Trusted Solaris Administrator's Procedures

Making Libraries Trusted

When a privileged program cannot find the libraries it requires, it fails with an error like the following:

ld.so.1: fatal: application-name: open failed: No such file or directory.
Killed.

The Security Administrator role can add a privileged program's shared library directories to the list of trusted directories in /var/ld/ld.config. The crle(1) command must be used with both the -u and -s options followed by a colon-separated list of pathnames to the library directories.

The ldd(1) command lists the libraries that are used by a program. See "To Make a Library Directory Trusted" for how the Security Administrator can check for the library directories used by the application and run crle to add them to the trusted directories list.

The addition of a library directory to the list of trusted directories persists across reboots. However, if the crle command is ever run with other options but without the -u option (perhaps by a third-party script), any entries previously made on the command line are removed, because crle without -u replaces the existing configuration rather than updating it.

To help ensure that all library directories needed for your privileged applications are configured as trusted directories at every reboot, the Security Administrator can create a boot-time script. See "To Make a Library Directory Trusted" for how to create such a script.
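The following boot-time script is an added example, not taken from the Trusted Solaris manual or the sample /etc/rc2.d/S90wbem script. It derives the library directories of each privileged program from ldd(1) output and registers them with crle -u -s; the ldd output format, the PRIVILEGED_PROGRAMS list and the --apply argument are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the Trusted Solaris manual.
# Boot-time script that makes the library directories of a set of privileged
# programs trusted by adding them to /var/ld/ld.config with crle -u -s.
# Assumptions: ldd(1) prints lines of the form
#     libname.so.1 =>   /path/to/libname.so.1
# or  libname.so.1 =>   (file not found)
# and PRIVILEGED_PROGRAMS is a placeholder list of the site's applications.
PRIVILEGED_PROGRAMS="/opt/app/bin/privapp"   # placeholder, site-specific

# Read ldd output on stdin; print the unique directories of resolved
# libraries as one colon-separated list. Unresolved libraries are skipped,
# since they have no directory to trust (and will still fail at run time).
ldd_dirs() {
    awk '$2 == "=>" && $3 ~ /^\// {
             dir = $3
             sub("/[^/]*$", "", dir)
             if (!(dir in seen)) {
                 seen[dir] = 1
                 out = out (out == "" ? "" : ":") dir
             }
         }
         END { print out }'
}

# Merge the directory lists of several programs, keeping each entry once
# and preserving first-seen order.
merge_dirs() {
    printf '%s\n' "$@" | tr ':' '\n' | awk 'NF && !seen[$0]++' | paste -s -d: -
}

# Register the merged list. -u keeps whatever /var/ld/ld.config already
# holds; running crle with -s but without -u would replace it instead.
make_trusted() {
    dirs=""
    for prog in $PRIVILEGED_PROGRAMS; do
        d=$(ldd "$prog" | ldd_dirs)
        dirs=$(merge_dirs "$dirs" "$d")
    done
    [ -n "$dirs" ] && crle -u -s "$dirs"
}

# Only run crle when invoked with --apply; sourcing just defines the functions.
[ "${1:-}" = "--apply" ] && make_trusted
```

Install it under /etc/rc2.d following the naming and numbering conventions in /etc/rc2.d/README so that it runs at every boot.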

See /etc/rc2.d/S90wbem for an example of adding the Java library directories needed by the SMC to the trusted library directories list. See /etc/init.d/README and /etc/rc2.d/README for naming and numbering conventions for boot scripts.

Note -

By default, boot scripts run with the system shell and with a real UID of 0 at ADMIN_LOW.

Also see the ld(1) man page for information on the link editor for object files.