LD_PRELOAD with setuid binary

Frontend | Unresolved | 5 answers | 611 views
野性不改 2020-12-17 19:55

I am trying to use LD_PRELOAD to preload a library with an application that has setuid permissions. Tried LD_PRELOAD at first, and it seemed like i

5 answers
  • 2020-12-17 20:15

    LD_PRELOAD can't be used with a set-user-ID/set-group-ID program, except when the set-user-ID/set-group-ID program is running with the same real and effective user and group.

    For example, after fork and before exec*, setting

    • setreuid to the owner of the set-user-ID program
    • setregid to the group of the set-group-ID program
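    Added example, not part of the answer above: a small C launcher that applies the advice in that answer. It assumes it is itself started with the effective uid/gid of the target's owner (for instance because the launcher is installed set-user-ID), aligns the real ids with setregid/setreuid, and then execs the target with LD_PRELOAD set. The helper needs_secure_mode mirrors only the uid/gid part of the kernel's AT_SECURE decision (a change in capabilities also triggers it); started_secure reads the flag the kernel actually passed. The names needs_secure_mode, started_secure and align_ids_to_effective are this example's own.

```c
/* Added example (not from the original answers): run a set-user-ID
 * program with LD_PRELOAD honoured by first making real ids equal to
 * effective ids, so the exec is not treated as a privilege change.
 * Assumption: this launcher already runs with the target owner's
 * effective uid/gid (e.g. it is itself set-user-ID to that owner). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/auxv.h>
#include <sys/wait.h>

/* The dynamic linker ignores LD_PRELOAD when the kernel passed AT_SECURE=1.
 * The kernel sets it when real and effective ids differ at exec (or when
 * capabilities are raised). This mirrors the uid/gid part of that rule. */
int needs_secure_mode(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Whether the current process itself was started in secure mode. */
int started_secure(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* Make the real ids match the effective ids. Group first, because once
 * the uid is no longer privileged setregid may be refused.
 * Returns 0 on success, -1 on failure (errno set by the syscall). */
int align_ids_to_effective(void)
{
    if (setregid(getegid(), getegid()) != 0)
        return -1;
    if (setreuid(geteuid(), geteuid()) != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s /path/to/preload.so /path/to/setuid-prog [args...]\n",
                argv[0]);
        return 2;
    }

    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return 1;
    }
    if (pid == 0) {
        /* after fork, before exec: real ids := effective ids */
        if (align_ids_to_effective() != 0) {
            perror("setregid/setreuid");
            _exit(1);
        }
        setenv("LD_PRELOAD", argv[1], 1);
        execv(argv[2], &argv[2]);
        perror("execv");
        _exit(1);
    }

    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

    Caveat for anyone using this: after align_ids_to_effective the child's real uid is the privileged one, so the target (and anything it execs) can no longer tell it was invoked by an unprivileged user and keeps that privilege throughout. Do this only for a binary you trust completely, and never as a general-purpose launcher.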
  • 2020-12-17 20:33

    If you are using SELinux, this may be due to it. One of the ELF auxiliary vectors that glibc supports is AT_SECURE. This particular parameter (which is either 0 by default or 1) tells the ELF dynamic linker to unset various environment variables that are considered potentially harmful for your system. One of these is LD_PRELOAD. Normally, this environment sanitation is done when a setuid/setgid application is called (to prevent the obvious vulnerabilities). SELinux also enhanced this sanitation to whenever an application is triggering a domain transition in SELinux (say sysadm_t to mozilla_t through a binary labelled moz, or whatever); SELinux sets the AT_SECURE flag for the loaded application (in the example, mozilla/firefox).

    The noatsecure permission disables the environment sanitation activity for a particular transition. You can do this through the following allow statement (as it would apply on the example above):

    allow sysadm_t mozilla_t:process { noatsecure };
    
  • 2020-12-17 20:34

    LD_PRELOAD cannot be used with setuid. This is a security feature in Linux. For reference check this article, which goes into detail on how to use LD_PRELOAD to substitute some library calls with custom code, using malloc as the example.

  • 2020-12-17 20:38

    On a system with glibc, you can preload a library using another supported way: by adding the library into /etc/ld.so.preload. This one doesn't suffer from the restrictions of LD_PRELOAD.

    In particular, this way I was able to preload (uselessly, just to demonstrate that it works) libgtk3-nocsd.so into /usr/bin/passwd, and, when I ran passwd ruslan, the library did show up in /proc/<PID_OF_PASSWD>/maps while passwd was waiting for current password input.

    One shortcoming is that you can't do this on a per-app basis like you could with LD_PRELOAD. If you really require this, maybe you could change your library to try to check whether it wants to do anything, based on what the path to the current process binary is (detecting it like discussed here).

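    Added example, not part of the answer above: a preload library written the way that answer suggests for the per-app problem. Because /etc/ld.so.preload injects it into every process on the system, the constructor resolves /proc/self/exe and only switches itself on when the path matches a chosen target. The target path /usr/bin/passwd, and the names current_exe_path, exe_matches and preload_is_active, are this example's own assumptions.

```c
/* Added example (not from the original answers): a library meant for
 * /etc/ld.so.preload that activates only inside one target binary,
 * identified through /proc/self/exe.  Build with
 *   cc -shared -fPIC -o libtargeted.so targeted.c
 * Assumption: the target is /usr/bin/passwd (hypothetical choice). */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <limits.h>

#define TARGET_EXE "/usr/bin/passwd"   /* example target, assumption */

/* Resolve the running executable via /proc/self/exe.
 * Returns the path length, or -1 if the link cannot be read. */
ssize_t current_exe_path(char *buf, size_t len)
{
    ssize_t n = readlink("/proc/self/exe", buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Exact path comparison. The kernel appends " (deleted)" to the link
 * target when the binary was replaced on disk after exec; strip it so a
 * freshly upgraded target is still recognised. */
int exe_matches(const char *exe_path, const char *target)
{
    static const char suffix[] = " (deleted)";
    size_t n = strlen(exe_path);
    size_t sl = sizeof suffix - 1;

    if (n > sl && strcmp(exe_path + n - sl, suffix) == 0)
        n -= sl;
    return strlen(target) == n && strncmp(exe_path, target, n) == 0;
}

static int active;

/* Wrapped functions check this before doing anything; in every other
 * process the library stays inert. */
int preload_is_active(void)
{
    return active;
}

/* Runs at load time in every process that picks up ld.so.preload, so it
 * does as little as possible: one readlink, one string compare. */
__attribute__((constructor))
static void preload_init(void)
{
    char exe[PATH_MAX];

    if (current_exe_path(exe, sizeof exe) < 0)
        return;
    active = exe_matches(exe, TARGET_EXE);
    if (active)
        fprintf(stderr, "[preload] active in %s\n", exe);
}
```

    Keep the constructor this small on purpose: it runs in init, in daemons, and in every set-user-ID program on the box, so a bug or a slow operation there affects the whole system, not just the one binary you were targeting.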
  • 2020-12-17 20:38

    Install your library as follows:

    • location: /lib or /usr/lib
    • permissions: root:root
    • has setuid and setgid on

    Make sure LD_PRELOAD is exported to your environment

    $ export LD_PRELOAD=/usr/lib/yourlib.so
    $ env | grep LD_PRELOAD  # verify
    

    Then run your program.
