adding libs in a setuid-perl script

LucBrussels has asked for the wisdom of the Perl Monks concerning the following question:

Hello Monks,

I've ben browsing your website but can't find an answer to my problem in the related posts and answered I've been looking at.

I've compiled perl 5.12.1 and modules sybperl and Sybase::Simple under solaris 2.10.

I have scripts running on solaris 2.8 with perl 5.005 that have the setuid bit on and use sybperl to connect to a sybase database.

With the new perl/solaris version, this is not working. I can set the suid bit on on the perl script, and some stuff (like opening a protected file) work correct, but when I load the SYBASE::Simple module, it fails :

Can't load '/usr/local/test/lib/perl5/site_perl/5.12.1/sun4-solaris/auto/Sybase/CTlib/CTlib.so' for module Sybase::CTlib: ld.so.1: perl: fatal: libct.so: open failed: No such file or directory at /usr/local/test/lib/perl5/5.12.1/sun4-solaris/DynaLoader.pm line 200. at /usr/local/test/lib/perl5/site_perl/5.12.1/Sybase/Simple.pm line 19 Compilation failed in require at /usr/local/test/lib/perl5/site_perl/5.12.1/Sybase/Simple.pm line 19. BEGIN failed--compilation aborted at /usr/local/test/lib/perl5/site_perl/5.12.1/Sybase/Simple.pm line 19. Compilation failed in require at /dev/fd/3 line 8. BEGIN failed--compilation aborted at /dev/fd/3 line 8.

The script works without the suid-bit, so the file libct.so exists and can be found, but the library containing the file isn't searched.

Do you know a solution, please ?

Thanks, Luc, Brussels.

