9 Replies Latest reply: Jan 6, 2010 2:19 PM by alan.pae RSS

    sudo (sudo-1.7.2p1) fails with ld.so.1: sudo: fatal: libintl.so.8: open fai

    807567
      If sudo is run as root user, the command/sudo runs well. But if I run sudo as an ordinary user
      other than root (sudo is intended for :), I got an error message like:

           ld.so.1: sudo: fatal: libintl.so.8: open failed: No such file or directory

      Typical user env for pathes:

           set | grep PATH
           CLASSPATH=/usr/local/java1.6/jre1.6.0_02/lib:
           LD_LIBRARY_PATH=/lib:/usr/local/lib:/usr/dt/lib:/usr/ucblib:/prog/oracle/product/9.2.0/lib32
           MANPATH=:/usr/share/man:/opt/samba/man
           PATH=/usr/local/java1.6/jre1.6.0_02/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/openwin/bin:/prog/oracle/product/9.2.0/bin:/usr/local/bin:/usr/sbin:/usr/ccs/bin:/opt/samba/bin

      Any idea why users other than root can't run sudo in this environment?

      Many thanks for help!



      Background:
      -------------------

      I installed sudo (sudo-1.7.2p1) on system:

           uname -a
           SunOS byzimr 5.9 Generic_118558-17 sun4u sparc SUNW,Sun-Fire

      from source - so far I can see with success:

           /bin/sh ./mkinstalldirs /usr/local/bin \
           /usr/local/sbin /etc \
           /usr/local/man/man1m /usr/local/man/man4 \
           /usr/local/libexec
           mkdir /usr/local/man/man1m
           mkdir /usr/local/man/man4
           /bin/sh ./install-sh -c -O 0 -G 0 -M 4111 -s sudo /usr/local/bin/sudo
           rm -f /usr/local/bin/sudoedit
           ln /usr/local/bin/sudo /usr/local/bin/sudoedit
           /bin/sh ./install-sh -c -O 0 -G 0 -M 0111 -s visudo /usr/local/sbin/visudo
           test -f .libs/sudo_noexec.so && /bin/sh ./install-sh -c -O 0 -G 0 -M 0755 .libs/sudo_noexec.so /usr/local/libexec
           test -f /etc/sudoers || \
           /bin/sh ./install-sh -c -O 0 -G 0 -M 0440 \
      ./sudoers /etc/sudoers
           /bin/sh ./install-sh -c -O 0 -G 0 -M 0444 ./sudo.man /usr/local/man/man1m/sudo.1m
           ln /usr/local/man/man1m/sudo.1m /usr/local/man/man1m/sudoedit.1m
           /bin/sh ./install-sh -c -O 0 -G 0 -M 0444 ./visudo.man /usr/local/man/man1m/visudo.1m
           /bin/sh ./install-sh -c -O 0 -G 0 -M 0444 ./sudoers.man /usr/local/man/man4/sudoers.4
           #/bin/sh ./install-sh -c -O 0 -G 0 -M 0444 ./sudoers.ldap.man /usr/local/man/man4/sudoers.ldap.4


      I checked the libraries depending on for sudo (were already installed before sudo has
      been compiled):

           libintl-3.4.0-sol9-sparc

                no details available from www.sunfreeware.com

           libiconv-1.11-sol9-sparc

                no details available from www.sunfreeware.com     

           libgcc-3.4.6-sol9:

           libgcc_s.so
           libgcc_s.so.1
           libstdc++.so
           libstdc++.so.6
           libstdc++.so.6.0.3

