Ask a Question related to Sun Solaris, Design and Development.
-
Joe Halpin #1
Loading shared libraries from a setuid program
I've been working my way through the "Linker and Libraries Guide", but
I'm not finding the answer I need. A pointer, slap upside the head,
etc would be welcome.
Is there some reason why a program running suid root would not use the
LD_LIBRARY_PATH to find a library?
In the specific case I'm working on, a suid root program runs a
shell script (not owned by root), which runs a second program (also
not owned by root).
The shell script has some debug output in it that says the result of
id is:
uid=100(nortel) gid=100(nortel) euid=0(root)
So, the shell script is running with an effective user id of root,
which is what I would have expected. It then runs a binary (not suid)
owned by nortel. This binary cannot find a shared library it depends
on. Before running the binary, the shell script runs ldd on it, and
produces the output
ldd ../bin/commissioningCfg =
librwtool.so.2 => (file not found)
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libC.so.5 => /usr/lib/libC.so.5
libm.so.1 => /usr/lib/libm.so.1
libw.so.1 => /usr/lib/libw.so.1
libc.so.1 => /usr/lib/libc.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libmp.so.2 => /usr/lib/libmp.so.2
/usr/platform/SUNW,Ultra-250/lib/libc_psr.so.1
However, librwtool.so.2 is, in fact, in a directory specified by the
LD_LIBRARY_PATH.
If the shell script is run from the command line as nortel, with
LD_LIBRARY_PATH set appropriately, it works fine.
All the above holds true if the -R linker option is used to specify a
runpath when linking, rather than using LD_LIBRARY_PATH.
I'd appreciate a pointer in the right direction.
Thanks
Joe
Joe Halpin Guest
-
#8963 [Opn->Bgs]: using shared PHP libraries in safe_mode
ID: 8963 Updated by: rasmus@php.net Reported By: js at lsc dot hu -Status: Open +Status: Bogus Bug... -
Shared libraries and security/domains
Hello !! My problem is the following : A.swf is on client side. It use ./content/__library.swf as shared library. B.swf is on server side.... -
loading shared libraries
I have got a question about loading shared libraries. In a main page I load several external swfs with loadMovie. These external swfs all have... -
onSoundComplete for sounds from Shared Libraries
Hi, Does anyone know how to get "onSoundComplete" to work for sounds brought in via shared library? Here is what we have tried so far: 1.... -
About shared libraries...
Hi, Can I use 'shlb' type of shared library in Mach O application?? I have created one Carbon Shared library.I want to use this in a application... -
Isaac Lin #2 Re: Loading shared libraries from a setuid program
Joe Halpin wrote:
It's a security hole, since the user can redefine LD_LIBRARY_PATH to point> I've been working my way through the "Linker and Libraries Guide", but
> I'm not finding the answer I need. A pointer, slap upside the head,
> etc would be welcome.
>
> Is there some reason why a program running suid root would not use the
> LD_LIBRARY_PATH to find a library?
to an evil version of the shared library. Thus LD_LIBRARY_PATH is not used
for setuid programs.
Isaac Lin Guest
-
John Hickin #3 Re: Loading shared libraries from a setuid program
As Isaac says, it is a security hole. If running Linux there is a
work-around (man ldconfig); some versions of Solaris have a similar
work-around too.
Other work-arounds, not necessarily to your liking are:
- remove the setuid bit from the program file
- make the program file statically linked
Regards, John.
John Hickin Guest
-
Joe Halpin #4 Re: Loading shared libraries from a setuid program
Isaac Lin <isaacl@nortelnetworks.com> writes:
Does this hold true as well when the -R linker option is used to> Joe Halpin wrote:>> > I've been working my way through the "Linker and Libraries Guide",
> > but I'm not finding the answer I need. A pointer, slap upside the
> > head, etc would be welcome.
> >
> > Is there some reason why a program running suid root would not use
> > the LD_LIBRARY_PATH to find a library?
