HPE Community
Operating System - HP-UX
1838671 Members
5914 Online
110128 Solutions
New Discussion

PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

 
Abdul Majeed Lardhi
Regular Advisor

‎07-02-2008 01:42 AM

‎07-02-2008 01:42 AM

PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

I'm in the last step to finalize RBAC, I faced a problem in executing a application runtime program "rtsunx"

All PATHs are correct, libraries are exist !!



Is RBAC use different name of the Environment LIB parameters ?



(mo)hpus::/home/mo>privrun rtsunx

/usr/lib/hpux64/dld.so: Unable to find library 'libcobscreen64.so.2'.

Killed



(mo)hpus::/home/mo>env |grep LIB

SHLIB_PATH=/opt/microfocus/cobol/lib:/usr/lib/hpux64:/opt/cobol/cobdir/lib:/u01/app/oracle/product/client/lib

LIBPATH=/u01/lib:/opt/microfocus/cobol/lib:/fns/p/r/int:/fns/pd/r/int:/fns/p/r/dbora/int:/fns/pd/r/dbora/int

COBCPY=/fns/p/r/src/LIBRYUNX:/fns/pd/r/src/LIBRYUNX:/fns/p/r/src/LIBRYTRE:/fns/pd/r/src/LIBRYTRE:/fns/p/r/src/LIBRYSWI:/fns/pd/r/src/LIBRYSWI:/fns/p/r/src/LIBRYSPY:/fns/pd/r/src/LIBRYSPY:/fns/p/r/src/LIBRYMIS:/fns/pd/r/src/LIBRYMIS:/fns/p/r/src/LIBRYINV:/fns/pd/r/src/LIBRYINV:/fns/p/r/src/LIBRYGEN:/fns/pd/r/src/LIBRYGEN:/fns/p/r/src/LIBRYDCS:/fns/pd/r/src/LIBRYDCS:/fns/p/r/src/LIBRYCTA:/fns/pd/r/src/LIBRYCTA:/fns/p/r/src/LIBRYCHG:/fns/pd/r/src/LIBRYCHG:/fns/p/r/src/LIBRYBRO:/fns/pd/r/src/LIBRYBRO:/fns/p/r/src/LIBRYBOR:/fns/pd/r/src/LIBRYBOR:/fns/p/r/src/LIBRYATM:/fns/pd/r/src/LIBRYATM:

LD_LIBRARY_PATH=/opt/microfocus/cobol/lib:/fns/p/r/int:/fns/pd/r/int:/fns/p/r/dbora/int:/fns/pd/r/dbora/int



(mo)hpus::/home/mo>ll /opt/microfocus/cobol/lib|grep screen

-r-xr-xr-x 2 root root 187264 Apr 7 2004 libcobscreen.so

-r-xr-xr-x 2 root root 187264 Apr 7 2004 libcobscreen.so.2

-r-xr-xr-x 2 root root 198248 Apr 7 2004 libcobscreen64.so

-r-xr-xr-x 2 root root 198248 Apr 7 2004 libcobscreen64.so.2

-r-xr-xr-x 2 root root 186988 Apr 7 2004 libcobscreen_t.so

-r-xr-xr-x 2 root root 186988 Apr 7 2004 libcobscreen_t.so.2

-r-xr-xr-x 2 root root 198008 Apr 7 2004 libcobscreen_t64.so

-r-xr-xr-x 2 root root 198008 Apr 7 2004 libcobscreen_t64.so.2

(mo)hpus::/home/mo>

Please advise if possible

Regards
Abdul Majeed Lardhi
0 Kudos
Reply
16 REPLIES 16
Dennis Handly
Acclaimed Contributor

‎07-02-2008 01:53 AM

‎07-02-2008 01:53 AM

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

You may have to read the fine print on RBAC.
sudo can be configured to ignore certain environment variables, perhaps RBAC does too.
Also, dld.so ignores these variables for setuid programs so that may erase them before RBAC and they are gone before it gets to rtsunx.

So the simplest solution is to have privrun invoke a script that sets your environment variables then invokes rtsunx.
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎07-02-2008 01:57 AM

‎07-02-2008 01:57 AM

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

>ME: may erase them before RBAC and they are gone before it gets to rtsunx.

I suppose you can test these theories by:
privrun env | grep LIB
0 Kudos
Reply
Abdul Majeed Lardhi
Regular Advisor

‎07-02-2008 02:19 AM

‎07-02-2008 02:19 AM

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

I forgot to mention that I set the flag to KEEPENV in cmdpriv RBAC database


/fnsd1/p/r/exe/rtsunx:dflt:(fns.p.rtsunx,*):110/110//:dflt:dflt:dflt:KEEPENV

0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎07-02-2008 02:45 AM

‎07-02-2008 02:45 AM

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

>I set the flag to KEEPENV

Have you tried my env experiment and my workaround?
0 Kudos
Reply
Abdul Majeed Lardhi
Regular Advisor

‎07-02-2008 02:48 AM

‎07-02-2008 02:48 AM

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

Hi Dennis

First thanks for your reply

By defualt all user has the priviliage to execute "env"

Why I need to add "env" in RBAC ?

