ld.so.preload root read only?

Support for the other architectures (X86_64, IA-64, and PowerPC)
zdn3023
Posts: 8
Joined: 2014/02/10 22:01:44

ld.so.preload root read only?

Postby zdn3023 » 2014/02/10 22:19:54

hello everyone,
It happened recently that when running a scientific program , we were getting the following error message: ERROR: ld.so: object '/lib/libl.so' from /etc/ld.so.preload cannot be preloaded: ignored.

I believe some recent update caused the error, but I don't know how to find that out. So, i wanted to open the ld.so.preload file and mark out the only line /lib/libl.so, and I realized that this file was read only, even when I logged in as root.

I wonder
(1) How I can modify ld.so.preload? By searching internet, I know that ld.so.preload is editable in some other linux systems.
(2) What (update) might have caused this error? It did not happen until recently...to all three CentOS computers.

Thank you,

DZ

User avatar
TrevorH
Forum Moderator
Posts: 21728
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: ld.so.preload root read only?

Postby TrevorH » 2014/02/10 22:40:37

Nothing in CentOS supplies that file so I suspect it was created by one of your fellow admins. Perhaps they wanted it left alone so marked it immutable? man lsattr and man chattr might help
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

zdn3023
Posts: 8
Joined: 2014/02/10 22:01:44

Re: ld.so.preload root read only?

Postby zdn3023 » 2014/02/11 17:28:32

After further research, I found out libl.so, ld.so.preload, and the following files were generated/modified all at the same time:

$ ls -la /lib/libl.so
-rwxr-xr-x 1 root root 34951 Feb 3 18:50 /lib/libl.so

$ ls -la /etc/ld.so.preload
-rw-r--r-- 1 root root 13 Feb 3 18:50 /etc/ld.so.preload

$ ls -la /lib/security/pam_unix*
lrwxrwxrwx 1 root root 11 Jan 23 15:01 pam_unix_acct.so -> pam_unix.so
lrwxrwxrwx 1 root root 11 Jan 23 15:01 pam_unix_auth.so -> pam_unix.so
lrwxrwxrwx 1 root root 11 Jan 23 15:01 pam_unix_passwd.so -> pam_unix.so
lrwxrwxrwx 1 root root 11 Jan 23 15:01 pam_unix_session.so -> pam_unix.so
-rwxr-xr-x 1 root root 163009 Feb 3 18:50 pam_unix.so

Does anyone have an idea what was going on? Or how can I trace this shared library libl.so?

my computer has CentOS 5.10
$ uname -a
Linux xxxx 2.6.18-371.4.1.el5 #1 SMP Thu Jan 30 06:08:24 EST 2014 x86_64 x86_64 x86_64 GNU/Linux


Thank you,

DZ

User avatar
TrevorH
Forum Moderator
Posts: 21728
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: ld.so.preload root read only?

Postby TrevorH » 2014/02/11 17:57:55

As far as I can see, nothing in CentOS supplies libl.so either

Code: Select all

# yum provides '*/libl.so'
Loaded plugins: changelog, downloadonly, priorities
276 packages excluded due to repository priority protections
epel/filelists_db                                                         | 5.7 MB     00:01     
updates/filelists_db                                                      | 1.3 MB     00:00     
No Matches found


Google seems to think it's part of lex but about now I'd be starting to get suspicious...
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

zdn3023
Posts: 8
Joined: 2014/02/10 22:01:44

Re: ld.so.preload root read only?

Postby zdn3023 » 2014/02/11 18:40:48

Very strange! happened to three of my computers, and showed the same modification time and date. I also searched and couldn't find it relating to CentOS. The vender of the scientific program we are running also told me that that is not part of their program.

Anyway, I finally was able to change the attribute of ld.so.preload, then mark out libl.so, which solved the problem. However, please add your comments if you find anything new.

Thank you,

DZ

User avatar
GabyB
Posts: 7
Joined: 2013/12/04 15:39:24

Re: ld.so.preload root read only?

Postby GabyB » 2014/02/24 10:08:22

zdn3023 wrote:
Does anyone have an idea what was going on? Or how can I trace this shared library libl.so?



Perhaps you may try objdump -T --demangle /lib/libl.so if the symbols are related to the flex tool

But as this File belongs neither to Centos or your scientific program and iff all other software you installed from rpm packages
the best solution is probably to remove /lib/libl.so and /etc/1d.so. preload as it may belong to a hacker attack. Mainly because
-rwxr-xr-x 1 root root 163009 Feb 3 18:50 pam_unix.so
-rwxr-xr-x 1 root root 34951 Feb 3 18:50 /lib/libl.so
acces happenden at the same time.
You should also verify the pam packeage with 'rpm -V pam'
# rpm -V pam
....L... c /etc/pam.d/system-auth
....L... c /etc/pam.d/system-auth

The checksum with sha256sum of /lib/security/pam_unix.so is on three of my CentOS-5.10 systems:
$ sha256sum /lib/security/pam_unix.so
2cc62da7ef92e650439d30507bae9d6e9d2c428d41b1524cb24315f285ffdda6 /lib/security/pam_unix.so