[sunmanagers] SUMMARY: sudo and $LD_LIBRARY_PATH

From: Robert Alexander (ra@ftn.net)
Date: Fri Dec 01 2000 - 14:30:49 CST

Hi everyone,

First, my thanks for all the timely and helpful responses from:

Shawn Brown Michael Hill
Tim Evans Michael Glasgow
Damon Cassell Nadim Dharani
Casper Dik Brett Lymn
Michael Lightfoot Alan Miller
Marco Shaw sysadmin@astro.su.se
Bismark Espinoza John D Groenveld

My original question was...
>Hi gurus,
>I installed sudo not too long ago onto an Ultra 1, and, so far, I'm
>mostly pleased with it. One problem, though; after I sudo to root
>from my login account, $LD_LIBRARY_PATH is blank. $PATH, however, is
>fine, and has the same paths as my login account.
>Any ideas on how I can retain my $LD_LIBRARY_PATH after sudo? The
>sudo man page isn't very helpful on this point... :>
>Thanks, and I'll summarize.

It was pointed out to me that the suppressing of the $LD_LIBRARY_PATH
by sudo is necessary behaviour to ensure security. From pondering
over the explanations, I now understand this.

Even when compiling software (configure|make|make install), I
shouldn't need $LD_LIBRARY_PATH if the original source has been setup
properly. Now I'll need to track down some material to read to learn
how to fix those sources that complain they can't find libraries. :>

John Groenveld provided a nice example, and a link to some good and
pertinent information about the hazards of $LD_LIBRARY_PATH:

At 12:33 -0500 2000/12/01, John D Groenveld wrote:
>Scenario: You've installed sudo and you've given access to some command to
>some user. Now that user sets his LD_LIBRARY_PATH to /path/to/histrojan/lib.
>with a libc.so that has a open(2) function that not only opens a file but also
>blanks root password. Do you see how this is a security flaw?
>sudo must override the users LD_LIBRARY_PATH. Your users shouldn't need to
>set it anyway.

And for those times when, as the admin, you want to have root's
$LD_LIBRARY_PATH available after sudoing to root, you can use:
     sudo su -

It was also pointed out to me that I was incorrect in saying that
this was not mentioned on the sudo man page; actually it is, in the
section under "Security Notes". I you don't have sudo on your
machine, Michael Lightfoot pointed out that the man page can be found
here: http://www.courtesan.com/sudo/man/sudo.html

My thanks again to everyone. Your help is much appreciated.


Robert Alexander ~~ Senior Designer/Analyst/Admin
WWW Database Applications ~~ http://www.ra1.net

"God does not subtract from one's allotted time
  on Earth those hours spent flying." --Unknown
sunmanagers mailing list

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:24 CDT