Displays and sets Stack Execution Disable flag of the system or executable files.
sedmgr [-m {off | all | select | setidfiles}] [-o {on | off}] [-c {system | request | exempt} {file_name | file_group}] [-d {file_name | directory_name}] [-h]
The sedmgr command is the manager of the Stack Execution Disable (SED) facility. You can use the command to enable and control the level of stack execution done in the system. This command can also be used to set the various flags in an executable file, controlling the stack execution disable. Any changes to the system wide mode setting will take effect only after a system reboot.
The system wide setting can only be modified by the root user. Other set and reset options on individual executable files will be successful only if the user has write permissions to the file. The SED facility is available only in the AIX® 64 bit kernel operating systems.
If invoked without any parameter, the sedmgr command will display the current setting in regards to the stack execution disable environment.
For more information, refer to the Stack Execution Disable Protection section in Login control in the AIX Version 7.1 Security.
Item | Description |
---|---|
-c | Sets or resets the "request" and "exempt" SED flags in the header of an executable file, or in the headers of all the executable files in a file_group. This option requires write privilege to the file, or root privilege if a file_group is specified. The possible values are: system (resets the file to the system default, so that it follows the system-wide mode); request (sets the SED request flag); exempt (sets the SED exempt flag). |
-d | Displays the SED request and exempt checking flag for executable files. The SED request and exempt flags are in the file header of an executable. If a directory is specified, then all executables under that directory and its subdirectories are displayed with their SED related flags. This flag requires read privilege to the file_name or directory_name. The -d flag cannot be used with the -m, -o and -c flags. |
-h | Displays the syntax of the sedmgr command. |
-m | Sets the system-wide stack execution disable mode if the processor supports SED. Any changes to the system-wide setting require a system reboot to take effect. This option accepts one of the following values: off (SED is turned off); all (SED is enforced for all executables except those flagged exempt); select (SED is enforced only for executables flagged request); setidfiles (SED is enforced for setuid and setgid executables and for executables flagged request, except those flagged exempt). |
-o | This option enables SED to monitor instead of terminating the processes when exceptions occur. This option allows you to evaluate whether an executable is doing any legitimate stack execution. This setting works together with the system-wide mode set using the -m option. The SED Monitoring Control flag is part of the system-wide SED settings stored in ODM. Changing this setting requires root privilege. The possible values for this flag are: on (stack execution exceptions are monitored and the process is not terminated); off (the process is terminated when an exception occurs). |
None | If no flag is specified, the sedmgr command displays the current setting in regards to the stack execution disable environment. It displays the current SED setting in the kernel var structure and the system-wide SED settings in ODM. |
Item | Description |
---|---|
file_name | Name of the executable file whose SED settings are changed. Requires write privilege. |
file_group | Group of executable files whose SED settings are changed when a file name is not specified. Requires root privilege. |
directory_name | Directory of executable files and any subdirectories of executable files whose SED checking flags are displayed with the -d flag. |
Item | Description |
---|---|
0 | The command completed successfully. |
255 | An error occurred. |
Access Control: This command should be a standard user command and have the trusted computing base attribute.
To set the system-wide SED mode to setidfiles and turn SED monitoring on (the mode change takes effect after a reboot), enter:
sedmgr -m setidfiles -o on
To mark the plans executable as exempt from SED checking, enter:
sedmgr -c exempt plans
To set the SED request flag on every executable in the TCB_files file group (requires root privilege), enter:
sedmgr -c request TCB_files
To display the SED request and exempt flags of the plans executable, enter:
sedmgr -d plans
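As an added example (not from the AIX manual), the following POSIX shell script uses sedmgr -d to audit the SED header flags of setuid and setgid executables under a directory tree and singles out those marked exempt for review, since exempt files are never enforced whatever the system-wide mode. The output line layout it parses ("<path> : <flag>") and the embedded sample lines are assumptions, not taken from the manual.

```shell
#!/bin/sh
# Added audit helper (not part of the AIX sedmgr manual). Walks a directory tree,
# runs "sedmgr -d" on each setuid/setgid executable and classifies the SED header
# flag, so that files marked "exempt" can be reviewed. ASSUMPTION: one output line
# per file of the form "<path> : <flag>"; adjust parse_sed_line if yours differs.
# parse_sed_line LINE -> flag word after the last ':' of one "sedmgr -d" line, lower-cased
parse_sed_line() {
    rest=${1##*:}             # text after the last ':' (whole line if there is none)
    set -- $rest              # unquoted on purpose: word splitting trims the blanks
    printf '%s\n' "$1" | tr 'A-Z' 'a-z'
}

# classify_flag FLAG -> review (exempt), ok (request or system) or unknown
classify_flag() {
    case "$1" in
        exempt)         echo review ;;
        request|system) echo ok ;;
        *)              echo unknown ;;
    esac
}

# count_exempt: reads "sedmgr -d" style lines on stdin, prints how many are exempt
count_exempt() {
    n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        [ "$(classify_flag "$(parse_sed_line "$line")")" != review ] || n=$((n + 1))
    done
    echo "$n"
}

# audit_setid_tree DIR: on AIX, print "<class> <flag> <path>" for each setuid/setgid file
audit_setid_tree() {
    find "${1:-/usr/bin}" -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r f; do
        line=$(sedmgr -d "$f" 2>/dev/null) || continue
        flag=$(parse_sed_line "$line")
        printf '%s\t%s\t%s\n' "$(classify_flag "$flag")" "$flag" "$f"
    done
}
# Constructed sample of "sedmgr -d" output, used when the command is not on the box
SAMPLE='/usr/bin/passwd : request
/usr/bin/su : exempt
/usr/bin/ls : system'
if command -v sedmgr >/dev/null 2>&1; then
    audit_setid_tree "$1"
else
    printf 'exempt setid files in sample: %s\n' "$(printf '%s\n' "$SAMPLE" | count_exempt)"
fi
```

Run it as root on the AIX host with the directory to audit as the only argument; review lines whose first column is "review".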
Event | Information |
---|---|
SEDMGR_Odm | System wide SED setting. |
SEDMGR_File | SED setting in an executable file header. |
See Setting up auditing in the Auditing overview section of AIX Version 7.1 Security for more details about how to properly select and group audit events, and how to configure audit event data collection.
/usr/sbin/sedmgr
Item | Description |
---|---|
/usr/bin/tcbck | Accessed in executable mode. |
/usr/bin/ldedit | Accessed in executable mode. |