Operating System - Tru64 Unix

setuid executables linking dynamic libraries

 
Hugo Martins
Occasional Contributor


I’m having problems running setuid executables that link with dynamic libraries (of my own).
In my application I have a directory for the executables and dynamic libraries. When I try to run a setuid executable (that links with a dynamic library libxpto.so), I get the error message: Cannot load libxpto.so.
I put this directory in the LD_LIBRARY_PATH and in PATH environment variables, but I keep getting the same problem.
To work around this, I have created links for the dynamic libraries in /usr/local/lib. But this temporary solution is not desirable.
So, I would like to know what a good solution to this problem is, without creating links to the dynamic libraries in /usr/local/lib.

Example:
I have two users (scatex and ingres) belonging to group "users";
I have one binary (alarms) that links a dynamic lib (libsx.so);
[GANDALF]/scatex/MAN/sxbin> ll alarms libsx.so
-rwsr-xr-x 1 ingres users 793216 Jan 11 10:23 alarms
-rwxr-xr-x 1 scatex users 25466080 Jan 12 15:45 libsx.so
The “alarms” binary is setuid;
When I run “alarms” as user “scatex”, it can’t load dynamic library “libsx.so”, unless I create a link for
Hein van den Heuvel
Honored Contributor

Re: setuid executables linking dynamic libraries


Best I know this is a deliberate restriction to enforce security. If you allow a privved image (setuid) to be activated with a context that the end user can influence, then you may end up executing code that you do not control with that privilege.
By insisting on /usr/local/lib the system guarantees that only images (or links) put there by already privved users will be activated, putting the responsibility on that person, not trusting the end user.

Hein.
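
The restriction described in the reply, as an added example that is not part of the thread and is not the Tru64 loader's code: a simplified model of how a loader chooses its library search path, dropping LD_LIBRARY_PATH when the real and effective ids differ. The function names, the uid/gid values and the one-entry trusted list (only /usr/local/lib, the directory named in the thread) are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Directories only a privileged user can populate. /usr/local/lib is the one
   named in the thread; the list itself is an assumption for illustration. */
static const char *TRUSTED_DIRS[] = { "/usr/local/lib", NULL };

/* exec of a setuid/setgid image leaves the effective ids different from the
   real ids of the invoking user; that is the signal to distrust the caller. */
int is_secure_exec(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Build the colon-separated search path the model loader would use.
   env_path is the caller-supplied LD_LIBRARY_PATH (may be NULL).
   Returns 0 on success, -1 if out is too small. */
int build_search_path(int secure, const char *env_path, char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    /* Caller-controlled directories are honoured only for unprivileged runs. */
    if (!secure && env_path && *env_path) {
        size_t n = strlen(env_path);
        if (n + 1 > outlen) return -1;
        memcpy(out, env_path, n + 1);
        used = n;
    }
    for (int i = 0; TRUSTED_DIRS[i]; i++) {
        size_t n = strlen(TRUSTED_DIRS[i]), sep = used ? 1 : 0;
        if (used + sep + n + 1 > outlen) return -1;
        if (sep) out[used++] = ':';
        memcpy(out + used, TRUSTED_DIRS[i], n + 1);
        used += n;
    }
    return 0;
}

int main(void)
{
    char path[256];
    /* Constructed sample: scatex (uid 1001) runs alarms owned by ingres (uid 1002). */
    int secure = is_secure_exec(1001, 1002, 15, 15);
    if (build_search_path(secure, "/scatex/MAN/sxbin", path, sizeof path) == 0)
        printf("setuid run: %s\n", path);
    if (build_search_path(0, "/scatex/MAN/sxbin", path, sizeof path) == 0)
        printf("normal run: %s\n", path);
    return 0;
}
```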