Apache as non root with sudo

donald.ritchey at exeloncorp.com
Tue Jan 6 11:56:25 EST 2004


Jamie:

As stated earlier, when you run apachectl as 'user' through sudo, the
LD_LIBRARY_PATH variable is cleared, so apachectl has no way to find the
libmm.so.11 shared library.

1.  You can create a symbolic link from /opt/ebill/app/lib/libmm.so.11 to
/usr/lib, so that normal shared library linkage will find it

or 

2.  You can compile apachectl so that the path to libmm.so.11 is included in
the linkage information.  The steps for that depend on your OS and your
compiler.

Don
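
[Added example, not part of the original message.] Comparing `echo $LD_LIBRARY_PATH` in two login shells does not show what a command started through sudo sees; running ldd with the variable unset does. The function names below are hypothetical, the first sample is abridged from the ldd output posted in this thread, and the second sample is constructed.

```shell
#!/bin/sh
# Find libraries that resolve only through LD_LIBRARY_PATH, i.e. the ones
# that go missing when sudo clears that variable.

# Read ldd output on stdin; print the names of libraries the loader could
# not find. Matches Solaris "(file not found)" and Linux "not found".
missing_libs() {
    awk '/not found/ { print $1 }'
}

# Run ldd on $1 with LD_LIBRARY_PATH removed, as under sudo.
ldd_scrubbed() {
    ( unset LD_LIBRARY_PATH; ldd "$1" )
}

# $1 = ldd output from the normal shell, $2 = ldd output with the variable
# unset. Prints "library directory" for each library that only the normal
# environment can find; that directory is the one to link into the standard
# search path or to record in the binary at link time.
env_only_libs() {
    printf '%s\n' "$2" | missing_libs | while read -r lib; do
        printf '%s\n' "$1" | awk -v lib="$lib" '
            $1 == lib && $2 == "=>" && substr($3, 1, 1) == "/" {
                dir = $3; sub("/[^/]*$", "", dir); print lib, dir
            }'
    done
}

# Check a real binary: check_binary /opt/ebill/app/bin/httpd
check_binary() {
    env_only_libs "$(ldd "$1")" "$(ldd_scrubbed "$1")"
}

# Sample 1: abridged from the ldd output in this thread.
SAMPLE_NORMAL='libsocket.so.1 =>        /usr/lib/libsocket.so.1
libmm.so.11 =>   /opt/ebill/app/lib/libmm.so.11
libc.so.1 =>     /usr/lib/libc.so.1
/usr/platform/SUNW,UltraAX-i2/lib/libc_psr.so.1'

# Sample 2: constructed, what ldd would report with LD_LIBRARY_PATH unset.
SAMPLE_SCRUBBED='libsocket.so.1 =>        /usr/lib/libsocket.so.1
libmm.so.11 =>   (file not found)
libc.so.1 =>     /usr/lib/libc.so.1'

# With a path argument, check that binary; otherwise run the samples.
if [ $# -gt 0 ]; then
    check_binary "$1"
else
    env_only_libs "$SAMPLE_NORMAL" "$SAMPLE_SCRUBBED"
fi
```

An empty result means every dependency resolves from the standard search path or from a path recorded in the binary, so the program does not depend on the caller's environment.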

-----Original Message-----
From: Jamie Bowden [mailto:jamiebowden at hotmail.com]
Sent: Tuesday, January 06, 2004 10:40 AM
To: Eric.Ladner at ChevronTexaco.com; donald.ritchey at exeloncorp.com
Cc: sudo-users at sudo.ws
Subject: RE: Apache as non root with sudo


Here is what I have:

ldd /opt/ebill/app/bin/httpd
      libsocket.so.1 =>        /usr/lib/libsocket.so.1
      libnsl.so.1 =>   /usr/lib/libnsl.so.1
      libpthread.so.1 =>       /usr/lib/libpthread.so.1
      libmm.so.11 =>   /opt/ebill/app/lib/libmm.so.11
      libdl.so.1 =>    /usr/lib/libdl.so.1
      libc.so.1 =>     /usr/lib/libc.so.1
      libmp.so.2 =>    /usr/lib/libmp.so.2
      libthread.so.1 =>        /usr/lib/libthread.so.1
      /usr/platform/SUNW,UltraAX-i2/lib/libc_psr.so.1

I checked the LD_LIBRARY_PATH for both the user and root - they are 
identical.
root user:
# echo $LD_LIBRARY_PATH
/opt/oracle/release/9.2.1/jdbc/lib:/opt/oracle/release/9.2.1/lib:/usr/local/lib/:/opt/ebill/app/lib:/opt/ebill/app/lib

user
# echo $LD_LIBRARY_PATH
/opt/oracle/release/9.2.1/jdbc/lib:/opt/oracle/release/9.2.1/lib:/usr/local/lib/:/opt/ebill/app/lib:/opt/ebill/app/lib

Any ideas on what/how root is finding this and the user isn't?

Thanks

Jamie



>From: "Ladner, Eric (Eric.Ladner)" <Eric.Ladner at ChevronTexaco.com>
>To: donald.ritchey at exeloncorp.com
>CC: jamiebowden at hotmail.com, sudo-users at sudo.ws
>Subject: RE: Apache as non root with sudo
>Date: Tue, 6 Jan 2004 10:10:14 -0600
>
>
>Also, depending on your operating system, you can do a chatr
>/opt/ebill/app/bin/httpd (as in HP-UX) or ldd /opt/ebill/app/bin/httpd
>(most other Unix's) to see what it's linked against.  That'll help, most
>likely.
>
>Eric
>
>-----Original Message-----
>From: sudo-users-bounces at sudo.ws [mailto:sudo-users-bounces at sudo.ws] On
>Behalf Of donald.ritchey at exeloncorp.com
>Sent: Tuesday, January 06, 2004 9:30 AM
>To: jamiebowden at hotmail.com; sudo-users at sudo.ws
>Subject: RE: Apache as non root with sudo
>
>
>Jamie:
>
>This looks like an error in the shared library linkage with apachectl.
>Your apachectl is compiled with linkage to shared libraries that are not
>part of the standard shared library loading environment (probably
>depending on a LD_LIBRARY_PATH variable to find the library in
>question).  As a security measure to prevent spoofing sensitive set-UID
>executables, LD_LIBRARY_PATH is cleared for setUID executables when the
>real user ID is not root.
>
>Responses:
>
>1.  Move the needed library into a library that is in the standard
>library search path (in Tru64 UNIX, the loader(5) man page tells you
>what those directories are, for your OS, you may have to do some
>research to find out where these are) or extend the standard library
>search path to include the needed directory.
>
>2.  You may compile in the location of the directory containing the
>missing shared library into the apachectl executable.  Again, this is
>dependent on the OS and compilers for your environment.  Check your man
>pages for cc(1) and ld(1) for the proper options.
>
>Best wishes,
>
>Donald L. (Don) Ritchey
>E-mail:  Donald.Ritchey at exeloncorp.com
>
>-----Original Message-----
>From: Jamie Bowden [mailto:jamiebowden at hotmail.com]
>Sent: Tuesday, January 06, 2004 9:10 AM
>To: sudo-users at sudo.ws
>Subject: Apache as non root with sudo
>
>
>Hello,
>
>I have installed sudo and am wondering why I cannot get non root users to
>start apache when that user issues the command "sudo apachectl start"
>
>This user has been given 100% root access via sudo command.   They can run
>any command root can.
>
>The error message I get is:
>ld.so.1: /opt/ebill/app/bin/httpd: fatal: libmm.so.11: open failed: No such file or directory
>Killed
>/opt/ebill/app/bin/apachectl start: httpd could not be started
>
>Does sudo not give the user the same paths as root?  Root does not get this
>message - isn't Sudo supposed to make that user "behave" like root?
>
>Any suggestions on what else I could verify?
>
>Thanks
>
>Jamie Bowden
>www.atl.bluecross.ca
>
>____________________________________________________________
>sudo-users mailing list <sudo-users at sudo.ws>
>For list information, options, or to unsubscribe, visit:
>http://www.sudo.ws/mailman/listinfo/sudo-users
>
>
>************************************************************************
>This e-mail and any of its attachments may contain Exelon Corporation
>proprietary information, which is privileged, confidential, or subject
>to copyright belonging to the Exelon Corporation family of Companies.
>This e-mail is intended solely for the use of the individual or entity
>to which it is addressed.  If you are not the intended recipient of this
>e-mail, you are hereby notified that any dissemination, distribution,
>copying, or action taken in relation to the contents of and attachments
>to this e-mail is strictly prohibited and may be unlawful.  If you have
>received this e-mail in error, please notify the sender immediately and
>permanently delete the original and any copy of this e-mail and any
>printout. Thank You.
>************************************************************************
>