Comment on adding libs in a setuid-perl script

Replies are listed 'Best First'.
Re: adding libs in a setuid-perl script by ikegami (Patriarch) on Aug 30, 2010 at 14:58 UTC
I think libct isn't the XS component of the Perl module, but rather a C library used by the former. `use lib` won't help. I suspect the problem lies with `LD_LIBRARY_PATH`. If so, your attempt to set it only executes after the module has already been loaded. Try `BEGIN { $ENV{LD_LIBRARY_PATH} = '...'; }` [download] For some people, even that was too late. They had to do something like `BEGIN { if (!$ENV{LD_LIBRARY_PATH}) { $ENV{LD_LIBRARY_PATH} = '...'; exec($^X, $0, @ARGV); } }` [download]	[reply] [d/l] [select]
Re: adding libs in a setuid-perl script by JavaFan (Canon) on Aug 30, 2010 at 13:22 UTC
The script works without the suid-bit, so the file libct.so exists and can be found, but the library containing the file isn't searched. I think that's because in modern Perls, running with the suid bit set enables tainting. Which means that it only searches in the directories set when perl was compiled. You may want to add a `use lib "/usr/local/test/lib/perl5/site_perl/5.12.1";` [download] before using any Sybase module.	[reply] [d/l]
Re^2: adding libs in a setuid-perl script by LucBrussels (Initiate) on Aug 30, 2010 at 13:58 UTC
I've tried that without success . When I look at the error messages, the error comes from executing /usr/local/test/lib/perl5/5.12.1/sun4-solaris/DynaLoader.pm at line 200 : `my $libref = dl_load_file($file, $module->dl_load_flags) or croak("Can't load '$file' for module $module: ".dl_error());` [download] where it tries to load /usr/local/test/lib/perl5/site_perl/5.12.1/Sybase/Simple.pm. This files starts with the following code where the last line is on line 19 (the line mentioned in the error). `package Sybase::Simple; use strict; use vars qw($VERSION @ISA @EXPORT @EXPORT_OK); require Exporter; require AutoLoader; use Carp; use Sybase::CTlib qw(:DEFAULT !ct_callback);` [download] This code generates error : Can't load '/usr/local/test/lib/perl5/site_perl/5.12.1/sun4-solaris/auto/Sybase/CTlib/CTlib.so' for module Sybase::CTlib: ld.so.1: perl: fatal: libct.so: open failed libct.so is the first library CTlib.so tries to open : $ ldd /usr/local/test/lib/perl5/site_perl/5.12.1/sun4-solaris/auto/Syb +ase/CTlib/CTlib.so libct.so => /local/sybase/sdk1251/OCS-12_5/lib//libct.so libcs.so => /local/sybase/sdk1251/OCS-12_5/lib//libcs.so libtcl.so => /local/sybase/sdk1251/OCS-12_5/lib//libtcl.so libcomn.so => /local/sybase/sdk1251/OCS-12_5/lib//libcomn.s +o libintl.so => /local/sybase/sdk1251/OCS-12_5/lib//libintl.s +o libblk.so => /local/sybase/sdk1251/OCS-12_5/lib//libblk.so libm.so.2 => /lib/libm.so.2 libc.so.1 => /lib/libc.so.1 libsocket.so.1 => /lib/libsocket.so.1 libnsl.so.1 => /lib/libnsl.so.1 libmp.so.2 => /lib/libmp.so.2 libmd.so.1 => /lib/libmd.so.1 libscf.so.1 => /lib/libscf.so.1 libdoor.so.1 => /lib/libdoor.so.1 libuutil.so.1 => /lib/libuutil.so.1 libgen.so.1 => /lib/libgen.so.1 /platform/SUNW,Sun-Fire-V490/lib/libc_psr.so.1 /platform/SUNW,Sun-Fire-V490/lib/libmd_psr.so.1 [download] I've added 'use lib' statements for the directories mentioned in the error messages. My script now looks like : #!/usr/local/test/bin/perl use lib "/usr/local/test/lib/perl5/site_perl/5.12.1"; use lib "/usr/local/test/lib/perl5/site_perl/5.12.1/Sybase"; use lib "/usr/local/test/lib/perl5/5.12.1/sun4-solaris"; use lib '/local/sybase/sdk1251/OCS-12_5/lib'; use lib "/usr/local/test/lib/perl5/site_perl/5.12.1/sun4-solaris/auto/ +Sybase/CTlib"; $ENV{'LD_LIBRARY_PATH'} = '/local/sybase/sdk1251/OCS-12_5/lib:/lib:/us +r/openwin/lib:/usr/ccs/l\ ib:/usr/local/lib/perl5/site_perl/5.12.1/sun4-solaris/auto/Sybase/CTli +b'; use Sybase::Simple; exit; [download] I don't know what else to do, I can try to statically link CTlib.so, but would prefer a more general solution. many thanks, Luc.	[reply] [d/l] [select]
Re^3: adding libs in a setuid-perl script by JavaFan (Canon) on Aug 30, 2010 at 15:11 UTC
If you need that setting of LD_LIBRARY_PATH, it won't have any effect, as you set it at run time, while the use happens at compile time. Try this instead: `BEGIN { $ENV{LD_LIBRARY_PATH} = "...your path goes here..."; }` [download]	[reply] [d/l]
Re: adding libs in a setuid-perl script by mpeppler (Vicar) on Aug 30, 2010 at 19:35 UTC
Luc contacted me directly first with this problem. To me it smells like something similar to the SElinux functionality. Meaning that depending on how a script is called the kernel allows loading shared lib objects from non-standard directories, or not. Unfortunately I don't know Solaris 10, and in fact I'm nowadays very much removed from any sysadmin work, so I don't really know how this might need to be changed in order to work. I don't think that the perl binary itself does anything special if it's running under setuid - and the fact that the script works when it is not running setuid would seem to indicate that things like LD_LIBRARY_PATH are in fact set correctly. Guess we need someone with Solais 10 know-how... Michael	[reply]
Re: adding libs in a setuid-perl script by LucBrussels (Initiate) on Sep 22, 2010 at 08:26 UTC
Hello, Attempts to modify $ENV{LD_LIBRARY_PATH} and/or using exec, as suggested, didn't work. I ran into the same or similar problems. Using truss i could see in which directories the system is looking for the ctlib.so file. One of the directories is /usr/lib. So I copied the sybase libraries to /usr/lib and now setting suid-bits are working as I would expect it to work. (to be complete: I should replace libct.so in the description by libsybct.so because I had to switch to open client version 15.x instead of 12.x. There has always been a library naming conflict on solaris and sybase has solved this by renaming its libraries as of version 15.0) Thanks for your contributions, Luc.	[reply]


Come for the quick hacks, stay for the epiphanies.
	PerlMonks