      Libraries/versions currently installed on that system:

           ls -l /usr/local/lib/libintl*
           -rw-r--r-- 1 root bin 64270 Jan 1 2008 /usr/local/lib/libintl.a
           -rw-r--r-- 1 root bin 1029 Jan 1 2008 /usr/local/lib/libintl.la
           lrwxrwxrwx 1 root other 16 Sep 18 2008 /usr/local/lib/libintl.so -> libintl.so.8.0.2
           lrwxrwxrwx 1 root other 16 Sep 18 2008 /usr/local/lib/libintl.so.8 -> libintl.so.8.0.2
           -rwxr-xr-x 1 root bin 51192 Jan 1 2008 /usr/local/lib/libintl.so.8.0.2

           ls -l /usr/local/lib/libiconv*
           -rw-r--r-- 1 root bin 889 Nov 20 2006 /usr/local/lib/libiconv.la
           lrwxrwxrwx 1 root other 17 Sep 18 2008 /usr/local/lib/libiconv.so -> libiconv.so.2.4.0
           lrwxrwxrwx 1 root other 17 Sep 18 2008 /usr/local/lib/libiconv.so.2 -> libiconv.so.2.4.0
           -rwxr-xr-x 1 root bin 1148096 Jan 13 2005 /usr/local/lib/libiconv.so.2.1.0
           -rwxr-xr-x 1 root bin 1159972 Jan 13 2005 /usr/local/lib/libiconv.so.2.2.0
           -rwxr-xr-x 1 root bin 1161116 Nov 20 2006 /usr/local/lib/libiconv.so.2.4.0
           -rw-r--r-- 1 root bin 1149392 Jan 13 2005 /usr/local/lib/libiconv_plug.so

           ls -l /usr/local/lib/libgcc*
           lrwxrwxrwx 1 root other 13 Sep 18 2008 /usr/local/lib/libgcc_s.so -> libgcc_s.so.1
           -rw-r--r-- 1 root bin 169356 Sep 12 2004 /usr/local/lib/libgcc_s.so.1

           ls -l /usr/local/lib/libstdc*
           -rw-r--r-- 1 root bin 7314084 Sep 12 2004 /usr/local/lib/libstdc++.a
           -rwxr-xr-x 1 root bin 1038 Sep 12 2004 /usr/local/lib/libstdc++.la
           lrwxrwxrwx 1 root other 18 Sep 18 2008 /usr/local/lib/libstdc++.so -> libstdc++.so.6.0.2
           lrwxrwxrwx 1 root other 18 Sep 18 2008 /usr/local/lib/libstdc++.so.6 -> libstdc++.so.6.0.2
        • 1. Re: sudo (sudo-1.7.2p1) fails with ld.so.1: sudo: fatal: libintl.so.8: open fai
          alan.pae
          Log in as a user account and then:

          ldd /path/sudo

          and see what it says.

          alan
          • 2. Re: sudo (sudo-1.7.2p1) fails with ld.so.1: sudo: fatal: libintl.so.8: open fai
            807567
            Hello Alan,

            happy new year!

            I'm just back from some days of vacation. Thanks for help. I've run the command
            as recommended (user EVZEW):

            EVZEW@byzimr:/prog/home/EVZEW>ls -l /usr/local/bin/sudo
            ---s--x--x 2 root root 155304 Dec 30 12:22 /usr/local/bin/sudo

            EVZEW@byzimr:/prog/home/EVZEW>ldd /usr/local/bin/sudo
            ldd: /usr/local/bin/sudo: cannot open file: Permission denied

            I see I haven't access to a component that is needed, but what?


            Many thanks for any tip,
            Juergen
            • 3. Re: sudo (sudo-1.7.2p1) fails with ld.so.1: sudo: fatal: libintl.so.8: open fai
              wrobbins2
              You'd have to run ldd as root since permissions are restricted on the target file.
              • 4. Re: sudo (sudo-1.7.2p1) fails with ld.so.1: sudo: fatal: libintl.so.8: open fai
                alan.pae
                EVZEW@byzimr:/prog/home/EVZEW>ldd /usr/local/bin/sudo
                ldd: /usr/local/bin/sudo: cannot open file: Permission denied

                I see I haven't access to a component that is needed, but what?
                Strange. On my OpenSolaris box ldd runs fine for a normal user. Can you try ldd as a normal user on a different binary and a different setuid program? Maybe /usr/bin/who and /usr/bin/passwd. I haven't used regular Solaris in awhile and some of the permissions on OpenSolaris are different.

