LD_PRELOAD with setuid binaries
I am trying to use LD_PRELOAD to preload a library with an application that has setuid permissions. Tried LD_PRELOAD at first, and it seemed like it was being ignored with the setuid binary, though it was working when I tried it with others like ls, dir etc.

From the documentation of LD_PRELOAD:

LD_PRELOAD
A whitespace-separated list of additional, user-specified, ELF shared
libraries to be loaded before all others. This can be used to
selectively override functions in other shared libraries. For
set-user-ID/set-group-ID ELF binaries, only libraries in the standard
search directories that are also set-user-ID will be loaded.

I tried to put the library in /usr/lib, /usr/local/lib, and /usr/lib64 with setuid permissions as per this documentation above, but it still doesn't seem to work. If I don't give LD_PRELOAD a path in the case where I have the library in the standard dirs with setuid, it cannot seem to find the library. If I give it the path, it does not do anything.

The setuid binary is a root permissions binary that runs in a non root user shell. Any thoughts? Not sure if I am missing a path, an environment variable, or I am misunderstanding the documentation above.

Permissions are as follows:

Library:
-rwsr-sr-x 1 root root 72580 2012-02-10 07:51

App:
-rwsr-xr-x 1 root root 137517601 2012-02-10

env | grep LD
LD_LIBRARY_PATH=/usr/lib (I added this manually myself, usually LD_LIBRARY_PATH is empty)

Comments (5)

LD_PRELOAD cannot be used with setuid. This is a security feature in Linux.

For reference check this article, which goes into the detail on how to use LD_PRELOAD to substitute some library calls with custom code, at the example of malloc.

If you are using SELinux, this may be due to it. One of the ELF auxiliary vectors that glibc supports is AT_SECURE. This particular parameter (which is either 0 by default or 1) tells the ELF dynamic linker to unset various environment variables that are considered potentially harmful for your system. One of these is LD_PRELOAD. Normally, this environment sanitation is done when a setuid/setgid application is called (to prevent the obvious vulnerabilities). SELinux also enhanced this sanitation to whenever an application is triggering a domain transition in SELinux (say sysadm_t to mozilla_t through a binary labelled moz, or whatever); SELinux sets the AT_SECURE flag for the loaded application (in the example, mozilla/firefox).

The noatsecure permission disables the environment sanitation activity for a particular transition. You can do this through the following allow statement (as it would apply on the example above):

On a system with glibc, you can preload a library using another supported way: by adding the library into /etc/ld.so.preload. This one doesn't suffer from the restrictions of LD_PRELOAD.

In particular, this way I was able to preload (uselessly, just to demonstrate that it works) libgtk3-nocsd.so into /usr/bin/passwd, and, when I ran passwd ruslan, the library did show up in /proc/<PID_OF_PASSWD>/maps while passwd was waiting for current password input.

One shortcoming is that you can't do this on a per-app basis like you could with LD_PRELOAD. If you really require this, maybe you could change your library to try to check whether it wants to do anything, based on what path to current process binary is (detecting it like discussed here).

LD_PRELOAD can't be used with set-user-ID/set-group-ID program, except that the set-user-ID/set-group-ID program is running as the same real and effective user and group.

For example, after fork and before exec*, setting
setreuid to the owner of the set-user-ID program
setregid to the group of the set-group-ID program
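
To see which case a given process is in (the AT_SECURE flag from the SELinux comment, or the matching real and effective IDs from the comment above), this added example, which is not code from any of the posters, reads the flag with glibc's getauxval() and compares the IDs. The names at_secure, ids_differ and classify, and the numeric labels classify returns, are chosen here for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if the kernel set AT_SECURE for this process at exec time, else 0. */
int at_secure(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* The set-user-ID/set-group-ID trigger: real and effective IDs differ.
 * Takes the IDs as arguments so it can be checked on constructed values. */
int ids_differ(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* 0: not secure, LD_PRELOAD is honoured as usual.
 * 1: secure, and real and effective IDs differ.
 * 2: secure although the IDs match, e.g. an SELinux domain transition
 *    without noatsecure (labels chosen here, not glibc terms). */
int classify(int secure, int differ)
{
    if (!secure)
        return 0;
    return differ ? 1 : 2;
}

int main(void)
{
    static const char *why[] = {
        "not in secure-execution mode",
        "secure-execution mode: real and effective IDs differ",
        "secure-execution mode: set for another reason (IDs match)",
    };
    int differ = ids_differ(getuid(), geteuid(), getgid(), getegid());
    const char *preload = getenv("LD_PRELOAD");

    printf("AT_SECURE=%d ruid=%d euid=%d rgid=%d egid=%d\n", at_secure(),
           (int)getuid(), (int)geteuid(), (int)getgid(), (int)getegid());
    printf("%s\n", why[classify(at_secure(), differ)]);
    printf("LD_PRELOAD seen by the program: %s\n", preload ? preload : "(unset)");
    return 0;
}
```

Built as an ordinary binary it reports state 0; the same binary made set-user-ID root and run by another user reports AT_SECURE=1 with differing IDs.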

Install your lib as such:
Make sure LD_PRELOAD is exported to your environment
Then run your program.