With no arguments, bock returns an exit status of 0 if buffer overflow attack checks are not enabled, 1 if they are enabled, and 2 in case of an error.
When a command is passed to bock (along with any arguments the command requires), the kernel checks for buffer overflow attacks in the command's execution process and all of its child processes. Specifically, the kernel detects situations in which a system call is being issued from code running in a memory area that is also used as a stack.
If URETADDR_CHECK has a value of 1, a security message is logged to /var/adm/log/osmlog if a system call is issued from a memory area previously used as a stack by the calling process. Additionally, a value of 2 will cause the offending process to be terminated after having dumped core, whenever that is possible. Use idtune(1M) or the scoadmin system tuner to change the value of URETADDR_CHECK.
The inetd invocation mode differs from the interactive mode in that argv[0] (see exec(2)) must be specified in addition to the pathname of the executable file associated with command. For instance, the CDE graphical user interface calendar manager has been the object of several CERT advisories. When CDE is installed on a system, the following two entries are added to inetd.conf(4tcp):

    100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
    dtspc stream tcp nowait root /usr/dt/bin/dtspcd dtspcd
By simply adding /bin/bock before the absolute pathname specification associated with any inetd service, one gets the benefit of some degree of protection against buffer overflow attacks. Examples are listed below:

    100068/2-5 dgram rpc/udp wait root /bin/bock /usr/dt/bin/rpc.cmsd rpc.cmsd
    dtspc stream tcp nowait root /bin/bock /usr/dt/bin/dtspcd dtspcd
    telnet stream tcp nowait root /bin/bock /usr/sbin/in.tcpd in.telnetd
    ftp stream tcp nowait root /bin/bock /usr/sbin/in.tcpd in.ftpd -a
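The rewrite described above, as an added shell example that is not part of the bock(1M) manual page: it prefixes /bin/bock to the server-program field of inetd.conf lines while passing through comments, entries already wrapped, and inetd's built-in "internal" pseudo-services, which do not exec a program and so cannot be wrapped. The sample configuration lines are constructed; the field layout assumed is the one from inetd.conf(4tcp): service, socket type, protocol, flags, user, server program, arguments.

```shell
#!/bin/sh
# Added example: wrap inetd.conf server programs with /bin/bock.
# Assumed field layout (inetd.conf(4tcp)):
#   service socket_type proto flags user server_program [args...]
# Note: awk rebuilds each modified record with single-space separators,
# which inetd accepts since fields are whitespace-delimited.

bockify() {
    awk '
        $1 ~ /^#/ || NF < 6   { print; next }   # comment, blank, or malformed line
        $6 == "internal"      { print; next }   # built-in inetd service: nothing to exec
        $6 == "/bin/bock"     { print; next }   # already wrapped
        {
            # The original pathname becomes bock'"'"'s first argument; the
            # original argv[0] and arguments stay in place after it.
            $6 = "/bin/bock " $6
            print
        }
    '
}

# Constructed sample: the two CDE entries plus two lines that must be left alone.
SAMPLE_CONF='# CDE services
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
dtspc stream tcp nowait root /usr/dt/bin/dtspcd dtspcd
echo stream tcp nowait root internal
ftp stream tcp nowait root /bin/bock /usr/sbin/in.tcpd in.ftpd -a'

# Pre-flight report: how many non-comment entries end up wrapped.
count_wrapped() {
    printf '%s\n' "$SAMPLE_CONF" | bockify | grep -c '^[^#].* /bin/bock '
}

printf '%s\n' "$SAMPLE_CONF" | bockify
```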
The performance impact will be minimal for single-threaded processes that use only the stack defined at compilation time. However, because the kernel will maintain a per-process linked list of VM segments used as stacks by all LWPs executing inside a process, heavily multithreaded applications are likely to be negatively impacted from a performance standpoint.
When used with a command argument, the exit status will be that of the specified command, or 2 in case of error during a system call.