> It's a security hole, since the user can redefine LD_LIBRARY_PATH to
> point to an evil version of the shared library. Thus LD_LIBRARY_PATH
> is not used for setuid programs.
record the search path into the executable? It did the same thing
either way.
Joe
Joe Halpin Guest
-
Chris Mattern #5 Re: Loading shared libraries from a setuid program
Joe Halpin wrote:
Yes. It would allow anybody with authority to run the program to use> I've been working my way through the "Linker and Libraries Guide", but
> I'm not finding the answer I need. A pointer, slap upside the head,
> etc would be welcome.
>
> Is there some reason why a program running suid root would not use the
> LD_LIBRARY_PATH to find a library?
LD_LIBRARY_PATH to supply it subverted libraries and essentially
do anything he felt like. LD_LIBRARY_PATH is ignored for all
setuid programs in any modern flavor of UNIX.
Chris Mattern
Chris Mattern Guest
-
Nial #6 Re: Loading shared libraries from a setuid program
Joe Halpin <jhalpin@nortelnetworks.com_.nospam> wrote in message news:<yxs7n0fqlzzf.fsf@nortelnetworks.com_.nospam> ...
man crle
option -s may be help to you
> I've been working my way through the "Linker and Libraries Guide", but
> I'm not finding the answer I need. A pointer, slap upside the head,
> etc would be welcome.
>
> Is there some reason why a program running suid root would not use the
> LD_LIBRARY_PATH to find a library?
>
> In the specific case I'm working on, a suid root program runs a
> shell script (not owned by root), which runs a second program (also
> not owned by root).
>
> The shell script has some debug output in it that says the result of
> id is:
>
> uid=100(nortel) gid=100(nortel) euid=0(root)
>
> So, the shell script is running with an effective user id of root,
> which is what I would have expected. It then runs a binary (not suid)
> owned by nortel. This binary cannot find a shared library it depends
> on. Before running the binary, the shell script runs ldd on it, and
> produces the output
>
> ldd ../bin/commissioningCfg =
> librwtool.so.2 => (file not found)
> libsocket.so.1 => /usr/lib/libsocket.so.1
> libnsl.so.1 => /usr/lib/libnsl.so.1
> libC.so.5 => /usr/lib/libC.so.5
> libm.so.1 => /usr/lib/libm.so.1
> libw.so.1 => /usr/lib/libw.so.1
> libc.so.1 => /usr/lib/libc.so.1
> libdl.so.1 => /usr/lib/libdl.so.1
> libmp.so.2 => /usr/lib/libmp.so.2
> /usr/platform/SUNW,Ultra-250/lib/libc_psr.so.1
>
> However, librwtool.so.2 is, in fact, in a directory specified by the
> LD_LIBRARY_PATH.
>
> If the shell script is run from the command line as nortel, with
> LD_LIBRARY_PATH set appropriately, it works fine.
>
> All the above holds true if the -R linker option is used to specify a
> runpath when linking, rather than using LD_LIBRARY_PATH.
>
> I'd appreciate a pointer in the right direction.
>
> Thanks
>
> JoeNial Guest
-
Casper H.S. Dik #7 Re: Loading shared libraries from a setuid program
"John Hickin" <hickin@nortelnetworks.com> writes:
The "workaround" is crle.>As Isaac says, it is a security hole. If running Linux there is a
>work-around (man ldconfig); some versions of Solaris have a similar
>work-around too.
>Other work-arounds, not necessarily to your liking are:Neither might be options; the solution is to add the directory>- remove the setuid bit from the program file
>- make the program file statically linked
where the library is to be found to the compiled in runpath by
specifying the -R flag when linking.
Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
Casper H.S. Dik Guest
Reply With QuoteSimilar Questions and Discussions
Posting Permissions
- You may not post new threads
- You may post replies
- You may not post attachments
- You may not edit your posts
