Programming

hi all,

i have a critical and specific problem with respect to set uid bit on user and the dll's

for a binary, (under the userid A)
it needs libraries from /usr/lib and informix libraries from $INFORMIXDIR/lib/esql

but this binary should be kicked off from id B,
hence s-bit on user is set for the binary

after setting the s-bit on the binary and the dynamic dependencies and shared objects are listed using ldd,
i could see only the libraries from default directory /usr/lib/ are listed and not from the INFORMIX library paths.

when searched in search engine about this, found that
due to security reasons for a binary for which set bit is set on the user or group the dynamic dependencies will not be included.

can you please provide me a pointer on how to handle this ?

I don't quite understand what you are trying to say. Are you saying that on running ldd, you aren't seeing all the libraries that the program should be linked to?

If the binary has been linked with the libraries while compiling, then it should show up on running ldd.

yes upon running ldd, all the libraries that are to be linked are not displayed...

here is the display

note below s-bit on user for bin is not set
displaying the libraries linked below
note below s-bit on user for bin is now set
displaying the libraries that are currently linked below
hope i have made it clear now

Knowing which OS you are using would be nice...I'm guessing Solaris? Do not rely on LD_LIBRARY_PATH to find stuff. When you run ld to produce bin you can specify what libraries to search. Do that and use absolute pathnames as you do. If that doesn't work, there are more complex arguments to ld that will nail a symbol to a particular library. I believe that one of these will probably work. The issue is allowing a malicious user the ability to change an environment variable to insert random code into the executable. Once you are no longer relying on an environment variable, I would expect it work. The options you need will be on your OS's ld man page.

i missed out that

solaris 5.9

the issue is just not displaying the dynamic dependencies...
as ldd is not able to list them all with the s-bit set for the binary...

naturally am not able to run the binary also,
ld.so.1 linker fails to locate the necessary libs

the issue is ---> "without s-bit it works perfect.. when s-bit is set that it crashes"

on a truss for that binary.. there is a pipe error from ld.so.1 as displayed by the system call tracer

i dont know how using the other options of ldd would help me to locate the dependencies of the binary for which s-bit is set...

hope i have made my problem clear...

ld built (different program than ldd) actually built your bin program just as it builds every executable. ld built it in a way that will not work when suid. You need to change the way ld builds your program. ld may be invoked automatically by the compiler. You may be able to control ld from you compilers command line. But I would use separate compile and link steps.