LD_LIBRARY_PATH is an environment variable that gives the run-time shared library loader (ld.so) an extra set of directories to search when looking for shared libraries. These directories are used in preference to any run-time or default system linker path.
Multiple directories can be listed, separated with a colon (:). This list is prepended to the existing list of compiled-in loader paths for a given executable and any system default loader paths.
So it is possible to override default system shared libraries for a given executable by using this path variable.
This can be a grave security risk for executables running with elevated privileges, i.e. with the setuid or setgid bit set. The caller could override almost all of the functions called by the executable with custom and probably malicious code, which would then execute with elevated privileges.
For security reasons, LD_LIBRARY_PATH is ignored (unset) at runtime for executables that have their setuid or setgid bit set.
Here is an example:
The newgrp command is setuid to root, so, as explained above, LD_LIBRARY_PATH is unset when newgrp is executed by a non-root user.
# ls -l /usr/bin/newgrp
-rws--x--x 1 root root 6956 May 4 2004 /usr/bin/newgrp
Note: 's' listed in the permission field indicates that the command or file has the setuid / setgid bit set.
When newgrp is run by user root, it is not running with any elevated privileges and the restriction for LD_LIBRARY_PATH does not apply.
Other frequently used commands that affect the LD_LIBRARY_PATH variable in this way are passwd, su, crontab, and ping.
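The rule described above can be checked from file metadata alone. The following is an added example, not part of the original article: the hypothetical helper ld_path_ignored reports whether LD_LIBRARY_PATH would be ignored for a given file and caller. It assumes GNU stat and approximates the loader's decision from the setuid/setgid bits and ownership only.

```shell
#!/bin/sh
# Added example, not from the original article.
# ld_path_ignored FILE CALLER_UID CALLER_GID
# Prints "ignored" when running FILE as that caller would change the
# effective UID or GID (setuid/setgid bit set and the owner/group differs
# from the caller), the case in which ld.so drops LD_LIBRARY_PATH.
# Prints "honored" otherwise. Assumption: GNU stat (coreutils) is available.
ld_path_ignored() {
    file=$1
    caller_uid=$2
    caller_gid=$3
    # %a = octal mode, %u = owner UID, %g = group GID
    info=$(stat -c '%a %u %g' -- "$file") || return 2
    set -- $info
    mode=$1
    owner=$2
    group=$3
    # The special bits (setuid=4, setgid=2) are the fourth octal digit
    # from the right; stat omits it when no special bit is set.
    special=0
    if [ "${#mode}" -ge 4 ]; then
        special=${mode%???}
    fi
    setuid=$(( (special & 4) != 0 ))
    setgid=$(( (special & 2) != 0 ))
    if [ "$setuid" -eq 1 ] && [ "$owner" != "$caller_uid" ]; then
        echo ignored
    elif [ "$setgid" -eq 1 ] && [ "$group" != "$caller_gid" ]; then
        echo ignored
    else
        echo honored
    fi
}

# Usage: check the article's example binary for the current (real) user.
if [ -e /usr/bin/newgrp ]; then
    echo "newgrp: $(ld_path_ignored /usr/bin/newgrp "$(id -ru)" "$(id -rg)")"
fi
```

Run as a non-root user against a root-owned setuid binary, the helper prints "ignored"; run as root it prints "honored", matching the newgrp behaviour described above.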