sedmgr Command

Purpose

Displays and sets the Stack Execution Disable (SED) flag of the system or of executable files.

Syntax

sedmgr [-m {off | all | select | setidfiles}] [-o {on | off}] [-c {system | request | exempt} {file_name | file_group}] [-d {file_name | directory_name}] [-h]

Description

The sedmgr command is the manager of the Stack Execution Disable (SED) facility. You can use the command to enable and control the level of stack execution disable enforced on the system. The command can also set the flags in an executable file's header that control stack execution disable for that file. Any change to the system-wide mode setting takes effect only after a system reboot.

The system-wide setting can only be modified by the root user. The set and reset options on individual executable files succeed only if the user has write permission to the file. The SED facility is available only on the AIX® 64-bit kernel.

If invoked without any parameter, the sedmgr command displays the current settings of the stack execution disable environment.

For more information, refer to the Stack Execution Disable Protection section in Login control in the AIX Version 7.1 Security.

Flags

Item Description
-c Sets or resets the "request" and "exempt" SED flags in the header of an executable file. Also sets or resets the SED request and exempt checking flag in the headers of all the executable files in a file_group. This option requires write privilege to the file, or root privilege if file_group is specified. The possible values are as follows:
system
If the file has the system flag in the executable's header, the operating system decides the operation for the process based on the system-wide SED flags. When the file does not specify any flags, the operating system likewise decides the operation for the process based on the system-wide SED flags.
exempt
Sets a flag in the executable's header that indicates that this file does stack/heap based execution and as a result needs exemption from the SED mechanism. The SED request checking bit is turned off.
request
Sets a flag in the executable's header that indicates that this file does not do any stack/data area based execution and as a result is SED capable. The SED exempt checking bit is turned off.
You can specify a file group that represents a group of files, such as TCB files. If the specified file name string does not identify a file, then the string is assumed to identify a file_group. Currently only the TCB_files file group is defined. You can set or reset the SED request and exempt flags for both 32-bit and 64-bit executables. The -c flag cannot be used with the -m, -o, and -d flags.
-d Displays the SED request and exempt checking flag for executable files. The SED request and exempt flags are in the file header of an executable. If a directory is specified, then all executables under that directory and its subdirectories are displayed with their SED related flags. This flag requires read privilege to the file_name or directory_name. The -d flag cannot be used with the -m, -o and -c flags.
-h Displays the syntax of the sedmgr command.
-m Sets the system-wide stack execution disable mode if the processor supports SED. Any changes to the system-wide setting require a system reboot to take effect. This option will accept one of the following values:
all
Enforces stack execution disable for all files except the ones requesting (marked for) exemption.
off
Turns off the stack execution disable functionality on the system.
select
Sets the mode of operation to select the set of processes that will be enabled and monitored for stack execution disable. Only processes from files with the "request" SED flag set in their headers will be selected.
setidfiles
Sets the mode of operation so that the operating system performs SED for the files with the "request" SED flag set and enables SED for the executable files with the following characteristics:
  • setuid files owned by root.
  • setid files with primary group as "system" or "security".
The configured SED attribute is effective at the next 64-bit kernel boot time. Because the SED attribute in ODM does not affect 32-bit kernels, the SED monitoring flag is turned off in that case. If a processor does not support SED, the sedmgr command returns an error with the -m flag. The -m flag cannot be used with the -c and -d flags.
-o This option enables SED to monitor instead of terminating the processes when exceptions occur. This option allows you to evaluate if an executable is doing any legitimate stack execution. This setting works with the system-wide mode set using the -c option. The SED Monitoring Control flag is part of the system-wide SED settings stored in ODM. Changing this setting requires root privilege. The possible values for this flag are as follows:
on
Turns on the monitoring for SED facility. When operating in this mode, the system will allow the process to continue operating even if an SED related exception occurs. Instead of terminating the process, the operating system logs the exception in the AIX error log subsystem.
off
Turns off the monitoring mode for SED facility. In this mode, the operating system terminates any process that violates and raises an exception per SED facility.
The configured SED attribute is effective at the next 64-bit kernel boot time. Because the SED attribute in ODM does not affect 32-bit kernels, the SED monitoring flag is turned off in that case. If a processor does not support SED, the sedmgr command returns an error with the -m flag. The -o flag cannot be used with the -c and -d flags.
None If no flag is specified, the sedmgr command displays the current settings of the stack execution disable environment: the current SED setting in the kernel var structure and the system-wide SED settings in ODM.
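The interaction between the system-wide mode chosen with -m and the per-file flags set with -c decides which processes SED actually covers. The following POSIX sh script is an added example; it is not part of the AIX documentation and never runs sedmgr. It encodes the documented selection rules in a function and previews them against a constructed inventory of sample files, so the impact of switching modes can be worked out before the reboot that makes a new mode effective. One assumption is mine and not stated above: in setidfiles mode an explicit "exempt" header flag still excludes a setid file.

```shell
#!/bin/sh
# Added example; not part of the AIX sedmgr documentation and it never runs
# sedmgr. It models the selection rules documented for the -m modes and the
# -c per-file flags so that the effect of a system-wide mode on a given
# executable can be worked out offline.
#
# sed_enforced MODE FILE_FLAG SETUID_ROOT SETGID_SYSSEC
#   MODE           system-wide mode: off | all | select | setidfiles
#   FILE_FLAG      flag in the executable header: system | request | exempt
#                  (a file with no flag behaves like "system")
#   SETUID_ROOT    yes if the file is setuid and owned by root, otherwise no
#   SETGID_SYSSEC  yes if the file is setid with primary group system or
#                  security, otherwise no
# Prints "enforce" or "skip"; exit status 0 means enforce, 1 means skip.
sed_enforced() {
    mode=$1
    flag=$2
    suid_root=$3
    sgid_syssec=$4
    case "$mode" in
        off)
            # SED is switched off system-wide; nothing is enforced.
            result=skip ;;
        all)
            # Every process is covered except files marked exempt.
            if [ "$flag" = exempt ]; then result=skip; else result=enforce; fi ;;
        select)
            # Only files whose header carries the "request" flag are covered.
            if [ "$flag" = request ]; then result=enforce; else result=skip; fi ;;
        setidfiles)
            # "request" files plus setuid-root files and setid files whose
            # group is system or security. Assumption (not stated in the
            # documentation): an explicit "exempt" flag still excludes a
            # setid file.
            if [ "$flag" = request ]; then
                result=enforce
            elif [ "$flag" = exempt ]; then
                result=skip
            elif [ "$suid_root" = yes ] || [ "$sgid_syssec" = yes ]; then
                result=enforce
            else
                result=skip
            fi ;;
        *)
            echo "sed_enforced: unknown mode '$mode'" >&2
            return 2 ;;
    esac
    echo "$result"
    [ "$result" = enforce ]
}

# Constructed inventory for the demonstration (these files do not exist):
# path, header flag, setuid-root, setgid-system/security.
SAMPLE_FILES='
./app_plain      system  no  no
./app_request    request no  no
./app_jit        exempt  no  no
./app_suid_root  system  yes no
./app_sgid_sys   system  no  yes
'

# Print, for each system-wide mode, whether SED would be enforced for each
# sample file. Useful for previewing the impact of "sedmgr -m <mode>".
sed_matrix() {
    for mode in off all select setidfiles; do
        echo "mode=$mode"
        echo "$SAMPLE_FILES" | while read -r path flag suid sgid; do
            [ -n "$path" ] || continue
            printf '  %-16s %-8s %s\n' "$path" "$flag" \
                "$(sed_enforced "$mode" "$flag" "$suid" "$sgid")"
        done
    done
}

sed_matrix
```

On a real system the inputs to sed_enforced come from sedmgr -d (the header flag) and from the file's mode bits and ownership; the script only replaces the reasoning step, not those lookups.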

Parameters

Item            Description
file_name       Name of the executable file whose SED settings are changed. Requires write privilege.
file_group      Group of executable files whose SED settings are changed when a file name is not specified. Requires root privilege.
directory_name  Directory of executable files and any subdirectories of executable files whose SED checking flags are displayed with the -d flag.

Exit Status

Item  Description
0     The command completed successfully.
255   An error occurred.

Security

Access Control: This command should be a standard user command and have the trusted computing base attribute.

Examples

  1. To change the system-wide SED Mode flag to setidfiles and the SED Control flag to on, type:
    sedmgr -m setidfiles -o on
  2. To change the SED checking flag to exempt for the plans file, type:
    sedmgr -c exempt plans
  3. To change the SED checking flag to select for all the executable files marked as a TCB file, type:
    sedmgr -c request TCB_files
  4. To display the SED checking flag of the plans file, type:
    sedmgr -d plans

Restrictions

Auditing Events: If the auditing subsystem has been properly configured and is enabled, the sedmgr command generates the following audit record (event):
Event         Information
SEDMGR_Odm    System-wide SED setting.
SEDMGR_File   SED setting in an executable file header.

See Setting up auditing in the Auditing overview section of AIX Version 7.1 Security for more details about how to properly select and group audit events, and how to configure audit event data collection.

Location

/usr/sbin/sedmgr

Files

Item             Description
/usr/bin/tcbck   Accessed in executable mode.
/usr/bin/ldedit  Accessed in executable mode.