Controlling the LIBPATH environment variable under AIX.

Jean-Marc Monnez monnez.jean-marc at agora.msa.fr
Fri Oct 5 04:56:30 EDT 2001 

Reinitializing of LIBPATH for all executables that have the setuid bit (sudo
does have the setuid) is a system security already implemented in AIX. Even if
sudo didn't clear LIBPATH, AIX would have done it before because of the suid
bit.
Imagine somebody writing a very "personal" libc.a with same entry points, but
with totally different code. Then the guy sets his
LIBPATH=/dir_with_own_libc:$LIBPATH and he launches an innocent root owned
command with suid bit. All calls to dynamic libc.a would be executed in his own
libc.a. To avoid this kind of risk, AIX resets LIBPATH.

What you may do to turn around this :
1) give the users the right to execute a script where you position LIBPATH with
correct value, then launch the app from the script.
2) or give the users the right to start : sudo LIBPATH=<what you need>
application

HTH

-- JMM

imarsha6 at csc.com.au wrote :

> G'day all,
>
> On the system that we are using, our developers and operators require
> access to start and stop processes as a central (non-root) user, for which
> we don't want to distribute the password.  Unfortunately, the security
> feature of sudo on AIX to clear the LIBPATH environment variable is causing
> some of the programs to fail on library dependencies.
>
> After much searching through documentation, I have been unable to find a
> way to disable this behaviour. The optimum solution for us would to have a
> flag that we can specify in the "sudoers" file on a per-command basis that
> enables the pass-through of the LIBPATH information. This variable would be
> off by default (to match the current behaviour.) I do not believe that (if
> used properly) this would introduce a major security risk (please inform me
> if this is not the case!)
>
> Is it possible to achieve the above requirements, preferably without
> writing C code? If not, is there an alternative or workaround that will
> allow this?
>
> Thanks in advance,
>
> Ian Marshall
> System Administrator
> Computer Sciences Corporation
> 476 Victoria Road, Gladesville NSW 2111
> Tel: +61 (2) 9816 9798    Fax: +61 (2) 9816 9700
> E-mail: imarsha6 at csc.com.au
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at courtesan.com>
> For list information, options, or to unsubscribe, visit:
> http://www.courtesan.com/mailman/listinfo/sudo-users

More information about the sudo-users mailing list