[sudo-workers] NOEXEC working on AIX 5.3 ML5
Mele Giovanni
giovanni.mele at nagra.com
Wed Jan 31 02:44:14 EST 2007
Hi,
Good news for AIX users: AIX 5.3 ML5 now works with NOEXEC.
Unfortunately, IBM didn't use the LD_PRELOAD environment variable but
LDR_PRELOAD (for 32-bit apps). So, to make NOEXEC work, you have to
modify the env.c file and replace LD_PRELOAD with the appropriate value:
....
static const char *initial_badenv_table[] = {
    "IFS",
    "CDPATH",
    "LOCALDOMAIN",
    "RES_OPTIONS",
    "HOSTALIASES",
    "NLSPATH",
    "PATH_LOCALE",
#ifdef _AIX
    "LDR_*",
#else
    "LD_*",
#endif
    "_RLD*",
#ifdef __hpux
....
    /*
     * Preload a noexec file?  For a list of LD_PRELOAD-alikes, see
     * http://www.fortran-2000.com/ArnaudRecipes/sharedlib.html
     * XXX - should prepend to original value, if any
     */
    if (noexec && def_noexec_file != NULL) {
#if defined(__darwin__) || defined(__APPLE__)
        insert_env(format_env("DYLD_INSERT_LIBRARIES", def_noexec_file,
            VNULL), 1);
        insert_env(format_env("DYLD_FORCE_FLAT_NAMESPACE", VNULL), 1);
#else
# if defined(__osf__) || defined(__sgi)
        insert_env(format_env("_RLD_LIST", def_noexec_file, ":DEFAULT",
            VNULL), 1);
# else
#  ifdef _AIX
        insert_env(format_env("LDR_PRELOAD", def_noexec_file, VNULL),
            1);
#  else
        insert_env(format_env("LD_PRELOAD", def_noexec_file, VNULL), 1);
#  endif
# endif
#endif
    }
Another manual change to make is to copy .libs/sudo_noexec.so into the
libexec installation directory. The library that is copied there is
the static one, and applications won't work with it: you need the shared
version.
Regards
Giovanni
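
Added example (not part of the original message and not sudo's own code): a small C program showing why the scrub pattern in the table has to change along with the preload variable, since an "LD_*" pattern does not match LDR_PRELOAD. The abbreviated tables, the sample environment, and the helpers matches_badenv, scrub_env and survives are constructed for illustration, and the matching rule (trailing '*' is a prefix match, otherwise an exact name match) is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

/* Abbreviated tables (constructed); only the loader pattern differs. */
static const char *const badenv_aix[]   = { "IFS", "CDPATH", "LDR_*", "_RLD*", NULL };
static const char *const badenv_other[] = { "IFS", "CDPATH", "LD_*",  "_RLD*", NULL };

/* 1 if "NAME=value" matches a table entry; a trailing '*' is a prefix match. */
static int matches_badenv(const char *entry, const char *const *table)
{
    for (; *table != NULL; table++) {
        size_t len = strlen(*table);
        int wild = len > 0 && (*table)[len - 1] == '*';
        if (wild)
            len--;
        if (strncmp(entry, *table, len) == 0 && (wild || entry[len] == '='))
            return 1;
    }
    return 0;
}

/* Compact envp in place, dropping listed entries; returns the count kept. */
static size_t scrub_env(const char **envp, const char *const *table)
{
    size_t kept = 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        if (!matches_badenv(envp[i], table))
            envp[kept++] = envp[i];
    envp[kept] = NULL;
    return kept;
}

/* Scrub a constructed caller environment; 1 if `name` is still set after. */
static int survives(const char *const *table, const char *name)
{
    const char *env[] = { "PATH=/usr/bin", "IFS=x", "IFSX=1",
        "LD_PRELOAD=/tmp/a.so", "LDR_PRELOAD=/tmp/a.so", NULL };
    size_t n = scrub_env(env, table), len = strlen(name);
    for (size_t i = 0; i < n; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return 1;
    return 0;
}

int main(void)
{
    printf("LD_* table:  LDR_PRELOAD survives = %d\n", survives(badenv_other, "LDR_PRELOAD"));
    printf("LDR_* table: LDR_PRELOAD survives = %d\n", survives(badenv_aix, "LDR_PRELOAD"));
    return 0;
}
```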