Abdul Majeed
0 Kudos
Reply
Abdul Majeed Lardhi
Regular Advisor

‎07-02-2008 02:57 AM

‎07-02-2008 02:57 AM

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

More information of all libraries for that program :

(mo508119)hpus67::/fns/p/r/exe>chatr rtsunx
rtsunx:
64-bit ELF executable
shared library dynamic path search:
LD_LIBRARY_PATH enabled first
SHLIB_PATH enabled second
embedded path enabled third .:/opt/microfocus/cobol/lib:/usr/lib/hpux64
shared library list:
libxcurses.so.1
libm.so.1
libcobrts64.so.2
libcobcrtn64.so.2
libcobmisc64.so.2
libunwind.so.1
libsin.so.1
libc.so.1
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎07-02-2008 03:33 AM

‎07-02-2008 03:33 AM

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

>Why I need to add "env" in RBAC?

So you can make sure the env vars tunnel through.

>More information of all libraries for that program:
libcobrts64.so.2
libcobcrtn64.so.2
libcobmisc64.so.2

This means you need to look at these to find the use of libcobscreen64.so.2.
0 Kudos
Reply
Abdul Majeed Lardhi
Regular Advisor

‎07-02-2008 03:51 AM

‎07-02-2008 03:51 AM

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

Dinnes ;

regarding the env, RBAC has feature called " KEEPENV"

this will make the enviroment paramenters ported to the privrun

Abdul Majeed
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎07-02-2008 04:10 AM

‎07-02-2008 04:10 AM

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

>RBAC has feature called "KEEPENV"

You have heard of the saying "Trust but verify"?
Your application obviously isn't working, now you have to figure out why. env(1) is the first step.
0 Kudos
Reply
Abdul Majeed Lardhi
Regular Advisor

‎07-02-2008 04:26 AM

‎07-02-2008 04:26 AM

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

Dennis ;

I already tested "KEEPENV" possitive :)

It will keep all the environement variables to the end of the execution,

Regards
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎07-02-2008 05:17 AM

‎07-02-2008 05:17 AM

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

I suppose I should ask, does it work without privrun? (By "work" I mean not get that dld error.)
0 Kudos
Reply
Abdul Majeed Lardhi
Regular Advisor

‎07-02-2008 05:24 AM

‎07-02-2008 05:24 AM

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

Yes Dennis

the owner id is 110

it work without privrun, but the purpose of RBAC to run this application with deffernet users

Abdul Majeed
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎07-02-2008 05:42 AM

‎07-02-2008 05:42 AM

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

>it work without privrun

Then is has to be the environment variables.
Did you try this exact command?
privrun env | grep LIB
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎07-02-2008 06:25 AM

‎07-02-2008 06:25 AM

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

Ok, it still can be the dld issue:
dld.so ignores these variables for setuid programs so that may erase them before RBAC

Instead of "erase", it just ignores them.
You need to follow the directions in the dld patch:
http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=PHSS_37947
Or in HP-UX Linker and Libraries User's Guide, Running setuid Programs:
http://docs.hp.com/en/B2355-90968/creatingandusinglibraries.htm
0 Kudos
Reply
Peter Humaj
New Member

‎10-28-2008 08:22 AM

‎10-28-2008 08:22 AM

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

I observe the same problem in HPUX 11.31.

I added 2 lines to cmd_priv:
/usr/d2000/d2000.exe/bin/kernel:dflt:(d2000.start,*):0/0//:dflt:dflt:dflt:KEEPENV
/usr/bin/env:dflt:(d2000.start,*):0/0//:dflt:dflt:dflt:KEEPENV

But "privrun env | grep LIB" does not show any output, although both SHLIB_PATH and LD_LIBRARY_PATH are set!

My binary (kernel) fails
$ privrun kernel
/usr/lib/hpux64/dld.so: Unable to find library 'libclntsh.so.10.1'.
Killed

but if I do (as root)
chown root kernel
chmod 4755 kernel

then running kernel (directly, as a suid binary) works ok!

Besides having set environment

$ env | grep LIB
SHLIB_PATH=/opt/u1/oracle/lib
LD_LIBRARY_PATH=/opt/u1/oracle/lib

I have library path also in /etc/dld.sl.conf (without it setuid binary didn't work).

The difference between
"privrun env" and "env" is that 3 variables are missing in the output of "privrun env" : HOME, SHLIB_PATH and LD_LIBRARY_PATH - in spite of the fact that KEEPENV flag was set for env (see my cmd_priv).

Is it a bug or do I miss something?

Regards,
Peter Humaj
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎10-28-2008 02:22 PM

‎10-28-2008 02:22 PM

Re: PROBLEM: RBAC privrun when execute an runtime program used Oracle/Cobol libraries

>Peter: "privrun env | grep LIB" does not show any output, although both SHLIB_PATH and LD_LIBRARY_PATH are set!

Then privrun is broken or KEEPENV isn't working.

>I have library path also in /etc/dld.sl.conf (without it setuid binary didn't work).

Ok, I don't need to tell you about that.

>3 variables are missing: HOME, SHLIB_PATH and LD_LIBRARY_PATH - in spite of the fact that KEEPENV flag was set for env
>Is it a bug or do I miss something?

It seems like a bug. There is no need to remove HOME except it may be confusing.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.