SUMMARY: su loses path, default environment settings, LD_LIBRARY_PATH

From: Mark Fergusson (MFerg@ddntl.didata.co.za)
Date: Thu Aug 01 1996 - 06:11:44 CDT


I received some very interesting info, and to my amazement many comments
about LD_LIBRARY_PATH which I have seen in lots of commercial and public
software. (?)

Q1.
"On Solaris 2.4, when I su to root, how can I inherit the path of the
user that I su'd from, including if possible the complete environment?"
Q2.
How can I set up default shell variables for the entire system/users?
I particularly want to set the LD_LIBRARY_PATH which frequently gives
errors if not set.

Q1.
The command "su" essentially keeps your environment and allows you to
inherit the real and effective user id and group id and the default
shell, but you keep your original environment otherwise. If you execute
the command "su -" then you get root's environment.

BUT ...

The reason that the user paths are not propagated through su is that it
would constitute an enormous security hole. A spoof version of a system
program placed in a user path could be inadvertently invoked by the
superuser. This could open up a future path for cracking the system. The
same applied to dynamic libraries.

Q2.
How can I set up default shell variables for the entire system/users?
I particularly want to set the LD_LIBRARY_PATH which frequently gives
errors if not set.

A. How can I set up default shell variables for the entire system/users?

1. You probably want to set all the variables you need:

        1. For sh and ksh users in /etc/profile
        2. For csh users in /etc/.login

        These files are executed by everybody before any of the local dot
        files are interpreted.

2. You can set any default variables for users in /etc/profile. It is
the same as the user's $HOME/.profile, except it is sourced first,
followed by $HOME/.profile, so that the latter may override values
set in the former, if desired.

3. You can set root's path in /etc/default/login.

4. Create a "local.cshrc" file in /usr/local/etc (or some other
convenient place), which contains your system-wide variables. Next,
write a script to modify each user's $HOME/.cshrc, adding the line
"source /usr/local/etc/local.cshrc".

B. I particularly want to set the LD_LIBRARY_PATH which frequently gives
errors if not set

1. We do *not* set LD_LIBRARY_PATH for any reason. Anything that
requires it to be set is broken. We either don't use it,
recompile/relink it or put a shell script wrapper around it. Setting
LD_LIBRARY_PATH just causes problems. Support the campaign to stamp it
out :-)

2. Bad plan. You should *NEVER* set LD_LIBRARY_PATH except for the
handful of applications which for some reason require it (i.e., dynamic
libraries are not installed in standard locations and you cannot relink
with the -R switch or the LD_RUN_PATH variable set). And when you do
set it, you should do so in a wrapper script which immediately unsets
the variable when the program is finished.

LD_LIBRARY_PATH overrides the default search path for finding libraries.
"Overrides" is the operative term; it does not append or prepend to the
path, it overrides it completely. If you globally set it, you will
encounter more problems than you fix as many programs will be unable to
find their own shared libraries, or even system libraries.

3. You can't set LD_LIBRARY_PATH and pass it through su.

Thank you to everybody who contributed.
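
An added example, not part of the original post: the risk described under Q1 (a spoofed program or library in a user-controlled search path being picked up by root) can be checked for before a path is trusted. The function name audit_search_path is a hypothetical helper; it flags empty, relative, and group- or world-writable entries in a colon-separated list such as PATH or LD_LIBRARY_PATH.

```shell
#!/bin/sh
# Added example (not from the original post). audit_search_path is a
# hypothetical helper name.
#
# audit_search_path VALUE
#   VALUE is a colon-separated search path (e.g. "$PATH").
#   Prints one "reason<TAB>entry" line per unsafe entry.
#   Returns 1 if anything was flagged, 0 otherwise.
audit_search_path() {
    [ -n "$1" ] || return 0
    _rc=0
    # Append ":" so a trailing empty entry survives field splitting.
    _list=$1:
    _old_ifs=$IFS
    set -f                  # no filename globbing while splitting
    IFS=:
    set -- $_list
    IFS=$_old_ifs
    set +f
    for _dir in "$@"; do
        case $_dir in
            '')  # an empty entry is searched as the current directory
                 printf 'empty-entry-means-cwd\t(empty)\n'; _rc=1; continue ;;
            /*)  ;;
            *)   printf 'relative\t%s\n' "$_dir"; _rc=1; continue ;;
        esac
        [ -d "$_dir" ] || continue
        # First 10 characters of ls -l output: file type plus rwx bits.
        _perms=$(ls -ldL "$_dir" | cut -c1-10)
        case $_perms in
            ?????w????|????????w?)
                printf 'group-or-world-writable\t%s\n' "$_dir"; _rc=1 ;;
        esac
    done
    return $_rc
}

# Usage: audit_search_path "$PATH"
#        audit_search_path "$LD_LIBRARY_PATH"
```

The check only looks at each listed directory itself, not at its parent directories or at the files inside it.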


