tech-userlevel archive



Background: libpthread is tagged as not loadable by dlopen() in
NetBSD-6.0. This breaks PAM modules that are linked with -lpthread or
that dlopen() other objects linked with -lpthread. 

Real life example is: 
su-> -> -> ->
[uses pthread_mutex_t]  -> -> [uses

Possible workaround: set LD_PRELOAD=/usr/lib/ so that
libpthread is loaded at process startup time. But that will not work with
set-UID binaries.

In that situation, and perhaps in others, it would be nice if the
administrator could configure a trusted environment for setUID
binaries. We would need a way to feed a colon-separated list of
environment variables (example:
LD_PRELOAD=/usr/lib/ I see two ways of dealing
with it:
1) look up in /etc/suenv.d/$progname (probably libc based)
2) use sysctl security.suenv.$progname (kernel based)

I like the second one, which is simple to implement and cannot be messed
up with incorrect file permissions. I would fix my problem like this:
sysctl -w
sysctl -w security.suenv.login=LD_PRELOAD=/usr/lib/

Emmanuel Dreyfus
