PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

Abdul Majeed Lardhi
Regular Advisor

I'm in the last step to finalize RBAC, and I faced a problem in executing an application runtime program "rtsunx"

All PATHs are correct, libraries exist!!


Does RBAC use a different name for the environment LIB parameters?

(mo)hpus::/home/mo>privrun rtsunx
/usr/lib/hpux64/dld.so: Unable to find library 'libcobscreen64.so.2'.
Killed

(mo)hpus::/home/mo>env |grep LIB
SHLIB_PATH=/opt/microfocus/cobol/lib:/usr/lib/hpux64:/opt/cobol/cobdir/lib:/u01/app/oracle/product/client/lib
LIBPATH=/u01/lib:/opt/microfocus/cobol/lib:/fns/p/r/int:/fns/pd/r/int:/fns/p/r/dbora/int:/fns/pd/r/dbora/int
COBCPY=/fns/p/r/src/LIBRYUNX:/fns/pd/r/src/LIBRYUNX:/fns/p/r/src/LIBRYTRE:/fns/pd/r/src/LIBRYTRE:/fns/p/r/src/LIBRYSWI:/fns/pd/r/src/LIBRYSWI:/fns/p/r/src/LIBRYSPY:/fns/pd/r/src/LIBRYSPY:/fns/p/r/src/LIBRYMIS:/fns/pd/r/src/LIBRYMIS:/fns/p/r/src/LIBRYINV:/fns/pd/r/src/LIBRYINV:/fns/p/r/src/LIBRYGEN:/fns/pd/r/src/LIBRYGEN:/fns/p/r/src/LIBRYDCS:/fns/pd/r/src/LIBRYDCS:/fns/p/r/src/LIBRYCTA:/fns/pd/r/src/LIBRYCTA:/fns/p/r/src/LIBRYCHG:/fns/pd/r/src/LIBRYCHG:/fns/p/r/src/LIBRYBRO:/fns/pd/r/src/LIBRYBRO:/fns/p/r/src/LIBRYBOR:/fns/pd/r/src/LIBRYBOR:/fns/p/r/src/LIBRYATM:/fns/pd/r/src/LIBRYATM:
LD_LIBRARY_PATH=/opt/microfocus/cobol/lib:/fns/p/r/int:/fns/pd/r/int:/fns/p/r/dbora/int:/fns/pd/r/dbora/int

(mo)hpus::/home/mo>ll /opt/microfocus/cobol/lib|grep screen
-r-xr-xr-x 2 root root 187264 Apr 7 2004 libcobscreen.so
-r-xr-xr-x 2 root root 187264 Apr 7 2004 libcobscreen.so.2
-r-xr-xr-x 2 root root 198248 Apr 7 2004 libcobscreen64.so
-r-xr-xr-x 2 root root 198248 Apr 7 2004 libcobscreen64.so.2
-r-xr-xr-x 2 root root 186988 Apr 7 2004 libcobscreen_t.so
-r-xr-xr-x 2 root root 186988 Apr 7 2004 libcobscreen_t.so.2
-r-xr-xr-x 2 root root 198008 Apr 7 2004 libcobscreen_t64.so
-r-xr-xr-x 2 root root 198008 Apr 7 2004 libcobscreen_t64.so.2
(mo)hpus::/home/mo>

Please advise if possible

Regards
Abdul Majeed Lardhi
16 REPLIES
Dennis Handly
Acclaimed Contributor

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

You may have to read the fine print on RBAC.
sudo can be configured to ignore certain environment variables, perhaps RBAC does too.
Also, dld.so ignores these variables for setuid programs so that may erase them before RBAC and they are gone before it gets to rtsunx.

So the simplest solution is to have privrun invoke a script that sets your environment variables then invokes rtsunx.
Dennis Handly
Acclaimed Contributor

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

>ME: may erase them before RBAC and they are gone before it gets to rtsunx.

I suppose you can test these theories by:
privrun env | grep LIB
Abdul Majeed Lardhi
Regular Advisor

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

I forgot to mention that I set the flag to KEEPENV in cmdpriv RBAC database


/fnsd1/p/r/exe/rtsunx:dflt:(fns.p.rtsunx,*):110/110//:dflt:dflt:dflt:KEEPENV

Dennis Handly
Acclaimed Contributor

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

>I set the flag to KEEPENV

Have you tried my env experiment and my workaround?
Abdul Majeed Lardhi
Regular Advisor

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

Hi Dennis

First thanks for your reply

By default all users have the privilege to execute "env"

Why do I need to add "env" in RBAC?

Abdul Majeed
Abdul Majeed Lardhi
Regular Advisor

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

More information of all libraries for that program :

(mo508119)hpus67::/fns/p/r/exe>chatr rtsunx
rtsunx:
64-bit ELF executable
shared library dynamic path search:
LD_LIBRARY_PATH enabled first
SHLIB_PATH enabled second
embedded path enabled third .:/opt/microfocus/cobol/lib:/usr/lib/hpux64
shared library list:
libxcurses.so.1
libm.so.1
libcobrts64.so.2
libcobcrtn64.so.2
libcobmisc64.so.2
libunwind.so.1
libsin.so.1
libc.so.1
Dennis Handly
Acclaimed Contributor

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

>Why do I need to add "env" in RBAC?

So you can make sure the env vars tunnel through.

>More information of all libraries for that program:
libcobrts64.so.2
libcobcrtn64.so.2
libcobmisc64.so.2

This means you need to look at these to find the use of libcobscreen64.so.2.
Abdul Majeed Lardhi
Regular Advisor

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

Dennis;

Regarding the env, RBAC has a feature called "KEEPENV"

This will make the environment parameters ported to the privrun

Abdul Majeed
Dennis Handly
Acclaimed Contributor

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

>RBAC has a feature called "KEEPENV"

You have heard of the saying "Trust but verify"?
Your application obviously isn't working, now you have to figure out why. env(1) is the first step.
Abdul Majeed Lardhi
Regular Advisor

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

Dennis;

I already tested "KEEPENV" positive :)

It will keep all the environment variables to the end of the execution.

Regards
Dennis Handly
Acclaimed Contributor

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

I suppose I should ask, does it work without privrun? (By "work" I mean not get that dld error.)
Abdul Majeed Lardhi
Regular Advisor

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

Yes Dennis

the owner id is 110

It works without privrun, but the purpose of RBAC is to run this application with different users

Abdul Majeed
Dennis Handly
Acclaimed Contributor

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

>It works without privrun

Then it has to be the environment variables.
Did you try this exact command?
privrun env | grep LIB
Dennis Handly
Acclaimed Contributor

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

Ok, it still can be the dld issue:
dld.so ignores these variables for setuid programs so that may erase them before RBAC

Instead of "erase", it just ignores them.
You need to follow the directions in the dld patch:
http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=PHSS_37947
Or in HP-UX Linker and Libraries User's Guide, Running setuid Programs:
http://docs.hp.com/en/B2355-90968/creatingandusinglibraries.htm
Peter Humaj
Occasional Visitor

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

I observe the same problem in HPUX 11.31.

I added 2 lines to cmd_priv:
/usr/d2000/d2000.exe/bin/kernel:dflt:(d2000.start,*):0/0//:dflt:dflt:dflt:KEEPENV
/usr/bin/env:dflt:(d2000.start,*):0/0//:dflt:dflt:dflt:KEEPENV

But "privrun env | grep LIB" does not show any output, although both SHLIB_PATH and LD_LIBRARY_PATH are set!

My binary (kernel) fails
$ privrun kernel
/usr/lib/hpux64/dld.so: Unable to find library 'libclntsh.so.10.1'.
Killed

but if I do (as root)
chown root kernel
chmod 4755 kernel

then running kernel (directly, as a suid binary) works ok!

Besides having set environment

$ env | grep LIB
SHLIB_PATH=/opt/u1/oracle/lib
LD_LIBRARY_PATH=/opt/u1/oracle/lib

I have library path also in /etc/dld.sl.conf (without it setuid binary didn't work).

The difference between
"privrun env" and "env" is that 3 variables are missing in the output of "privrun env" : HOME, SHLIB_PATH and LD_LIBRARY_PATH - in spite of the fact that KEEPENV flag was set for env (see my cmd_priv).

Is it a bug or do I miss something?

Regards,
Peter Humaj
Dennis Handly
Acclaimed Contributor

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

>Peter: "privrun env | grep LIB" does not show any output, although both SHLIB_PATH and LD_LIBRARY_PATH are set!

Then privrun is broken or KEEPENV isn't working.

>I have library path also in /etc/dld.sl.conf (without it setuid binary didn't work).

Ok, I don't need to tell you about that.

>3 variables are missing: HOME, SHLIB_PATH and LD_LIBRARY_PATH - in spite of the fact that KEEPENV flag was set for env
>Is it a bug or do I miss something?

It seems like a bug. There is no need to remove HOME except it may be confusing.
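
The `env` versus `privrun env` comparison used throughout this thread, written as a reusable check. This is an added example, not code from any poster; the function names are hypothetical and the sample dumps are constructed to resemble Peter Humaj's report.

```shell
#!/bin/sh
# Added example: list variables that did not survive a privilege wrapper.
# Inputs are two saved `env` dumps, one NAME=value entry per line.

# dropped_vars BASE PRIV: names set in BASE but missing from PRIV, sorted.
dropped_vars() {
    awk '
        # Split on the first "=" only; values may themselves contain "=".
        { eq = index($0, "="); name = substr($0, 1, eq - 1) }
        name !~ /^[A-Za-z_][A-Za-z0-9_]*$/ { next }   # continuation or junk line
        side == "base" { seen[name] = 1; next }
        { delete seen[name] }
        END { for (n in seen) print n }
    ' side=base "$1" side=priv "$2" | sort
}

# loader_vars_dropped BASE PRIV: print the dld search-path variables named in
# the thread that were dropped; exit status 0 only if at least one is missing.
loader_vars_dropped() {
    dropped_vars "$1" "$2" | grep -E -x 'LD_LIBRARY_PATH|SHLIB_PATH'
}

# Constructed sample data. On a real system capture the two dumps with:
#   env > user.env ; privrun env > priv.env
write_sample() {
    cat > "$1/user.env" <<'EOF'
HOME=/home/demo
PATH=/usr/bin:/usr/sbin
SHLIB_PATH=/opt/u1/oracle/lib
LD_LIBRARY_PATH=/opt/u1/oracle/lib
TERM=xterm
EOF
    cat > "$1/priv.env" <<'EOF'
PATH=/usr/bin:/usr/sbin
TERM=xterm
EOF
}

sample=$(mktemp -d) && write_sample "$sample"
echo "dropped:" $(dropped_vars "$sample/user.env" "$sample/priv.env")
loader_vars_dropped "$sample/user.env" "$sample/priv.env" >/dev/null &&
    echo "loader search variables were stripped before the target ran"
rm -rf "$sample"
```

Comparing whole dumps rather than grepping for LIB also catches unrelated variables such as HOME that disappear at the same time.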