Troubleshooting
Problem
Why do the A-TAP library files need the SUID/SGID bits set?
Normally, these bits are set on the binary that uses the library. Can SUID be removed from these files?
Symptom
During OS security scans, Guardium A-TAP libraries that are installed under /usr/lib are identified as having the SUID or SGID bit set.
Can the SUID setting be removed from the A-TAP libraries, because it violates security scanning?
If not, why is SUID needed and what would be impacted if it is removed?
root:root:r-sr-sr-x:/usr/lib/libguard-atap-db2-any-64.so
root:root:r-sr-sr-x:/usr/lib/libguard-atap-informix-any-64.so
root:root:r-sr-sr-x:/usr/lib/libguard-atap-informix_new-any-64.so
root:root:r-sr-sr-x:/usr/lib/libguard-atap-mongodb-any-64.so
root:root:r-sr-sr-x:/usr/lib/libguard-atap-oracle-any-64.so
root:root:r-sr-sr-x:/usr/lib/libguard-atap-oraclestatic-any-64.a
root:root:r-sr-sr-x:/usr/lib/libguard-atap-oraclestatic-any-64.so
root:root:r-sr-sr-x:/usr/lib/libguard-atap-postgres-any-64.so
root:root:r-sr-sr-x:/usr/lib/libguard-atap-sybase-15-64.so
root:root:r-sr-sr-x:/usr/lib/libguard-atap-sybaseiq-any-64.so
root:root:r-sr-sr-x:/usr/lib/libguard-atap-teradata-any-64.so
root:root:r-sr-sr-x:/usr/lib64/libguard-atap-sybaseiq-any-util-64.so
Cause
Resolving The Problem
SGID is required for all A-TAP libraries because A-TAP needs to use LD_PRELOAD.
For set-user-ID or set-group-ID ELF binaries, shared objects in the standard search directories are loaded only if the set-user-ID mode bit is enabled on the shared object file.
SGID must be set because we do not want anyone to be able to execute it, but it is needed by A-TAP.
Add the listed libraries as exceptions to a security scan.
The Linux ld.so man page states the following about the LD_PRELOAD environment variable:
"In secure-execution mode, preload pathnames containing slashes are ignored. Furthermore, shared objects are preloaded only from the standard search directories and only if they have set-user-ID mode bit enabled (which is not typical)."
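When the listed libraries are added as scan exceptions, the exception can be kept narrow so that other SUID/SGID files are still reported. The following Python is an added example, not IBM code: it reads findings in the owner:group:mode:path form shown in the scan output above and grants the exception only under an assumed policy (root:root ownership, a libguard-atap-* name directly under /usr/lib or /usr/lib64, no group or world write bit). The last four sample lines are constructed for illustration.

```python
import fnmatch
import posixpath

# Assumed policy (not from IBM): the exception covers only root:root files
# named libguard-atap-* directly under the directories seen in the scan output.
ALLOWED_DIRS = {"/usr/lib", "/usr/lib64"}
ALLOWED_NAME = "libguard-atap-*"

SAMPLE_FINDINGS = [
    # The first two lines are taken from the scan output on this page.
    "root:root:r-sr-sr-x:/usr/lib/libguard-atap-db2-any-64.so",
    "root:root:r-sr-sr-x:/usr/lib64/libguard-atap-sybaseiq-any-util-64.so",
    # Constructed lines that must not inherit the exception.
    "root:root:rwsrwsrwx:/usr/lib/libguard-atap-oracle-any-64.so",
    "dbadmin:dba:r-sr-sr-x:/usr/lib/libguard-atap-postgres-any-64.so",
    "root:root:r-sr-sr-x:/usr/lib/../../tmp/libguard-atap-db2-any-64.so",
    "root:root:r-sr-sr-x:/usr/lib/libexample.so",
]


def classify(line):
    """Return (verdict, reason) for one 'owner:group:mode:path' finding."""
    owner, group, mode, path = line.strip().split(":", 3)
    if len(mode) != 9:
        raise ValueError(f"unexpected mode string: {mode!r}")
    # 's' or 'S' in the owner/group execute position marks SUID/SGID.
    if mode[2] not in "sS" and mode[5] not in "sS":
        return "ignore", "no SUID/SGID bit set"
    # Normalise so '..' segments cannot smuggle a path past the directory check.
    directory, name = posixpath.split(posixpath.normpath(path))
    if directory not in ALLOWED_DIRS or not fnmatch.fnmatchcase(name, ALLOWED_NAME):
        return "flag", "not an A-TAP library in a standard directory"
    if (owner, group) != ("root", "root"):
        return "flag", "not owned by root:root"
    if mode[4] == "w" or mode[7] == "w":
        return "flag", "group- or world-writable"
    return "except", "matches the A-TAP exception"


def review(findings):
    """Map each reported path to its verdict."""
    return {line.strip().split(":", 3)[3]: classify(line)[0] for line in findings}


if __name__ == "__main__":
    for line in SAMPLE_FINDINGS:
        print(*classify(line), line, sep="\t")
```

Only findings with the verdict "except" are suppressed; everything marked "flag" stays in the scan report for review.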
Document Location
Worldwide
Document Information
Modified date:
10 October 2023
UID
ibm10872734