问题
I am trying to use LD_PRELOAD to preload a library with an application that has setuid permissions. Tried LD_PRELOAD at first, and it seemed like it was being ignored with the setuid binary, though it was working when I tried it with others like ls, dir etc.
From the documentation of LD_PRELOAD:
LD_PRELOAD
A whitespace-separated list of additional, user-specified, ELF shared
libraries to be loaded before all others. This can be used to
selectively override functions in other shared libraries. For set-
user-ID/set-group-ID ELF binaries, only libraries in the standard
search directories that are also set-user-ID will be loaded.
I tried to put the library in /usr/lib, /usr/local/lib, and /usr/lib64 with setuid permissions as per this documentation above, but it still doesnt seem to work. If I dont give LD_PRELOAD a path in the case where I have the library in the standard dirs with setuid, it cannot seem to find the library. If I give it the path, it does not do anything.
The setuid binary is a root permissions binary that runs in a non root user shell. Any thoughts? Not sure if I am missing a path, an environment variable, or I am misunderstanding the documentation above.
Edit: permissions as requested are:
Library:
-rwsr-sr-x 1 root root 72580 2012-02-10 07:51
App:
-rwsr-xr-x 1 root root 137517601 2012-02-10
env | grep LD
LD_LIBRARY_PATH=/usr/lib (I added this manually myself, usually LD_LIBRARY_PATH is empty)
回答1:
LD_PRELOAD cannot be used with setuid. This is a security feature in linux.
For reference check this article, which goes into the detail on how to use LD_PRELOAD to substitute some library calls with custom code, at the example of malloc.
回答2:
If you are using SELinux, this may be due to it. One of the ELF auxiliary vectors that glibc supports is AT_SECURE. This particular parameter (which is either 0 by default or 1) tells the ELF dynamic linker to unset various environment variables that are considered potentially harmful for your system. One of these is LD_PRELOAD. Normally, this environment sanitation is done when a setuid/setgid application is called (to prevent the obvious vulnerabilities). SELinux also enhanced this sanitation to whenever an application is triggering a domain transition in SELinux (say sysadm_t to mozilla_t through a binary labelled moz, or whatever); SELinux sets the AT_SECURE flag for the loaded application (in the example, mozilla/firefox).
The noatsecure permission disables the environment sanitation activity for a particular transition. You can do this through the following allow statement (as it would apply on the example above):
allow sysadm_t mozilla_t:process { noatsecure };
回答3:
On a system with glibc, you can preload a library using another supported way: by adding the library into /etc/ld.so.preload. This one doesn't suffer from the restrictions of LD_PRELOAD.
In particular, this way I was able to preload (uselessly, just to demonstrate that it works) libgtk3-nocsd.so into /usr/bin/passwd, and, when I ran passwd ruslan, the library did show up in /proc/<PID_OF_PASSWD>/maps while passwd was waiting for current password input.
One shortcoming is that you can't do this on a per-app basis like you could with LD_PRELOAD. If you really require this, maybe you could change your library to try to check whether it wants to do anything, based on what path to current process binary is (detecting it like discussed here).
回答4:
Install your lib as such:
- location: /lib or /usr/lib
- permissions: root:root
- has setuid and setgid on
Make sure LD_PRELOAD is exported to your environment
$ export LD_PRELOAD=/usr/lib/yourlib.so
$ env | grep LD_PRELOAD # verify
Then run your program.
来源:https://stackoverflow.com/questions/9232892/ld-preload-with-setuid-binary