Linux: LD_PRELOAD with setuid binary
Original URL: http://stackoverflow.com/questions/9232892/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow
LD_PRELOAD with setuid binary
Asked by Mark Lobo
I am trying to use LD_PRELOAD to preload a library with an application that has setuid permissions. Tried LD_PRELOAD at first, and it seemed like it was being ignored with the setuid binary, though it was working when I tried it with others like ls, dir etc.
From the documentation of LD_PRELOAD:
LD_PRELOAD
    A whitespace-separated list of additional, user-specified, ELF shared libraries to be loaded before all others. This can be used to selectively override functions in other shared libraries. For set-user-ID/set-group-ID ELF binaries, only libraries in the standard search directories that are also set-user-ID will be loaded.
I tried to put the library in /usr/lib, /usr/local/lib, and /usr/lib64 with setuid permissions as per this documentation above, but it still doesn't seem to work. If I don't give LD_PRELOAD a path in the case where I have the library in the standard dirs with setuid, it cannot seem to find the library. If I give it the path, it does not do anything.
The setuid binary is a root permissions binary that runs in a non root user shell. Any thoughts? Not sure if I am missing a path, an environment variable, or I am misunderstanding the documentation above.
Edit: permissions as requested are:
Library:
-rwsr-sr-x 1 root root 72580 2012-02-10 07:51
App:
-rwsr-xr-x 1 root root 137517601 2012-02-10
env | grep LD
LD_LIBRARY_PATH=/usr/lib (I added this manually myself, usually LD_LIBRARY_PATH is empty)
Answer by Christopher Neylan
Install your lib as such:
- location: /lib or /usr/lib
- permissions: root:root
- has setuid and setgid on
Make sure LD_PRELOAD is exported to your environment
$ export LD_PRELOAD=/usr/lib/yourlib.so
$ env | grep LD_PRELOAD # verify
Then run your program.
Answer by Michael Foukarakis
If you are using SELinux, this may be due to it. One of the ELF auxiliary vectors that glibc supports is AT_SECURE. This particular parameter (which is either 0 by default or 1) tells the ELF dynamic linker to unset various environment variables that are considered potentially harmful for your system. One of these is LD_PRELOAD. Normally, this environment sanitation is done when a setuid/setgid application is called (to prevent the obvious vulnerabilities). SELinux also enhanced this sanitation to whenever an application is triggering a domain transition in SELinux (say sysadm_t to mozilla_t through a binary labelled moz, or whatever); SELinux sets the AT_SECURE flag for the loaded application (in the example, mozilla/firefox).
The noatsecure permission disables the environment sanitation activity for a particular transition. You can do this through the following allow statement (as it would apply on the example above):
allow sysadm_t mozilla_t:process { noatsecure };
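Added example, not part of the answer above or of the original page: AT_SECURE is delivered in the ELF auxiliary vector, which Linux exposes as /proc/<pid>/auxv, so you can check whether a given process was started in secure-execution mode (the mode in which LD_PRELOAD is sanitised). The struct and function names are illustrative, and the parser assumes the inspected process has the same word size as this tool.

```c
#include <elf.h>       /* AT_* constants */
#include <stdio.h>
#include <sys/auxv.h>  /* getauxval() */

struct auxv_ids {      /* auxv fields that decide secure-execution mode */
    unsigned long uid, euid, gid, egid, secure;
    int have_secure;   /* 1 if an AT_SECURE entry was present */
};

/* Walk an auxv image: (type, value) pairs of unsigned long ended by AT_NULL.
 * Returns the number of entries before AT_NULL, or -1 if it is missing. */
int parse_auxv(const unsigned long *av, size_t nwords, struct auxv_ids *out)
{
    int n = 0;
    *out = (struct auxv_ids){0};
    for (size_t i = 0; i + 1 < nwords; i += 2, n++) {
        switch (av[i]) {
        case AT_NULL:   return n;
        case AT_UID:    out->uid = av[i + 1]; break;
        case AT_EUID:   out->euid = av[i + 1]; break;
        case AT_GID:    out->gid = av[i + 1]; break;
        case AT_EGID:   out->egid = av[i + 1]; break;
        case AT_SECURE: out->secure = av[i + 1]; out->have_secure = 1; break;
        }
    }
    return -1;
}

/* Read /proc/<pid>/auxv ("self" also works). Returns 0 on success. */
int read_proc_auxv(const char *pid, struct auxv_ids *out)
{
    unsigned long buf[128];
    char path[64];
    snprintf(path, sizeof path, "/proc/%s/auxv", pid);
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, sizeof buf[0], 128, f);
    fclose(f);
    return parse_auxv(buf, n, out) < 0 ? -1 : 0;
}

int main(int argc, char **argv)
{
    struct auxv_ids a;
    if (read_proc_auxv(argc > 1 ? argv[1] : "self", &a) != 0) return 1;
    printf("uid=%lu euid=%lu gid=%lu egid=%lu AT_SECURE=%lu (this tool: %lu)\n",
           a.uid, a.euid, a.gid, a.egid, a.secure, getauxval(AT_SECURE));
    return 0;
}
```

Run it with a PID as the only argument; a setuid program started by another user typically shows uid different from euid together with AT_SECURE=1.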
Answer by user1259893
LD_PRELOAD cannot be used with setuid. This is a security feature in Linux.
For reference check this article, which goes into the detail on how to use LD_PRELOAD to substitute some library calls with custom code, at the example of malloc.
Answer by Ruslan
On a system with glibc, you can preload a library using another supported way: by adding the library into /etc/ld.so.preload. This one doesn't suffer from the restrictions of LD_PRELOAD.
In particular, this way I was able to preload (uselessly, just to demonstrate that it works) libgtk3-nocsd.so into /usr/bin/passwd, and, when I ran passwd ruslan, the library did show up in /proc/<PID_OF_PASSWD>/maps while passwd was waiting for current password input.
One shortcoming is that you can't do this on a per-app basis like you could with LD_PRELOAD. If you really require this, maybe you could change your library to try to check whether it wants to do anything, based on what path to current process binary is (detecting it like discussed here).
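Added example, not code from the answer above: one way to write the per-application check it suggests, so that a library listed in /etc/ld.so.preload stays inert everywhere except in named binaries. The allow-list contents and all function names are hypothetical; the match is an exact full-path comparison so that a look-alike path or a replaced binary (which /proc/self/exe reports with a " (deleted)" suffix) fails closed.

```c
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical allow-list: the only binaries the preloaded library acts in. */
static const char *const ALLOWED_EXES[] = { "/usr/bin/passwd", NULL };

/* Exact, full-path match. Basename or prefix matching would also accept
 * e.g. /tmp/passwd or /usr/bin/passwd-helper. */
int exe_is_allowed(const char *exe, const char *const *allow)
{
    if (exe == NULL || exe[0] != '/') return 0;
    for (; *allow != NULL; allow++)
        if (strcmp(exe, *allow) == 0) return 1;
    return 0;
}

/* Resolve the running binary via /proc/self/exe. readlink() does not
 * NUL-terminate and silently truncates, so a full buffer is an error. */
int current_exe(char *buf, size_t len)
{
    ssize_t n = readlink("/proc/self/exe", buf, len);
    if (n < 0 || (size_t)n >= len) return -1;
    buf[n] = '\0';
    return 0;
}

static int active;  /* consulted by the library's wrappers before acting */

/* Runs when the dynamic linker loads the library, before main(). */
__attribute__((constructor)) static void gate_init(void)
{
    char exe[4096];
    active = current_exe(exe, sizeof exe) == 0
          && exe_is_allowed(exe, ALLOWED_EXES);
}

int library_is_active(void) { return active; }
```

Build it into the library with `cc -shared -fPIC`; every interposed function then returns to the original behaviour unless library_is_active() is nonzero.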
Answer by Like
LD_PRELOAD can't be used with set-user-ID/set-group-ID program, except that the set-user-ID/set-group-ID program is running as the same real and effective user and group.
For example, after fork and before exec*, setting
- setreuid to the owner of the set-user-ID program
- setregid to the group of the set-group-ID program