Reputation: 341
LD_PRELOAD with setuid binary
I am trying to use LD_PRELOAD to preload a library with an application that has setuid permissions. Tried LD_PRELOAD at first, and it seemed like it was being ignored with the setuid binary, though it was working when I tried it with others like ls, dir etc.
From the documentation of LD_PRELOAD:
LD_PRELOAD
A whitespace-separated list of additional, user-specified, ELF shared
libraries to be loaded before all others. This can be used to
selectively override functions in other shared libraries. For set-
user-ID/set-group-ID ELF binaries, only libraries in the standard
search directories that are also set-user-ID will be loaded.
I tried to put the library in /usr/lib, /usr/local/lib, and /usr/lib64 with setuid permissions as per this documentation above, but it still doesnt seem to work. If I dont give LD_PRELOAD a path in the case where I have the library in the standard dirs with setuid, it cannot seem to find the library. If I give it the path, it does not do anything.
The setuid binary is a root permissions binary that runs in a non root user shell. Any thoughts? Not sure if I am missing a path, an environment variable, or I am misunderstanding the documentation above.
Permissions are as follows:
Library:
-rwsr-sr-x 1 root root 72580 2012-02-10 07:51
App:
-rwsr-xr-x 1 root root 137517601 2012-02-10
env | grep LD
LD_LIBRARY_PATH=/usr/lib (I added this manually myself, usually LD_LIBRARY_PATH is empty)
Upvotes: 11
Views: 25501
Answers (5)
Reputation: 1536
LD_PRELOAD can't be used with set-user-ID/set-group-ID program, except that the et-user-ID/set-group-ID program is running as the same real and effective user and group.
For example, after fork and before exec*, setting
setreuidto the owner of the set-user-ID programsetregidto the group of the set-group-ID program
Upvotes: 0
Reputation: 19140
On a system with glibc, you can preload a library using another supported way: by adding the library into /etc/ld.so.preload. This one doesn't suffer from the restrictions of LD_PRELOAD.
In particular, this way I was able to preload (uselessly, just to demonstrate that it works) libgtk3-nocsd.so into /usr/bin/passwd, and, when I ran passwd ruslan, the library did show up in /proc/<PID_OF_PASSWD>/maps while passwd was waiting for current password input.
One shortcoming is that you can't do this on a per-app basis like you could with LD_PRELOAD. If you really require this, maybe you could change your library to try to check whether it wants to do anything, based on what path to current process binary is (detecting it like discussed here).
Upvotes: 0
Reputation: 189
LD_PRELOAD cannot be used with setuid. This is a security feature in linux.
For reference check this article, which goes into the detail on how to use LD_PRELOAD to substitute some library calls with custom code, at the example of malloc.
Upvotes: 14
Reputation: 40869
If you are using SELinux, this may be due to it. One of the ELF auxiliary vectors that glibc supports is AT_SECURE. This particular parameter (which is either 0 by default or 1) tells the ELF dynamic linker to unset various environment variables that are considered potentially harmful for your system. One of these is LD_PRELOAD. Normally, this environment sanitation is done when a setuid/setgid application is called (to prevent the obvious vulnerabilities). SELinux also enhanced this sanitation to whenever an application is triggering a domain transition in SELinux (say sysadm_t to mozilla_t through a binary labelled moz, or whatever); SELinux sets the AT_SECURE flag for the loaded application (in the example, mozilla/firefox).
The noatsecure permission disables the environment sanitation activity for a particular transition. You can do this through the following allow statement (as it would apply on the example above):
allow sysadm_t mozilla_t:process { noatsecure };
Upvotes: 5
Reputation: 8282
Install your lib as such:
- location: /lib or /usr/lib
- permissions: root:root
- has setuid and setgid on
Make sure LD_PRELOAD is exported to your environment
$ export LD_PRELOAD=/usr/lib/yourlib.so
$ env | grep LD_PRELOAD # verify
Then run your program.
Upvotes: -3
Related Questions
- How to make static linked ELF file to load LD_PRELOAD .so
- How to prevent LD_PRELOAD on a binary?
- trying to understand LD_PRELOAD and SUID/SGID with checkinstall or porg
- Why is the string specified in `LD_PRELOAD` loaded on the memory of setuid executables in RedHat 6.2?
- Using the setuid bit in Linux
- Where in the linux kernel is the handling of setuid binaries implemented?
- LD_PRELOAD does not work as expected
- Exploiting SUID files with LD_PRELOAD and IFS
- LD_PRELOAD loaded event
- Help with using LD_PRELOAD