Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

 
Abdul Majeed Lardhi
Regular Advisor

Dennis,

I already tested "KEEPENV" positive :)

It will keep all the environment variables to the end of the execution.

Regards
Dennis Handly
Acclaimed Contributor

I suppose I should ask, does it work without privrun? (By "work" I mean not get that dld error.)
Abdul Majeed Lardhi
Regular Advisor

Yes Dennis

the owner id is 110

It works without privrun, but the purpose of RBAC is to run this application with different users.

Abdul Majeed
Dennis Handly
Acclaimed Contributor

>it work without privrun

Then it has to be the environment variables.
Did you try this exact command?
privrun env | grep LIB
Dennis Handly
Acclaimed Contributor

Ok, it still can be the dld issue:
dld.so ignores these variables for setuid programs so that may erase them before RBAC

Instead of "erase", it just ignores them.
You need to follow the directions in the dld patch:
http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=PHSS_37947
Or in HP-UX Linker and Libraries User's Guide, Running setuid Programs:
http://docs.hp.com/en/B2355-90968/creatingandusinglibraries.htm
Peter Humaj
New Member

I observe the same problem in HPUX 11.31.

I added 2 lines to cmd_priv:
/usr/d2000/d2000.exe/bin/kernel:dflt:(d2000.start,*):0/0//:dflt:dflt:dflt:KEEPENV
/usr/bin/env:dflt:(d2000.start,*):0/0//:dflt:dflt:dflt:KEEPENV

But "privrun env | grep LIB" does not show any output, although both SHLIB_PATH and LD_LIBRARY_PATH are set!

My binary (kernel) fails
$ privrun kernel
/usr/lib/hpux64/dld.so: Unable to find library 'libclntsh.so.10.1'.
Killed

but if I do (as root)
chown root kernel
chmod 4755 kernel

then running kernel (directly, as a suid binary) works ok!

Besides having set environment

$ env | grep LIB
SHLIB_PATH=/opt/u1/oracle/lib
LD_LIBRARY_PATH=/opt/u1/oracle/lib

I have library path also in /etc/dld.sl.conf (without it setuid binary didn't work).

The difference between "privrun env" and "env" is that 3 variables are missing in the output of "privrun env": HOME, SHLIB_PATH and LD_LIBRARY_PATH - in spite of the fact that the KEEPENV flag was set for env (see my cmd_priv).

Is it a bug or do I miss something?

Regards,
Peter Humaj
Dennis Handly
Acclaimed Contributor

>Peter: "privrun env | grep LIB" does not show any output, although both SHLIB_PATH and LD_LIBRARY_PATH are set!

Then privrun is broken or KEEPENV isn't working.

>I have library path also in /etc/dld.sl.conf (without it setuid binary didn't work).

Ok, I don't need to tell you about that.

>3 variables are missing: HOME, SHLIB_PATH and LD_LIBRARY_PATH - in spite of the fact that KEEPENV flag was set for env
>Is it a bug or do I miss something?

It seems like a bug. There is no need to remove HOME except it may be confusing.
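
The "env" versus "privrun env" comparison discussed above, as an added example that is not part of the thread or of HP's tooling: POSIX shell functions that list which variables disappear under privrun and which cmd_priv entries carry KEEPENV. The function names, the temporary files and the HOME value are constructed for illustration, and the script assumes the flags are the last colon-separated field, as in the cmd_priv lines quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data is constructed from the
# values quoted in the posts; on a real host capture the inputs with:
#   env > before.txt; privrun env > after.txt

# dropped_vars BEFORE AFTER: names set in BEFORE but missing from AFTER.
dropped_vars() {
    awk -F= '
        index($0, "=") < 2 || $1 !~ /^[A-Za-z_][A-Za-z0-9_]*$/ { next }
        side == "after" { seen[$1] = 1; next }
        !($1 in seen)   { print $1 }
    ' side=after "$2" side=before "$1" | sort
}

# loader_vars_dropped BEFORE AFTER: only the library search path
# variables named in the thread (SHLIB_PATH, LD_LIBRARY_PATH).
loader_vars_dropped() {
    dropped_vars "$1" "$2" |
        awk '$0 == "SHLIB_PATH" || $0 == "LD_LIBRARY_PATH"'
}

# keepenv_commands FILE: command paths whose last colon-separated field
# contains KEEPENV (assumption: flags are the final field, as in the
# cmd_priv lines quoted in the thread).
keepenv_commands() {
    awk -F: '/^[^#]/ && $NF ~ /(^|,)KEEPENV(,|$)/ { print $1 }' "$1"
}

demo() {
    tmp=${TMPDIR:-/tmp}/privrun_env.$$
    mkdir "$tmp" || return 1
    # Constructed sample input, modelled on the values in the thread.
    printf '%s\n' 'HOME=/home/user1' 'PATH=/usr/bin' \
        'SHLIB_PATH=/opt/u1/oracle/lib' \
        'LD_LIBRARY_PATH=/opt/u1/oracle/lib' > "$tmp/before"
    printf '%s\n' 'PATH=/usr/bin' > "$tmp/after"
    printf '%s\n' \
        '/usr/bin/env:dflt:(d2000.start,*):0/0//:dflt:dflt:dflt:KEEPENV' \
        > "$tmp/cmd_priv"
    echo "KEEPENV set for:";     keepenv_commands "$tmp/cmd_priv"
    echo "Dropped by privrun:";  dropped_vars "$tmp/before" "$tmp/after"
    echo "Loader vars dropped:"; loader_vars_dropped "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}

demo
```

If a command is listed by keepenv_commands and loader_vars_dropped still prints names for it, the result matches what Peter reports: the variables are missing even though KEEPENV is set.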