Re: Problems with shared libraries on Solaris
From: Stefaan A Eeckels (tengo_at_DELETEMEecc.lu)
Date: 04/18/04
- Previous message: William Park: "Re: Matching an unknown string starting with a known one"
- In reply to: Eyal Goren: "Re: Problems with shared libraries on Solaris"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sun, 18 Apr 2004 00:44:12 +0200
On 17 Apr 2004 09:34:17 -0700
eyal_goren@bmc.com (Eyal Goren) wrote:
> I want to put the Oracle libs in a directory under my application home
> directory.
Why? When Oracle is installed on a system, its libraries
are installed under the Oracle installation directory.
If you need them in a place known to your application,
use a symlink.
> Today, since we don't know how to do it, we put it under /opt, and
> specify hard coded in the Makefile '-R /opt/...'.
That's the standard place to put third-party packages on
Solaris. Sun does it, you should do so as well.
> Now, since I don't know where would my application be installed (under
> /home ???) I can not be dynamically in the Makefile, and have to use a
> special location.
OK, since you're using Oracle, you're forced to use
shared libraries. How to access them from a set[gu]id
program is normally a matter for local policy, but a
symlink from your installation directory to the Oracle
libraries isn't a bad solution. I don't think that you
should support package installations outside the /opt
hierarchy for a commercial product. It's what admins
expect.
A couple of observations:
- you can provide several paths in the -R directive
(or repeat it), so you can ensure that the software
will run from a number of installation points (such
as /opt/yourprod and /usr/local/yourprod)
- $ORIGIN doesn't make a library path secure, so
the moment you require set[gu]id, it's not a solution
- -R with an absolute path name _does_ make the
path secure:
$ id
uid=10001(Rtest) gid=10001(Rtest)
$ ls -l vfsdir vfscopy
-rwxr-sr-x 1 sae staff 204800 Apr 18 00:12 originprog
-rwxr-sr-x 1 sae staff 212992 Apr 18 00:11 absoluteprog
$ ldd -s originprog
find object=libutil.so; required by originprog
search path=$ORIGIN/../lib (RPATH from file originprog)
ignore path=/home/sae/lib (insecure directory name)
$ ldd -s absoluteprog
find object=libutil.so; required by absoluteprog
search path=/home/sae/lib (RPATH from file absoluteprog)
trying path=/home/sae/lib/libutil.so
libutil.so => /home/statel/lib/libutil.so
Obviously, if your program requires set[gu]id privileges,
you might want to reconsider - it's usually unnecessary.
Take care,
-- Stefaan -- "What is stated clearly conceives easily." -- Inspired sales droid
- Previous message: William Park: "Re: Matching an unknown string starting with a known one"
- In reply to: Eyal Goren: "Re: Problems with shared libraries on Solaris"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
