Paul M. Lambert
plambert at plambert.net
Mon Feb 26 15:55:31 EST 2001
To even begin on this, you'll have to have an understanding of what
shared libraries are, so you can stop putting them in quotation marks. ;-)
An application consists of a collection of computer instructions. Many
times, more than one program has to do the same thing. (For example,
putting a character on the display, etc.) There are many ways to share
code between programs. One of them is by using a dynamic linker.
When a program runs, it starts the dynamic linker, which looks for various
libraries of code that the program needs to run. This way, the 17,000
programs that need to call the "putch" routine don't all have to have
a copy of that routine in them. This makes the programs much smaller.
The dynamic linker will search a path for those libraries. Normally
the system paths are automatically included, but the linker will also
search the paths listed in the LD_LIBRARY_PATH environment variable.
Sudo typically removes that variable. That way, I can't write a routine
that does everything that the getch routine does, for example, and then
put it in a library, add the path of that library to the LD_LIBRARY_PATH
environment variable, and use sudo to run a program that will link to
that library and run _my_ code as root.
So what does this mean for you? Well, the first thing to do is to
_never_ allow the LD_LIBRARY_PATH through. Doing so allows anyone to set
it and bypass your sudo security. Sure, it takes some effort, but what's
the point in locking the doors if you leave all the windows wide open?
Usually, most programs will work just fine with the system libraries,
i.e. the ones searched by the linker by default. If you have other
libraries that need to be used, depending on your operating system,
you can get other paths to be added to the default. Just be sure the
directories you add are not world writeable, so that no one can change or
add libraries to the directories. Adding directories to the default
depends on your OS. Check the man page for ldconfig, for a start on
most OS's. (i.e. man ldconfig)
On some OS's, you can't do that. In that case, it's usually safer to
symlink the libraries into the system library directories.
On Mon, 26 Feb 2001, Anderson, Earle J wrote:
> I have programs that need to use "Shared Libraries." The Security Notes of
> the Sudo Manual says Sudo removes these paths. How do I setup Sudo to allow
> executed commands to use the "shared libraries?"
> The third paragraph in this section mentions "linker option" and "link Sudo
> statically." If linking is the way it's done can someone provide more
> Thank you,
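As an added example (not from the post above or from the sudo project), a POSIX shell audit for the advice in the reply: list the dynamic linker's search directories and flag any directory or library file that is world-writable, since that is what would let an unprivileged user plant a library that a sudo-run program loads. It assumes a glibc-style /etc/ld.so.conf layout; other systems keep the list elsewhere.

```sh
#!/bin/sh
# Audit the dynamic linker's library search path for world-writable entries.
# Example code, not from the original post. Assumes glibc conventions:
# /lib and /usr/lib are default, extra dirs come from /etc/ld.so.conf and
# /etc/ld.so.conf.d/*.conf (adjust the paths for your OS).

# Print the directories named in the given ld.so.conf-style files, one per
# line, dropping comments, blank lines and 'include' directives (the
# included files are globbed explicitly by lib_search_dirs below).
parse_ld_conf() {
    for conf in "$@"; do
        [ -f "$conf" ] || continue
        sed -e 's/#.*//' \
            -e '/^[[:space:]]*include[[:space:]]/d' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e '/^$/d' "$conf"
    done
}

# Default search directories plus everything configured for ldconfig.
lib_search_dirs() {
    printf '%s\n' /lib /usr/lib
    parse_ld_conf /etc/ld.so.conf /etc/ld.so.conf.d/*.conf
}

# Return 0 if the path (symlinks resolved) has the 'other' write bit set.
# -prune stops find from descending into directories; -perm -0002 is the
# POSIX octal form for "writable by others".
is_world_writable() {
    [ -n "$(find -L "$1" -prune -perm -0002 2>/dev/null)" ]
}

# Check each directory and the files directly inside it. Prints one line
# per world-writable path and returns 1 if any were found, 0 otherwise.
audit_lib_dirs() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for path in "$dir" "$dir"/*; do
            [ -e "$path" ] || continue
            if is_world_writable "$path"; then
                echo "WORLD-WRITABLE: $path"
                found=1
            fi
        done
    done
    return $found
}

# Run the audit on the live system only when explicitly requested.
[ -n "${LIBDIR_AUDIT_RUN:-}" ] && audit_lib_dirs $(lib_search_dirs)
```

Run it as `LIBDIR_AUDIT_RUN=1 sh audit.sh`; a non-zero exit means at least one search directory or library can be modified by any user.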