At work, I applied the RHEL 5 Draft STIG to some of our systems in an effort to increase our security. (STIGs are security checklists, and they're available for a multitude of operating systems and devices. Unfortunately, they are frequently out of date, which is why I'm applying a RHEL 5 STIG to a RHEL 6 network.) A week later, a routine kernel update brought our network to its knees. The guilty party? /usr/bin/ldd's permissions, which the draft STIG required be set to 000.
Apparently, when you update a kernel package in RHEL (and this may be a shortcoming of RPM packages in general, since root should be able to get around this problem), it tries to run /usr/bin/ldd. If you remove all access to ldd by setting its permissions to 000, the kernel does not install correctly (even though yum reports no errors) and you will get a Kernel Panic screen on your next boot. I got a few variations of the same message (one said “VFS: Unable to mount root fs on unknown-block(0,0)” and another one said “Kernel panic - not syncing: No init found. Try passing init= option to kernel.”). When I first encountered the problem, it was a week after I’d applied the STIG, so my gut reaction initially was to say it was RHEL’s fault. I didn’t really believe that, but I couldn’t see what else it could be.
It wasn’t until many hours later that I tried to run mkinitrd manually out of desperation. It started spitting out error messages about ldd. Suddenly it dawned on me what had happened. I fixed the permissions and tried rebooting. Still nothing. Then it occurred to me that ldd was probably only getting run during the initial kernel INSTALL. This time, I booted off the old kernel, ran yum reinstall kernel and rebooted. SUCCESS!
Unfortunately, there isn't a good way to detect that a kernel update is about to be applied, so it would be hard to script resetting the permissions before an install. I'm going to recommend that administrators skip this STIG setting for now. Bricking your system is too high a price just to be compliant, and I'm unconvinced that changing ldd's permissions provides any security benefit whatsoever.
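Even if the update itself can't be caught ahead of time, the damage it leaves behind can be checked for before anyone reboots. The script below is an added example (not part of the original post, and not a tool from RHEL or the STIG) that performs the two checks implied by the story: that ldd is actually executable, and that a non-empty initramfs image exists for the newly installed kernel. The function names, the argument layout, and the `initramfs-<version>.img` / `initrd-<version>.img` naming are assumptions chosen so the functions can be pointed at constructed fixtures as well as at `/usr/bin/ldd` and `/boot`.

```shell
#!/bin/sh
# Added example, not code from the original post: a pre-reboot sanity check
# for the "ldd set to 000 breaks the kernel install" failure mode.
# All paths are parameters so the check can be exercised against fixtures.

# Returns 0 if the given ldd binary exists and is readable and executable.
# mkinitrd shells out to ldd; with mode 000 it fails and the initrd is
# never (correctly) built, even though yum reports success.
ldd_is_usable() {
    [ -r "$1" ] && [ -x "$1" ]
}

# Returns 0 if a non-empty initramfs/initrd image for kernel version $2
# exists under boot directory $1. A missing or empty image is what
# precedes the "unable to mount root fs" / "no init found" panic.
initrd_present() {
    bootdir="$1"
    kver="$2"
    for img in "$bootdir/initramfs-$kver.img" "$bootdir/initrd-$kver.img"; do
        [ -s "$img" ] && return 0
    done
    return 1
}

# Combined check: returns 0 when it looks safe to reboot into kernel $3,
# 1 (with a warning on stderr) when the admin should fix ldd's permissions
# and run "yum reinstall kernel" first, as described in the post.
safe_to_reboot() {
    ldd="$1"
    bootdir="$2"
    kver="$3"
    if ! ldd_is_usable "$ldd"; then
        echo "WARNING: $ldd is not readable/executable (mode $(stat -c %a "$ldd" 2>/dev/null)); mkinitrd will fail" >&2
        return 1
    fi
    if ! initrd_present "$bootdir" "$kver"; then
        echo "WARNING: no usable initrd for kernel $kver in $bootdir; reinstall the kernel before rebooting" >&2
        return 1
    fi
    return 0
}

# Usage on a live RHEL box after a kernel update (hypothetical invocation):
# the most recently installed kernel package is listed first by "rpm -q --last".
#   newest=$(rpm -q --last kernel | head -n 1 | cut -d' ' -f1 | sed 's/^kernel-//')
#   safe_to_reboot /usr/bin/ldd /boot "$newest" && echo "OK to reboot"
```

Running this as the last step of any patching job would have turned the multi-hour outage into a warning line, and it is cheap enough to keep in place even after the STIG setting is dropped.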