sysctl -w kernel.exec-shield=1 error: “kernel.exec-shield” is an unknown key
How do I fix this problem and make sure exec-shield buffer overflow protection security feature turned on Ubuntu Linux?
Linux kernel (or patch to kernel) provides ExecShield feature to protect against buffer overflows such as:
Random placement of the stack
Random placement of memory regions
Prevention of execution in memory that should only hold data
Handling of text buffers with care and more.
Ubuntu kernel has No Execute (NX) or Execute Disable (XD) support. This does exactly the same thing to prevent code execution on a per memory page basis. If you are using Intel processors you should see the following message when system boots:
dmesg | grep –color ‘[NX|DX]*protection’
This is the equivalent of the CentOS or SL or RHEL (Red Hat) Exec Shield kernel security feature. If you do not see the message, reboot the server and set XD/NX protection using BIOS setup.
Make sure kernel.randomize_va_space enabled
Type the following command: sysctl -w kernel.randomize_va_space=1 OR, edit the file /etc/sysctl.conf and append/modify as follows:
kernel.randomize_va_space = 1
The randomize_va_space can have any one of the following values:
0 – Do not randomize stack and vdso page.
1 – Turn on protection and randomize stack, vdso page and mmap.
2 – Turn on protection and randomize stack, vdso page and mmap + randomize brk base address.
The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.