Saturday, April 11, 2015

Linux - LD_LIBRARY_PATH has no effect if setuid/setgid flag is turned on for executable

If you ever encounter an error "library not found" when running a executable, and, you are very sure that you had setup LD_LIBRARY_PATH correctly, you may want to check if setuid/setgid flag is turned on for the executable.

If you are not sure what is setuid and setgid flag, below are from Wikipedia setuid Topic

setuid and setgid (short for "set user ID upon execution" and "set group ID upon execution", respectively)[1] are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group respectively and to change behaviour in directories. They are often used to allow users on a computer system to run programs with temporarily elevated privileges in order to perform a specific task. While the assumed user id or group id privileges provided are not always elevated, at a minimum they are specific.
Now, the reason why executable with setgid/setgid flag turned on does not seem to pick up LD_LIBRARY_PATH environment setting is mentioned in the ld man page Environment section


A colon-separated list of directories in which to search for ELF libraries at execution-time. Similar to the PATH environment variable. Ignored in set-user-ID and set-group-ID programs.

So, this simply means that when setuid/setgid flag is turned on, the ld will ignore whatever value set in user LD_LIBRARY_PATH environment variable and use system default library path.

This is mainly for security reason. When setuid/setgid is used, it provides elevated privilege to run an executable. To prevent invoking user to have any way to alter the process, LD_LIBRARY_PATH is ignored.