Linux – shared object file open error with “sudo command” but NOT with “sudo bash” then same command

librarieslinuxsudo

I'm having a hard time getting my brain wrapped around how LD_LIBRARY_PATH is handled differently for the following three cases:

  • run as a regular user
  • run via "sudo command"
  • run via "sudo bash" followed in the root shell by "command"

My particular problem is that a binary I'm trying to run (called dc_full) requires sudo access, but throws the following error when run as "sudo command":

ljw@test$ sudo ./dc_full 
./dc_full: error while loading shared libraries: libthrift-0.9.1.so: cannot open shared object file: No such file or directory

ljw@test$ sudo bash
root@ljw-vm1:~/test# ./dc_full
.
...<works fine here!> 
.

I have the following line in both /etc/bash.bashrc and in ~/.bashrc for user ljw.

root@ljw-vm1:~# grep LD_LIBRARY ~/.bashrc
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib

root@ljw-vm1:~# grep LD_LIBRARY /etc/bash.bashrc 
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib

I would expect that this covers both the sudo and sudo-bash cases, one covers the user shell and one covers the "root" shell. But clearly this is not happening.

I found references to ldd, which gives me a big hint that it's not working, but not quite WHY…

root@ljw-vm1:~/dc_full# ldd ./dc_full | grep thrift
    libthrift-0.9.1.so => /usr/local/lib/libthrift-0.9.1.so (0x00007eff19e7c000)

ljw@ljw-vm1:~/dc_full$ ldd ./dc_full | grep thrift
    libthrift-0.9.1.so => /usr/local/lib/libthrift-0.9.1.so (0x00007f8340cc5000)

ljw@ljw-vm1:~/dc_full$ sudo ldd ./dc_full | grep thrift
[sudo] password for ljw:
    libthrift-0.9.1.so => not found

How is LD_LIBRARY_PATH set in each of these three cases?

Best Answer

Allowing LD_LIBRARY_PATH for suid binaries like sudo is a security problem, thus LD_LIBRARY_PATH gets stripped out of the environment. sudo by default doesn't passthrough LD_LIBRARY_PATH to its children either for the same security concerns: carefully crafted libraries would allow you to bypass the sudo argument restrictions to execute whatever you want.

If you need a variable set like this either use sudo -E, or pass the env variables on the command line like so: sudo -- LD_LIBRARY_PATH=/usr/local/lib dc_full. sudo will have to be configured to allow you to pass environment variables, which usually does not need manual configuration.

Related Question