Loading shared libraries from a setuid program - Sun Solaris

  1. #1

    Loading shared libraries from a setuid program

    I've been working my way through the "Linker and Libraries Guide", but
    I'm not finding the answer I need. A pointer, slap upside the head,
    etc would be welcome.

    Is there some reason why a program running suid root would not use the
    LD_LIBRARY_PATH to find a library?

    In the specific case I'm working on, a suid root program runs a
    shell script (not owned by root), which runs a second program (also
    not owned by root).

    The shell script has some debug output in it that says the result of
    id is:

    uid=100(nortel) gid=100(nortel) euid=0(root)

    So, the shell script is running with an effective user id of root,
    which is what I would have expected. It then runs a binary (not suid)
    owned by nortel. This binary cannot find a shared library it depends
    on. Before running the binary, the shell script runs ldd on it, and
    produces the output

    ldd ../bin/commissioningCfg =
    librwtool.so.2 => (file not found)
    libsocket.so.1 => /usr/lib/libsocket.so.1
    libnsl.so.1 => /usr/lib/libnsl.so.1
    libC.so.5 => /usr/lib/libC.so.5
    libm.so.1 => /usr/lib/libm.so.1
    libw.so.1 => /usr/lib/libw.so.1
    libc.so.1 => /usr/lib/libc.so.1
    libdl.so.1 => /usr/lib/libdl.so.1
    libmp.so.2 => /usr/lib/libmp.so.2
    /usr/platform/SUNW,Ultra-250/lib/libc_psr.so.1

    However, librwtool.so.2 is, in fact, in a directory specified by the
    LD_LIBRARY_PATH.

    If the shell script is run from the command line as nortel, with
    LD_LIBRARY_PATH set appropriately, it works fine.

    All the above holds true if the -R linker option is used to specify a
    runpath when linking, rather than using LD_LIBRARY_PATH.

    I'd appreciate a pointer in the right direction.

    Thanks

    Joe
    Joe Halpin Guest

  2. #2

    Re: Loading shared libraries from a setuid program

    Joe Halpin wrote:
    > I've been working my way through the "Linker and Libraries Guide", but
    > I'm not finding the answer I need. A pointer, slap upside the head,
    > etc would be welcome.
    >
    > Is there some reason why a program running suid root would not use the
    > LD_LIBRARY_PATH to find a library?
    It's a security hole, since the user can redefine LD_LIBRARY_PATH to point
    to an evil version of the shared library. Thus LD_LIBRARY_PATH is not used
    for setuid programs.

    Isaac Lin Guest

  3. #3

    Re: Loading shared libraries from a setuid program

    As Isaac says, it is a security hole. If running Linux there is a
    work-around (man ldconfig); some versions of Solaris have a similar
    work-around too.

    Other work-arounds, not necessarily to your liking are:

    - remove the setuid bit from the program file
    - make the program file statically linked


    Regards, John.


    John Hickin Guest

  4. #4

    Re: Loading shared libraries from a setuid program

    Isaac Lin <isaacl@nortelnetworks.com> writes:
    > Joe Halpin wrote:
    > > I've been working my way through the "Linker and Libraries Guide",
    > > but I'm not finding the answer I need. A pointer, slap upside the
    > > head, etc would be welcome.
    > >
    > > Is there some reason why a program running suid root would not use
    > > the LD_LIBRARY_PATH to find a library?
    >
    > It's a security hole, since the user can redefine LD_LIBRARY_PATH to
    > point to an evil version of the shared library. Thus LD_LIBRARY_PATH
    > is not used for setuid programs.
    Does this hold true as well when the -R linker option is used to
    record the search path into the executable? It did the same thing
    either way.

    Joe
    Joe Halpin Guest

  5. #5

    Re: Loading shared libraries from a setuid program

    Joe Halpin wrote:
    > I've been working my way through the "Linker and Libraries Guide", but
    > I'm not finding the answer I need. A pointer, slap upside the head,
    > etc would be welcome.
    >
    > Is there some reason why a program running suid root would not use the
    > LD_LIBRARY_PATH to find a library?
    Yes. It would allow anybody with authority to run the program to use
    LD_LIBRARY_PATH to supply it subverted libraries and essentially
    do anything he felt like. LD_LIBRARY_PATH is ignored for all
    setuid programs in any modern flavor of UNIX.

    Chris Mattern

    Chris Mattern Guest

  6. #6

    Re: Loading shared libraries from a setuid program

    Joe Halpin <jhalpin@nortelnetworks.com_.nospam> wrote in message news:<yxs7n0fqlzzf.fsf@nortelnetworks.com_.nospam> ...

    man crle
    option -s may be of help to you
    > I've been working my way through the "Linker and Libraries Guide", but
    > I'm not finding the answer I need. A pointer, slap upside the head,
    > etc would be welcome.
    >
    > Is there some reason why a program running suid root would not use the
    > LD_LIBRARY_PATH to find a library?
    >
    > In the specific case I'm working on, a suid root program runs a
    > shell script (not owned by root), which runs a second program (also
    > not owned by root).
    >
    > The shell script has some debug output in it that says the result of
    > id is:
    >
    > uid=100(nortel) gid=100(nortel) euid=0(root)
    >
    > So, the shell script is running with an effective user id of root,
    > which is what I would have expected. It then runs a binary (not suid)
    > owned by nortel. This binary cannot find a shared library it depends
    > on. Before running the binary, the shell script runs ldd on it, and
    > produces the output
    >
    > ldd ../bin/commissioningCfg =
    > librwtool.so.2 => (file not found)
    > libsocket.so.1 => /usr/lib/libsocket.so.1
    > libnsl.so.1 => /usr/lib/libnsl.so.1
    > libC.so.5 => /usr/lib/libC.so.5
    > libm.so.1 => /usr/lib/libm.so.1
    > libw.so.1 => /usr/lib/libw.so.1
    > libc.so.1 => /usr/lib/libc.so.1
    > libdl.so.1 => /usr/lib/libdl.so.1
    > libmp.so.2 => /usr/lib/libmp.so.2
    > /usr/platform/SUNW,Ultra-250/lib/libc_psr.so.1
    >
    > However, librwtool.so.2 is, in fact, in a directory specified by the
    > LD_LIBRARY_PATH.
    >
    > If the shell script is run from the command line as nortel, with
    > LD_LIBRARY_PATH set appropriately, it works fine.
    >
    > All the above holds true if the -R linker option is used to specify a
    > runpath when linking, rather than using LD_LIBRARY_PATH.
    >
    > I'd appreciate a pointer in the right direction.
    >
    > Thanks
    >
    > Joe
    Nial Guest

  7. #7

    Re: Loading shared libraries from a setuid program

    "John Hickin" <hickin@nortelnetworks.com> writes:
    >As Isaac says, it is a security hole. If running Linux there is a
    >work-around (man ldconfig); some versions of Solaris have a similar
    >work-around too.
    The "workaround" is crle.
    >Other work-arounds, not necessarily to your liking are:
    >- remove the setuid bit from the program file
    >- make the program file statically linked
    Neither might be options; the solution is to add the directory
    where the library is to be found to the compiled in runpath by
    specifying the -R flag when linking.

    Casper
    --
    Expressed in this posting are my opinions. They are in no way related
    to opinions held by my employer, Sun Microsystems.
    Statements on Sun products included here are not gospel and may
    be fiction rather than truth.
    Casper H.S. Dik Guest