                The point being that it appears that when you run as root it can find all of the libraries and when you run as a regular user it appears that it cannot find all of the libraries even though it looks like LD_LIBRARY_PATH is set correctly even for a regular user. So ldd is used to confirm that.

                alan
                • 5. Re: sudo (sudo-1.7.2p1) fails with ld.so.1: sudo: fatal: libintl.so.8: open fai
                  807567
                  Hi Alan,

                  thanks for your advices. I checked permission for other setuid programs. Found the permissions
                  for sudo should be 4555 (instead 4444 as set currently for sudo):

                  EVZEW@byzimr:/prog/home/EVZEW>ls -l /usr/bin/passwd
                  -r-sr-sr-x 1 root sys 21964 Apr 7 2002 /usr/bin/passwd

                  EVZEW@byzimr:/prog/home/EVZEW>ls -l /usr/bin/who
                  -r-xr-xr-x 1 root bin 12840 Apr 7 2002 /usr/bin/who

                  I changed permissions for sudo:

                  EVZEW@byzimr:/prog/home/EVZEW>ls -l /usr/local/bin/sudo
                  -r-sr-xr-x 2 root root 155304 Dec 30 12:22 /usr/local/bin/sudo

                  after that I ran ldd on su successfully:

                  EVZEW@byzimr:/prog/home/EVZEW>ldd /usr/local/bin/sudo
                  libpam.so.1 => /usr/lib/libpam.so.1
                  libdl.so.1 => /usr/lib/libdl.so.1
                  libintl.so.8 => (file not found)
                  libsocket.so.1 => /usr/lib/libsocket.so.1
                  libnsl.so.1 => /usr/lib/libnsl.so.1
                  libc.so.1 => /usr/lib/libc.so.1
                  libcmd.so.1 => /usr/lib/libcmd.so.1
                  libmp.so.2 => /usr/lib/libmp.so.2
                  /usr/platform/SUNW,Sun-Fire/lib/libc_psr.so.1

                  Fails for libintl.so.8, but the lib should be found because path to /usr/local/lib is included in LD_LIBRARY_PATH:

                  EVZEW@byzimr:/prog/home/EVZEW>set | grep LD
                  LD_LIBRARY_PATH=/lib:/usr/dt/lib:/usr/ucblib:/prog/oracle/product/9.2.0/lib32:/usr/local/lib

                  EVZEW@byzimr:/prog/home/EVZEW>ls -l /usr/local/lib/libintl.so.8
                  lrwxrwxrwx 1 root other 16 Sep 18 2008 /usr/local/lib/libintl.so.8 -> libintl.so.8.0.2

                  EVZEW@byzimr:/prog/home/EVZEW>ls -l /usr/local/lib/libintl.so.8.0.2
                  -rwxr-xr-x 1 root bin 51192 Jan 1 2008 /usr/local/lib/libintl.so.8.0.2

                  I'll check today what a hack that could be.

                  Thanks for any idea,
                  Juergen
                  • 6. Re: sudo (sudo-1.7.2p1) fails with ld.so.1: sudo: fatal: libintl.so.8: open fai
                    807567
                    Hello Alan,

                    I've fixed the issue loading private librarys. I've done an internet search and found an interesting
                    article "When should I set LD_LIBRARY_PATH?" ( [find here|http://linuxmafia.com/faq/Admin/ld-lib-path.html] ).

                    The answer in that document was clear and simple: NEVER.

                    They advice is to specify library pathes for all libraries (static and dynamically loaded) at build time:

                    Specifying the location of dynamic libraries not in /usr/lib

                    In UNIX the location of a library can be specified with the -L dir option to the compiler. Furthermore, in Solaris
                    you need to specify the run time location with a corresponding -R dir option. For example, suppose we need
                    to use the freely available libz in our C program, squash, built from squash.c. This is not part of Solaris so it is
                    installed in /usr/local/lib. Here's a typical command to build it with Sun's C compiler - cc(1):
                    $ cc -o squash -L/usr/local/lib -R/usr/local/lib -lz squash.c
                    In other words your need to specify LDFLAGS like -R/usr/local/lib for compilation.

