[sudo-users] env_keep and LD_LIBRARY_PATH

Jan Albrecht jan.albrecht at gmail.com
Sun Dec 10 07:43:23 EST 2006


Hi,

As far as I can tell from my experience:
LD_LIBRARY_PATH is deleted by the glibc of Linux (su execution). This
does not happen e.g. on Solaris.
We've tried some options and the only one was to cache out the
environment (with all path vars), do a sudo and re-source the whole
environment. Not even very secure but does work.

Jan

Angelo Primavera wrote:
> Michael,
>
> well, I need to define sudo profiles (for instance HELP_DESK) so that a user can run some commands as root, some others as db and some
> others as application user, and I want all commands executed by this user to be logged (obviously, for security reasons, the user does
> not know the root, db and application passwords!). Moreover, the system administrators do not want to modify what is already up.
> I think SUDO is the solution: faster to apply and not intrusive.
> The problem is that one of these commands is a database application console that unfortunately requires a library located in a non-standard path.
>
> Another solution may be to create links for the needed library on a standard path... and make the administrator put up with this solution.
>
> Angelo
>
>
>   ----- Original Message ----- 
>   From: Michael Potter 
>   To: Angelo Primavera 
>   Cc: sudo-users at sudo.ws 
>   Sent: Thursday, December 07, 2006 3:42 AM
>   Subject: Re: [sudo-users] env_keep and LD_LIBRARY_PATH
>
>
>   Angelo,
>
>   I suspect this is the correct one:
>   Default env_delete-=LD_LIBRARY_PATH
>   except, Linux is probably resetting LD_LIBRARY_PATH before it runs sudo or any other setuid program.
>
>   Tell us more about what you are trying to do: 
>   Why are you trying to run a program as root with libraries in non-standard locations?
>
>   One patch to sudo that I think would be easy to do, safe, and useful, would be this:
>   Default setenv+=LD_LIBRARY_PATH=/usr/lib:/lib:/non/std/but/safe/lib 
>
>   Todd, can you comment?
>
>   As for wrapper scripts being too annoying, how about this:
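>   ------------------------
>   #!/bin/bash
>
>   # SUDO_USER is set by sudo; if it is empty, we are not running under sudo yet.
>   if [[ -z "$SUDO_USER" ]]
>   then
>      # Re-run this script, with its original arguments, under sudo.
>      exec sudo "$0" "$@"
>      exit 1 # exit if exec fails.
>   fi
>
>   # put commands here.
>   ------------------------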
>
>   That way the wrapper script is also a short cut for running sudo.
>
>   That is just a thought; I have not done that.  I would be interested in community commenting on security aspects of that. 
>
>   -- 
>   Michael Potter
>
>
>   On 12/6/06, Angelo Primavera <a.primavera at quipo.it> wrote: 
>     Hi all,
>
>     I have read some posts about how to keep the LD_LIBRARY_PATH variable and the answers seem to be of two types:
>
>         use a command wrapper
>
>         use the Default setting for env_delete/env_keep.
>
>
>
>     I'm using sudo 1.6.8p12 on Linux redhat 7.3 and I would like to avoid the wrapper (system users are already annoyed at using the "sudo" command!), so I've tried each of the following options:
>
>         Default env_delete-=LD_LIBRARY_PATH 
>
>         Default env_delete-=LD_*
>
>         Default env_keep+=LD_LIBRARY_PATH
>
>         Default env_keep+=LD_*
>
>     Unfortunately none of them works.
>
>
>
>     My question is:
>
>         Are the env_delete/env_keep options applicable to LD_LIBRARY_PATH? If yes, what is wrong with my settings?
>
>
>
>     Thank you in advance
>
>
>
>     Angelo
>
>     ____________________________________________________________
>     sudo-users mailing list <sudo-users at sudo.ws>
>     For list information, options, or to unsubscribe, visit:
>     http://www.sudo.ws/mailman/listinfo/sudo-users
>
>
>   
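
The options discussed in this thread come down to giving the privileged command a fixed library path instead of the caller's. As an added example (not code from the thread or from sudo), the function below vets such a fixed path inside a wrapper: it rejects empty or relative entries and any directory that is not owned by a trusted uid or is group- or world-writable. The names `vet_lib_path` and `LIB_DIRS` are hypothetical, and only each listed directory is checked, not its parents.

```shell
#!/bin/sh
# Added example, not from the thread: vet a fixed library search path
# inside a sudo wrapper. vet_lib_path and LIB_DIRS are hypothetical names.

# usage: vet_lib_path DIR[:DIR...] [TRUSTED_UID]   (TRUSTED_UID defaults to 0)
# Prints the entries that pass on stdout; returns 1 if any entry was rejected.
vet_lib_path() {
    rest="${1}:"            # trailing ":" so the loop also sees the last entry
    owner=${2:-0}
    vetted=""
    rc=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first ":"
        rest=${rest#*:}     # text after the first ":"
        case $entry in
            /*) ;;
            *)  # Empty or relative entries resolve against the current directory.
                echo "rejected (not absolute): '$entry'" >&2
                rc=1; continue ;;
        esac
        if [ ! -d "$entry" ]; then
            echo "rejected (not a directory): $entry" >&2
            rc=1; continue
        fi
        # -H follows a symlinked entry such as /lib. Anything printed means the
        # directory is not owned by the trusted uid or is group/world writable.
        bad=$(find -H "$entry" -prune \
                  \( ! -user "$owner" -o -perm -0020 -o -perm -0002 \) -print)
        if [ -n "$bad" ]; then
            echo "rejected (owner or mode): $entry" >&2
            rc=1; continue
        fi
        vetted="${vetted}${vetted:+:}${entry}"
    done
    printf '%s\n' "$vetted"
    return "$rc"
}

# In the wrapper, once it is running under sudo:
#   LIB_DIRS=/usr/lib:/lib:/non/std/but/safe/lib    # path from the thread
#   LD_LIBRARY_PATH=$(vet_lib_path "$LIB_DIRS") || exit 1
#   export LD_LIBRARY_PATH
```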



