Trusted Solaris Operating System - Technical FAQs

Question

Why can't my privileged program find the shared libraries? I get an error from ld.so.1: "fatal: application-name: open failed: No such file or directory. Killed." It appears that the application doesn't read the LD_LIBRARY_PATH.

Answer

In both the Solaris and Trusted Solaris Operating Environments, the use of LD_LIBRARY_PATH is restricted for setuid and setgid programs. In the Trusted Solaris environment, the LD_LIBRARY_PATH is also restricted for privileged programs. For setuid, setgid, and privileged programs, dynamic libraries are loaded only from trusted directories.

The Trusted Solaris environment allows the Security Administrator role to extend the list of trusted directories. The method is different in the Trusted Solaris 8 environment than it was in previous releases; both methods are detailed below.

Procedure for the Trusted Solaris 8 Operating Environment:

The Security Administrator role can add a privileged program's shared library directories to the list of trusted directories in /var/ld/ld.config. The crle(1) command is used with both the -u and -s options followed by a colon-separated list of pathnames to the library directories.

• The -u option adds the library directories specified with the -s option to any previously specified trusted directories.
• Entering crle without options displays the current trusted directories.
  
  CAUTION: Any other use of crle(1) without the -u option creates a new configuration file that overwrites the old one, and it also removes any previously existing system defaults. Use of crle(1) with any other option, without using the -u option, should only be done by experienced administrators with full understanding of the effects, because any mistakes can render your system unbootable.

To find out what libraries a program is using, anyone can use the ldd(1) command. See To Find Which Library Directories Are Used by an Application for instructions on how the Security Administrator can list the library directories used by the application. See also To Make a Library Directory Trusted for details on running crle(1).

The addition of a library directory to the list of trusted directories persists across reboots. However, if the crle(1) command is ever entered with other options, but without the -u option (perhaps by a third-party script), the entries made on the command line will be removed.

To help ensure that all library directories needed for operation of your privileged applications are configured at every reboot as trusted directories, the Security Administrator can create a boot-time script. See To Make a Library Directory Trusted for instructions on how to create such a script.

See /etc/rc2.d/S90wbem for an example of a default script that uses crle(1) to add the Java library directories needed by the Solaris Management Console software to the trusted library directories list. See /etc/init.d/README and /etc/rc2.d/README for boot script naming and numbering conventions.

Procedure for the Trusted Solaris 7 Operating Environment and Previous Releases:

The Security Administrator can create an /etc/security/tsol/rtld file, and specify in the file a colon-separated list of the library directories to be added to the list of trusted library directories.

For example, when administrators using Trusted Oracle couldn't run a privileged program that needed a library in /usr/oracle, they were told to add the /usr/oracle/lib directory to /etc/security /tsol/rtld, as shown here:

Related Documentation

For the Trusted Solaris Operating Environment, versions 2.5.1 through 7:

The Developer's Guide, " Making Shared Libraries Trusted" section and the ld(1TSOL) man page.

Trusted Solaris 2.5.1 AnswerBook listings at docs.sun.com, rtld section.

For the Trusted Solaris 8 Operating Environment:

Trusted Solaris Administrator's Procedures manual, " Adding Software" chapter.

Procedure

To Find Which Library Directories Are Used by an Application

1. Assume the Security Administrator role and go to an ADMIN_LOW workspace.
2. Remove any forced privileges assigned to the program so that ldd(1) can get the needed information.
   
   If the program does not have forced privileges, then you do not need to do the following substeps or Step 4.
   
   
   1. Check the command for forced privileges.
      
      The following example gets the list of privileges and saves them in a file. The file can be used to reset the privileges, if any, after the ldd(1) command is run.
      
      

      $ getfpriv -s -f program_name> filename

   2. 
      
   3. Remove the privileges from the program.
      
      $ setfpriv -s -f none program_name
   
   
3. Use the ldd(1) command to find out which library directories the application program is using.
   
   $ ldd program_name
   
   NOTE: The program that is using the shared libraries may be embedded in a script that calls it, so make sure you run ldd(1) on the actual program that needs the libraries.
4. If the program had forced privileges removed in step 2, add the privileges back to the program.
   
   The following example uses setfpriv to set the privileges stored in filename in Step 2.
   
   

   $ setfpriv -s -f `cat filename` program_name

   
   
5. Run the crle(1) command with the -u and -s options to add the library directories from Step 3 to the list of trusted library directories. See To Make a Library Directory Trusted for how to run crle(1M).

To Make a Library Directory Trusted: (using crle(1), in the Trusted Solaris 8 release and later)

NOTE: This procedure assumes you have found out which shared libraries need to be trusted for any privileged applications that have been added since installation. If necessary, see To Find Which Library Directories Are Used by an Application .

1. Assume the Security Administrator role and go to an ADMIN_LOW workspace.
   
   Use the SMC Rights tool to add the crle(1) command to the Custom Secadmin Profile with a real UID 0, and a label and clearance of ADMIN_LOW.
2. Use the crle(1) command with the -u and -s options followed by a colon-separated list of pathnames to the library directories.
   
   The following screen shows entering the crle(1) command on the command line.
   
   

   $ crle -u -s [directory_1[: . . . :directory_N]

   
   
3. To regenerate the list of trusted directories at every reboot, add crle(1) to a boot-time script.
   
   1. Use the Admin Editor to create or modify a script in the /etc/init.d directory.
      
      If a privileged application already has a script, modify the existing script. Otherwise, create a new script.
      
      Caution: Do not modify any default Trusted Solaris scripts. Modify only scripts that are installed with new applications that need privileges.
      
      Following is an example crle(1) command line with the -u and -s options followed by a colon-separated list of library directories:
      

      crle -u -s directory_1[: . . . :directory_N]

   2. 
      
   3. Make a hard link from the script in the /etc/init.d directory.
   4. Use the S prefix in the target file's name for starting the script. Use the proper two-digit number in the target file's name to determine the order in which the script is executed during the run level. See the README in etc/init.d and etc/rc2.d.
      
      

      $ crle -u -s $ ln /etc/init.d/ scriptname SNNscriptname

      
      In the following example, the name of the new script in /etc/init.d is new_script, which is linked to /etc/rc2.d/S87new_script.
      
      

      $ ln /etc/init.d/new_script S87new_script

Applies to Trusted Solaris Release

2.5, 2.5.1, 7, 8