                    In Makefile for sudo I changed the LDFLAGS (empty in original Makefile):
                        # Flags to pass to the link stage
                        LDFLAGS = -R/usr/local/lib
                    and did a new build from scratch:

                    make clean
                    make
                    make install

                    Finally:

                    EVZEW@byzimr:/prog/home/EVZEW>sudo -h
                    usage: sudo -h | -K | -k | -L | -V

                    it works without a path specified in LD_LIBRARY_PATH!

                    BTW: the permissions on command sudo:

                    EVZEW@byzimr:/prog/home/EVZEW>ls -la /usr/local/bin/sudo
                    ---s--x--x 2 root root 155336 Jan 5 11:57 /usr/local/bin/sudo

                    are correct.

                    Because no read permissings are given, run a ldd on that file seems not possible.
                    I did it as root to show what libraries are loded/needed:
                    root@byzimr # ldd /usr/local/bin/sudo
                            libpam.so.1 =>   /usr/lib/libpam.so.1
                            libdl.so.1 =>    /usr/lib/libdl.so.1
                            libintl.so.8 =>  /usr/local/lib/libintl.so.8
                            libsocket.so.1 =>        /usr/lib/libsocket.so.1
                            libnsl.so.1 =>   /usr/lib/libnsl.so.1
                            libc.so.1 =>     /usr/lib/libc.so.1
                            libcmd.so.1 =>   /usr/lib/libcmd.so.1
                            libiconv.so.2 =>         /usr/local/lib/libiconv.so.2
                            libsec.so.1 =>   /usr/lib/libsec.so.1
                            libgcc_s.so.1 =>         /usr/local/lib/libgcc_s.so.1
                            libmp.so.2 =>    /usr/lib/libmp.so.2
                            /usr/platform/SUNW,Sun-Fire/lib/libc_psr.so.1
                    Many thanks for all the tips and support,
                    Juergen
                    • 7. Re: sudo (sudo-1.7.2p1) fails with ld.so.1: sudo: fatal: libintl.so.8: open fai
                      alan.pae
                      jueadams wrote:
                      Hello Alan,

                      I've fixed the issue loading private librarys. I've done an internet search and found an interesting
                      article "When should I set LD_LIBRARY_PATH?" ( [find here|http://linuxmafia.com/faq/Admin/ld-lib-path.html] ).

                      The answer in that document was clear and simple: NEVER.

                      They advice is to specify library pathes for all libraries (static and dynamically loaded) at build time:
                      My version of that is on MY web page at:

                      http://www.ilkda.com/compile/Environment_Variables.htm

                      Which was going to be my next step. :-)

                      Still, from what you originally posted I can't figure out why it didn't work.
                      Many thanks for all the tips and support,
                      Juergen
                      Your welcome,
                      alan

                      and Happy New Year to you as well.
                      • 8. Re: sudo (sudo-1.7.2p1) fails with ld.so.1: sudo: fatal: libintl.so.8: open fai
                        807567
                        Hi Alan,

                        I found the reason why it was needed to specify LD_LIBRARY_PATH
                        for sudo at compile time.

                        The security notes of sudo's man page explains:
                        Note that the dynamic linker on most operating systems will 
                        remove variables that can control dynamic linking from the 
                        environment of setuid executables, including sudo. Depending 
                        on the operating system this may include _RLD, DYLD_, LD_, LDR_, 
                        LIBPATH, SHLIB_PATH, and others. These type of variables are 
                        removed from the environment before sudo even begins execution 
                        and, as such, it is not possible for sudo to preserve them.
                        Good to know :)

                        Happy linking,
                        Juergen
                        • 9. Re: sudo (sudo-1.7.2p1) fails with ld.so.1: sudo: fatal: libintl.so.8: open fai
                          alan.pae
                          An easier method is to just use RBAC. :-)

                          alan