
I want to use porg in my LFS distro. It's similar to checkinstall; it uses LD_PRELOAD.

1. If you read the README:

> CheckInstall currently is unable to track any file system changes made by statically linked programs

I think it refers to the commands like mkdir, mv, ln, etc. So I should not have any problems with this. Am I right?

2. Then, the main problem:

> NOTE ON SUID/SGID PROGRAMS: CheckInstall can't track their actions because of some limitations in the LD_PRELOAD system that installwatch uses. This is good for security reasons, but it can generate unexpected results when the installation process uses SUID/SGID binaries.

What does it mean? I don't care if I lose track of some files. I do care if there will be unexpected results, or if I can't install the package correctly.

Also, how many packages have this problem?

1 Answer
  1. In case coreutils (mkdir, mv, etc.) on your system are statically linked (i.e. running file on them reports "statically linked"), porg will not be able to track their operations and thus some installed files may go untracked. Statically linked executables are second-class citizens in Linux and LD_PRELOAD does not support them.

  2. Setuid executables indeed sanitize LD_PRELOAD before usage - they ignore all files which have slashes in their names (so that only files from standard system paths can be loaded) and also require that the shared library itself has the setuid bit set. So in your case you'll need to locate porg's preloaded library and set the setuid bit on it (via chmod a+s libxyz.so). BTW, it may make sense to ask the porg authors to make this change in their distro. I don't think this will cause any problems in a typical package, as installers typically don't need to run setuid programs (like mount, passwd, sudo).
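Both points can be checked on a given system before running an installer under porg. The script below is an added example, not part of the original answer or of porg: it classifies each command by whether the dynamic loader would honour LD_PRELOAD for it. The function names are hypothetical, and it assumes the `file` utility is installed.

```shell
#!/bin/sh
# Added example: predict which commands an LD_PRELOAD-based tracker
# (porg, checkinstall/installwatch) will not be able to observe.
# Usage: sh preload-check.sh mkdir mv ln cp install

# classify_desc MODE DESC
#   MODE: "setid" if the file has the setuid or setgid bit, else "plain"
#   DESC: the description printed by `file -bL` for the binary
classify_desc() {
    mode=$1 desc=$2
    [ -n "$desc" ] || { echo "unknown"; return; }
    case $desc in
        *ELF*) ;;
        # Scripts are run by an interpreter; check the interpreter instead.
        *) echo "not-elf"; return ;;
    esac
    case $desc in
        # No dynamic loader runs, so LD_PRELOAD is never consulted.
        *"statically linked"*|*"static-pie linked"*)
            echo "untracked-static"; return ;;
    esac
    # The loader runs in secure mode and restricts LD_PRELOAD.
    if [ "$mode" = setid ]; then
        echo "restricted-setid"
        return
    fi
    echo "tracked"
}

# check_cmd NAME: resolve NAME in PATH and print its classification.
check_cmd() {
    path=$(command -v "$1" 2>/dev/null) || { echo "$1: not-found"; return; }
    case $path in
        /*) ;;
        # Builtins run inside the shell process, whose own linkage decides.
        *) echo "$1: shell-builtin"; return ;;
    esac
    mode=plain
    if [ -u "$path" ] || [ -g "$path" ]; then mode=setid; fi
    desc=$(file -bL "$path" 2>/dev/null) || desc=
    echo "$1: $(classify_desc "$mode" "$desc") ($path)"
}

for c in "$@"; do
    check_cmd "$c"
done
```

Any command reported as untracked-static or restricted-setid can modify the file system without the change appearing in the package log.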
