Hi there,
Guess this is the closest correct group to post.
I ran into an issue and am not sure how it happened but I believe this could be
a security issue.
On a Solaris 10 11/06 box, I have some commands, like su and groups, that refuse
to run because of library file issues. For example:
$ groups
ld.so.1: groups: fatal: relocation error: file /usr/lib/mps/libsoftokn3.so:
symbol PR_GetLibraryFilePathname: referenced symbol not found
Killed
Investigation shows that /usr/lib/mps/libsoftokn3.so was linking to some
libraries in the user's LD_LIBRARY_PATH:
ldd /usr/lib/mps/libsoftokn3.so
libplc4.so => /apps/inf_si/repserver/libplc4.so ************
libplc4.so (NSPR_4.0) => (version not found)
libplds4.so => /apps/inf_si/repserver/libplds4.so ************
libplds4.so (NSPR_4.1) => (version not found)
libnspr4.so => /apps/inf_si/repserver/libnspr4.so *************
libnspr4.so (NSPR_4.3) => (version not found)
libthread.so.1 => /usr/lib/libthread.so.1
libc.so.1 => /usr/lib/libc.so.1
libbsm.so.1 => /usr/lib/libbsm.so.1
libpthread.so.1 => /usr/lib/libpthread.so.1
libposix4.so.1 => /usr/lib/libposix4.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libmd5.so.1 => /usr/lib/libmd5.so.1
libsecdb.so.1 => /usr/lib/libsecdb.so.1
libtsol.so.2 => /usr/lib/libtsol.so.2
libaio.so.1 => /usr/lib/libaio.so.1
libmp.so.2 => /usr/lib/libmp.so.2
libscf.so.1 => /usr/lib/libscf.so.1
libcmd.so.1 => /usr/lib/libcmd.so.1
libdoor.so.1 => /usr/lib/libdoor.so.1
libuutil.so.1 => /usr/lib/libuutil.so.1
libgen.so.1 => /usr/lib/libgen.so.1
libm.so.2 => /usr/lib/libm.so.2
/platform/SUNW,Netra-T12/lib/libc_psr.so.1
/platform/SUNW,Netra-T12/lib/libmd5_psr.so.1
After I put /usr/lib/mps in front of the specified directory in the user's
LD_LIBRARY_PATH, the problem got fixed.
BUT, there are at least two issues:
1. How did /usr/lib/mps/libsoftokn3.so get linked in in the first place? It is
not in anyone's LD_LIBRARY_PATH at all, so is it hard-coded? That would be pretty
bad.
2. If a privileged command like su gets linked with a user's library, we'll have a
security issue. Someone can craft a special-purpose .so file and run arbitrary
code in it.
Am I missing something here?
Thanks,
Sean
This message posted from opensolaris.org
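
Added example, not part of the original post: a small Python check that parses ldd output like the listing above and flags libraries resolved outside system directories or with unmet version requirements. The trusted-prefix list and the name audit_ldd are assumptions made for this example; the sample input is constructed from lines of the quoted output.

```python
import posixpath
import re

# Assumption for this example: only these prefixes count as system library paths.
TRUSTED_PREFIXES = ("/usr/lib/", "/lib/", "/platform/")

# Constructed sample: a subset of the ldd lines quoted in the post.
SAMPLE_LDD = """\
libplc4.so => /apps/inf_si/repserver/libplc4.so ************
libplc4.so (NSPR_4.0) => (version not found)
libnspr4.so => /apps/inf_si/repserver/libnspr4.so *************
libnspr4.so (NSPR_4.3) => (version not found)
libthread.so.1 => /usr/lib/libthread.so.1
libc.so.1 => /usr/lib/libc.so.1
/platform/SUNW,Netra-T12/lib/libc_psr.so.1
"""

# "name [(version)] => target"; lines without "=>" are bare paths.
LINE_RE = re.compile(r"^(\S+)(?:\s+\(([^)]+)\))?\s+=>\s+(.+)$")


def audit_ldd(text, trusted=TRUSTED_PREFIXES):
    """Return (kind, library, detail) tuples for resolutions worth reviewing."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        name, version, target = m.groups() if m else (line, None, line)
        if target.startswith("("):
            # e.g. "(version not found)": the dependency was not satisfied.
            reason = target.strip("()")
            detail = f"{version}: {reason}" if version else reason
            findings.append(("unresolved", name, detail))
            continue
        # Take the first token so trailing annotations are ignored, then
        # normalise so "/usr/lib/../x" cannot pass the prefix check.
        path = posixpath.normpath(target.split()[0])
        if not path.startswith(trusted):
            findings.append(("untrusted-path", name, path))
    return findings


if __name__ == "__main__":
    for kind, lib, detail in audit_ldd(SAMPLE_LDD):
        print(f"{kind:15} {lib:14} {detail}")
```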