IBM Support

Why do A-TAP libraries have SUID/SGID bit set?

Troubleshooting


Problem

Why do the A-TAP library files need the SUID/SGID bits set?
Normally, these bits are set on the binary that uses the library. Can SUID be removed from these files?

Symptom

During OS security scans, Guardium A-TAP libraries that are installed under /usr/lib are identified as having the SUID or SGID bit set.
Can the SUID setting be removed from the A-TAP libraries, since security scanning flags it as a violation?
If not, why is SUID needed and what would be impacted if it is removed?
 
root:root:r-sr-sr-x:/usr/lib/libguard-atap-db2-any-64.so
root:root:r-sr-sr-x:/usr/lib/libguard-atap-informix-any-64.so
root:root:r-sr-sr-x:/usr/lib/libguard-atap-informix_new-any-64.so
root:root:r-sr-sr-x:/usr/lib/libguard-atap-mongodb-any-64.so
root:root:r-sr-sr-x:/usr/lib/libguard-atap-oracle-any-64.so
root:root:r-sr-sr-x:/usr/lib/libguard-atap-oraclestatic-any-64.a
root:root:r-sr-sr-x:/usr/lib/libguard-atap-oraclestatic-any-64.so
root:root:r-sr-sr-x:/usr/lib/libguard-atap-postgres-any-64.so
root:root:r-sr-sr-x:/usr/lib/libguard-atap-sybase-15-64.so
root:root:r-sr-sr-x:/usr/lib/libguard-atap-sybaseiq-any-64.so
root:root:r-sr-sr-x:/usr/lib/libguard-atap-teradata-any-64.so
root:root:r-sr-sr-x:/usr/lib64/libguard-atap-sybaseiq-any-util-64.so

Cause

Resolving The Problem

SGID is required for all A-TAP libraries because A-TAP needs to use LD_PRELOAD.
For set-user-ID or set-group-ID ELF binaries, shared objects in the standard search directories are loaded only if the set-user-ID mode bit is enabled on the shared object file.
SGID must be set because we do not want anyone to be able to execute it, but it is needed by A-TAP.
Add the listed libraries as exceptions to a security scan.
The Linux documentation for the LD_PRELOAD environment variable (the ld.so(8) manual page) states that:

"In secure-execution mode, preload pathnames containing slashes are ignored.  Furthermore, shared objects are preloaded only from the standard search directories and only if they have set-user-ID mode bit enabled (which is not typical)."
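When these libraries are added as scan exceptions, the exception should stay narrow. The following is an added example, not IBM code: it reviews scanner lines in the owner:group:mode:path format shown above and accepts only root-owned, non-writable A-TAP files located directly in a standard library directory. The directory set, the file-name pattern and the function name are assumptions taken from the listing on this page.

```python
import fnmatch
import posixpath

# Assumptions of this example (not IBM's): the directories and the file-name
# pattern are taken from the scan output shown on this page.
STANDARD_DIRS = {"/usr/lib", "/usr/lib64"}
ATAP_PATTERN = "libguard-atap-*"


def review_finding(line):
    """Return the reasons a scanner line must NOT be excepted ([] = acceptable).

    Line format, as in the listing above: owner:group:mode:path
    """
    owner, group, mode, path = line.strip().split(":", 3)
    if len(mode) != 9:
        raise ValueError(f"unexpected mode string: {mode!r}")
    reasons = []
    # 's'/'S' in the owner or group execute position marks SUID / SGID.
    if mode[2] not in "sS" and mode[5] not in "sS":
        reasons.append("no SUID/SGID bit set")
    # Reject '..' tricks and anything outside the standard search directories.
    if posixpath.normpath(path) != path or posixpath.dirname(path) not in STANDARD_DIRS:
        reasons.append("not directly inside a standard library directory")
    if not fnmatch.fnmatchcase(posixpath.basename(path), ATAP_PATTERN):
        reasons.append("file name is not an A-TAP library")
    if (owner, group) != ("root", "root"):
        reasons.append("not owned by root:root")
    # A preloadable SUID library that non-root users can modify is a real finding.
    if mode[4] == "w" or mode[7] == "w":
        reasons.append("writable by group or others")
    return reasons


# The first two lines are from the page; the rest are constructed for illustration.
SAMPLE_SCAN = [
    "root:root:r-sr-sr-x:/usr/lib/libguard-atap-db2-any-64.so",
    "root:root:r-sr-sr-x:/usr/lib64/libguard-atap-sybaseiq-any-util-64.so",
    "root:root:rwsrwsrwx:/usr/lib/libguard-atap-oracle-any-64.so",
    "app:app:r-sr-sr-x:/usr/lib/libguard-atap-db2-any-64.so",
    "root:root:r-sr-sr-x:/opt/tools/libguard-atap-db2-any-64.so",
    "root:root:r-sr-sr-x:/usr/lib/libhelper.so",
]

if __name__ == "__main__":
    for entry in SAMPLE_SCAN:
        why = review_finding(entry)
        print("EXCEPT     " if not why else "INVESTIGATE", entry, why)
```

Any entry reported as INVESTIGATE should remain a scan finding rather than being covered by the A-TAP exception.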

Document Location

Worldwide


Document Information

Modified date:
10 October 2023

UID

ibm10872734