如何使用$ORIGIN和suid应用程序?
我正在使用启用了 setcap CAP_NET_RAW 的 python。我的 python 脚本导入一个共享库,该库的 RPATH 中有 $ORIGIN。由于我的 python 现在是一个 suid 应用程序,因此未评估 $ORIGIN 并且库未正确加载(这是由于 安全性glibc 中发现泄漏)。 有没有办法告诉链接器我的库路径是安全的并无论如何加载库?
还有几点说明:
- 我只在开发阶段需要这个功能。我不是在寻找生产解决方案。
- 当以 root 身份工作时,一切正常。
- 我不想以 root 身份工作。
谢谢, 戴夫
I'm using python with setcap CAP_NET_RAW enabled. My python script imports a shared library which has $ORIGIN in its RPATH. Since my python is now a suid app, $ORIGIN is not evaluated and the library does not load correctly (this is due to a security leak found in glibc ).
Is there a way to tell the linker that my library path is secure and load the library anyway?
A few more notes:
- I only need this feature in the development stage. I'm not looking for a production solution.
- When working as root, everything works.
- I do not want to work as root.
Thanks,
Dave
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您可以尝试其中之一。考虑
$ORIGINrpath 引用后的绝对路径名。告诉 ldconfig 在哪里找到您的库后重新运行 ldconfig
如果不能以 root 身份运行,请在每次执行进程时使用正确的目录导出 LD_LIBRARY_PATH
You can try one of these. Consider that
<path-to-mylib>is the absolute pathname after solving the$ORIGINrpath reference.Re-run ldconfig after telling it where to find your library
If running things as root is not an option, export LD_LIBRARY_PATH with the correct directory for every execution of the process
你尝试过须藤吗?
在开发过程中使用固定路径而不是 $ORIGIN,因为它们将在 setuid 程序上工作。不要更改您的主要构建过程,只需使用 patchelf 将 rpath 设置为您需要的即可。您可以制作一个 shell 脚本,执行以下操作:
然后您的二进制文件将不再搜索 $ORIGIN/../lib 而是 /devel/myprog/lib/../lib
Did you try sudo?
Instead of $ORIGIN, use fixed paths during development because they will work on setuid programs. Don't change your main build process, just use patchelf to set the rpath to what you need. You could make a shell script which does something like:
Then your binary will no longer search $ORIGIN/../lib but /devel/myprog/lib/../lib