[sudo-workers] NOEXEC working on AIX 5.3 ML5

Mele Giovanni giovanni.mele at nagra.com
Wed Jan 31 02:44:14 EST 2007


Good news for AIX users: AIX 5.3 ML5 now works with NOEXEC.
Unfortunately, IBM didn't use the LD_PRELOAD environment variable but
LDR_PRELOAD (for 32-bit apps). So, to make NOEXEC work, you have to
modify the env.c file and replace LD_PRELOAD with the appropriate value:


static const char *initial_badenv_table[] = {
#ifdef _AIX
#ifdef __hpux


    /*
     * Preload a noexec file?  For a list of LD_PRELOAD-alikes, see
     * http://www.fortran-2000.com/ArnaudRecipes/sharedlib.html
     * XXX - should prepend to original value, if any
     */
    if (noexec && def_noexec_file != NULL) {
#if defined(__darwin__) || defined(__APPLE__)
        insert_env(format_env("DYLD_INSERT_LIBRARIES", def_noexec_file, VNULL), 1);
        insert_env(format_env("DYLD_FORCE_FLAT_NAMESPACE", VNULL), 1);
#else
# if defined(__osf__) || defined(__sgi)
        insert_env(format_env("_RLD_LIST", def_noexec_file, ":DEFAULT", VNULL), 1);
# else
#  ifdef _AIX
        insert_env(format_env("LDR_PRELOAD", def_noexec_file, VNULL), 1);
#  else
        insert_env(format_env("LD_PRELOAD", def_noexec_file, VNULL), 1);
#  endif
# endif
#endif
    }

Another manual change to make is to copy .libs/sudo_noexec.so into the
libexec installation directory. The library that is copied in there is
the static one and applications won't work with it: you need the shared
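
A check for the failure this message works around, as an added example that is not part of the original post or of sudo's code: when the variable name does not match what the platform's loader reads, the preload is ignored and NOEXEC restricts nothing. The status names and the colon-separated value format are assumptions; the environment to inspect would be one captured from a command run under NOEXEC.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical status codes for this example; not part of sudo. */
enum noexec_status { NOEXEC_OK, NOEXEC_VAR_MISSING, NOEXEC_WRONG_LIB, NOEXEC_NOT_FIRST };

/* Same platform ladder as the env.c excerpt, with the _AIX branch. */
const char *noexec_preload_var(void)
{
#if defined(__darwin__) || defined(__APPLE__)
    return "DYLD_INSERT_LIBRARIES";
#elif defined(__osf__) || defined(__sgi)
    return "_RLD_LIST";
#elif defined(_AIX)
    return "LDR_PRELOAD";
#else
    return "LD_PRELOAD";
#endif
}

/*
 * Look for var=value in a NULL-terminated environment and report whether
 * lib is the first entry of the value. Assumption: entries are separated
 * by ':' (as in the "_RLD_LIST" value with ":DEFAULT" appended).
 */
enum noexec_status check_noexec_env(char *const envp[], const char *var,
                                    const char *lib)
{
    size_t vlen = strlen(var), llen = strlen(lib);

    for (size_t i = 0; envp[i] != NULL; i++) {
        /* Match the whole name, so LD_PRELOAD= never satisfies LDR_PRELOAD. */
        if (strncmp(envp[i], var, vlen) != 0 || envp[i][vlen] != '=')
            continue;
        const char *val = envp[i] + vlen + 1;
        for (const char *p = val;;) {
            size_t n = strcspn(p, ":");   /* length of the current entry */
            if (n == llen && strncmp(p, lib, n) == 0)
                return p == val ? NOEXEC_OK : NOEXEC_NOT_FIRST;
            if (p[n] == '\0')
                return NOEXEC_WRONG_LIB;  /* variable set, library absent */
            p += n + 1;
        }
    }
    return NOEXEC_VAR_MISSING;            /* e.g. LD_PRELOAD set on AIX */
}
```

`NOEXEC_VAR_MISSING` is the result an unpatched build would give on AIX, where only `LD_PRELOAD` is set.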


