LD_PRELOAD with setuid binary

Question

I am trying to use LD_PRELOAD to preload a library with an application that has setuid permissions. Tried LD_PRELOAD at first, and it seemed like i

Answer 1

If you are using SELinux, this may be due to it. One of the ELF auxiliary vectors that glibc supports is AT_SECURE. This particular parameter (which is either 0 by default or 1) tells the ELF dynamic linker to unset various environment variables that are considered potentially harmful for your system. One of these is LD_PRELOAD. Normally, this environment sanitation is done when a setuid/setgid application is called (to prevent the obvious vulnerabilities). SELinux also enhanced this sanitation to whenever an application is triggering a domain transition in SELinux (say sysadm_t to mozilla_t through a binary labelled moz, or whatever); SELinux sets the AT_SECURE flag for the loaded application (in the example, mozilla/firefox).

The noatsecure permission disables the environment sanitation activity for a particular transition. You can do this through the following allow statement (as it would apply on the example above):

allow sysadm_t mozilla_t:process { noatsecure };