1
    GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
    0x0000000000000000 0x0000000000000000 RW  8

    The RW towards the end of the output line means read/write, but not execute.
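The following script is an added example, not IBM documentation code and not part of execstack or binutils. It reads the same information that execstack -q and readelf report directly from the ELF program headers: it locates the PT_GNU_STACK entry, returns its p_flags, renders them the way readelf does (RWE or RW), and maps them to the one-character verdicts execstack -q prints (X executable, - not executable, ? no GNU_STACK header at all; the page shows only the first two). It goes beyond the page's single s390x binary by handling ELF32 and ELF64 in both byte orders, which matters on IBM Z because s390x is big-endian. The ELF images it inspects are constructed in memory, so it runs without any real binary on disk; the function names and the sample images are assumptions of this example.

```python
"""Inspect the PT_GNU_STACK program header of an ELF file.

Added example for this page (not IBM's documentation code and not part of
execstack or binutils). The sample ELF images are constructed in memory:
only the headers are real, so they are not loadable programs.
"""
import struct
from typing import Optional

PT_GNU_STACK = 0x6474E551           # p_type of the GNU stack-flags header
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4    # segment permission bits (p_flags)
EM_S390, EM_386 = 22, 3             # e_machine values used by the sample images


def gnu_stack_flags(data: bytes) -> Optional[int]:
    """Return p_flags of the PT_GNU_STACK header, or None if there is none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}[ei_data]          # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 2:                        # ELFCLASS64: Elf64_Ehdr layout
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)      # e_phoff
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
        flags_off = 4                        # p_flags follows p_type in Elf64_Phdr
    elif ei_class == 1:                      # ELFCLASS32: Elf32_Ehdr layout
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)      # e_phoff
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
        flags_off = 24                       # p_flags is the 7th word of Elf32_Phdr
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(phnum):
        base = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", data, base)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", data, base + flags_off)
            return p_flags
    return None


def stack_status(data: bytes) -> str:
    """Map the header to execstack's one-character verdict: X, - or ?."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "?"          # no PT_GNU_STACK header at all
    return "X" if flags & PF_X else "-"


def readelf_style_flags(flags: Optional[int]) -> str:
    """Render p_flags the way readelf prints them (e.g. RWE or RW)."""
    if flags is None:
        return ""
    return "".join(ch for bit, ch in ((PF_R, "R"), (PF_W, "W"), (PF_X, "E")) if flags & bit)


def build_sample_elf(flags: Optional[int], elf64: bool = True, big_endian: bool = True) -> bytes:
    """Construct a minimal ELF image with (or, for flags=None, without) a
    PT_GNU_STACK header. Constructed test data, not a loadable program."""
    end = ">" if big_endian else "<"
    ident = b"\x7fELF" + bytes([2 if elf64 else 1, 2 if big_endian else 1, 1, 0, 0]) + b"\0" * 7
    phnum = 0 if flags is None else 1
    if elf64:
        ehsize, phentsize = 64, 56
        ehdr = ident + struct.pack(end + "HHIQQQIHHHHHH", 2, EM_S390, 1, 0,
                                   ehsize, 0, 0, ehsize, phentsize, phnum, 64, 0, 0)
        phdr = b"" if flags is None else struct.pack(
            end + "IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    else:
        ehsize, phentsize = 52, 32
        ehdr = ident + struct.pack(end + "HHIIIIIHHHHHH", 2, EM_386, 1, 0,
                                   ehsize, 0, 0, ehsize, phentsize, phnum, 40, 0, 0)
        phdr = b"" if flags is None else struct.pack(
            end + "IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, flags, 16)
    return ehdr + phdr


if __name__ == "__main__":
    samples = {
        "s390x image, as after execstack -s": build_sample_elf(PF_R | PF_W | PF_X),
        "s390x image, as after execstack -c": build_sample_elf(PF_R | PF_W),
        "i386 LE image, no PT_GNU_STACK":      build_sample_elf(None, elf64=False, big_endian=False),
    }
    for name, image in samples.items():
        print("%s %-4s %s" % (stack_status(image), readelf_style_flags(gnu_stack_flags(image)), name))
```

To check a real file, pass the result of open(path, "rb").read() to stack_status instead of a constructed image. The ? case is worth reporting separately in an audit: a file without any GNU_STACK header has not asked the kernel for a non-executable stack, so execstack -c (which adds the header with the flag cleared) is the fix for it as well.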