prelink - strange massive modifications after installing zabbix-agent


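I thought I knew something about prelink, but yesterday I ran into the strangest problem. I know I shouldn't be using it, but I found out that prelink was enabled on one of the CentOS 6 systems I manage, because it caused massive changes to all binaries and triggered intrusion alerts.

So I restored the system to the moment of the root cause, and this is the situation: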

prelink -mR -av -q 2> /dev/null | grep Prelink    # clean
prelink -mR -av    2> /dev/null | grep Prelink    # clean
yum install zabbix-agent   # only installs one rpm, no dependencies

[root@www ~]# ls -lt  /lib64/libm-2.12.so /lib64/libc-2.12.so /lib64/ld-2.12.so
-rwxr-xr-x 1 root root 1926520 Feb 16 19:38 /lib64/libc-2.12.so
-rwxr-xr-x 1 root root  599392 Feb 16 19:38 /lib64/libm-2.12.so
-rwxr-xr-x 1 root root  157072 Feb 16 19:37 /lib64/ld-2.12.so
[root@www ~]# ls -lct /lib64/libm-2.12.so /lib64/libc-2.12.so /lib64/ld-2.12.so
-rwxr-xr-x 1 root root  599392 Apr 21 17:51 /lib64/libm-2.12.so
-rwxr-xr-x 1 root root 1926520 Apr 21 17:51 /lib64/libc-2.12.so
-rwxr-xr-x 1 root root  157072 Apr 21 17:51 /lib64/ld-2.12.so
[root@www ~]# md5sum  /lib64/libm-2.12.so /lib64/libc-2.12.so /lib64/ld-2.12.so   # verified - unchanged
348544291616b515c962027644afe879  /lib64/libm-2.12.so
9094a2fcef90994f490554f5514216aa  /lib64/libc-2.12.so
10f3aead091e8bdc85b86a00f6fe2104  /lib64/ld-2.12.so
[root@www ~]# prelink --dry-run -mR -a -v 2> /dev/null | grep Would
Would prelink /usr/lib64/libltdl.so.7.2.1
Would prelink /usr/lib64/libMagickCore.so.5.0.0
Would prelink /usr/lib64/libMagickWand.so.5.0.0
Would prelink /usr/lib64/libcurl.so.4.1.1
Would prelink /usr/lib64/libodbcinst.so.2.0.0
Would prelink /usr/lib64/libodbc.so.2.0.0
Would prelink /usr/sbin/zabbix_agentd

[root@www ~]# rpm -ql zabbix-agent
/etc/init.d/zabbix-agent
/etc/logrotate.d/zabbix-agent
/etc/zabbix/zabbix_agentd.conf
/etc/zabbix/zabbix_agentd.d
/etc/zabbix/zabbix_agentd.d/userparameter_mysql.conf
/usr/sbin/zabbix_agentd
/usr/share/doc/zabbix-agent-3.0.2
/usr/share/doc/zabbix-agent-3.0.2/AUTHORS
/usr/share/doc/zabbix-agent-3.0.2/COPYING
/usr/share/doc/zabbix-agent-3.0.2/ChangeLog
/usr/share/doc/zabbix-agent-3.0.2/NEWS
/usr/share/doc/zabbix-agent-3.0.2/README
/usr/share/man/man8/zabbix_agentd.8.gz
/var/log/zabbix
/var/run/zabbix

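Nothing special so far, right? Now I checked what the usual daily prelink would do, and found that it wants to modify libm, which is strange because a full prelink does not modify this commonly used library. After that, the next daily prelink naturally modifies hundreds of unrelated binaries on the system.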

[root@www ~]# prelink --dry-run -mR -a -q -v 2> /dev/null | grep Would
Would prelink /usr/lib64/libltdl.so.7.2.1
Would prelink /usr/lib64/libodbc.so.2.0.0
Would prelink /lib64/libm-2.12.so
Would prelink /usr/sbin/zabbix_agentd

Does this have something to do with the fact that libm is relocated to a hex address very close to that of libltdl?

[root@www ~]# ldd /usr/sbin/zabbix_agentd
        linux-vdso.so.1 =>  (0x00007ffe481da000)
        libssl.so.10 => /usr/lib64/libssl.so.10 (0x0000003459200000)
        libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x0000003458600000)
        libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x0000003456a00000)
        liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x0000003459a00000)
        libcurl.so.4 => /usr/lib64/libcurl.so.4 (0x0000003453a00000)
        libodbc.so.2 => /usr/lib64/libodbc.so.2 (0x0000003927000000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f1e1ae0a000)
        libdl.so.2 => /lib64/libdl.so.2 (0x0000003452a00000)
        librt.so.1 => /lib64/librt.so.1 (0x0000003453200000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x0000003454600000)
        libc.so.6 => /lib64/libc.so.6 (0x0000003452600000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x0000003458200000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x0000003457200000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x0000003456600000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x0000003457600000)
        libz.so.1 => /lib64/libz.so.1 (0x0000003453600000)
        libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x0000003458e00000)
        libssl3.so => /usr/lib64/libssl3.so (0x0000003454200000)
        libsmime3.so => /usr/lib64/libsmime3.so (0x0000003456e00000)
        libnss3.so => /usr/lib64/libnss3.so (0x0000003455a00000)
        libnssutil3.so => /usr/lib64/libnssutil3.so (0x0000003455e00000)
        libplds4.so => /lib64/libplds4.so (0x0000003455200000)
        libplc4.so => /lib64/libplc4.so (0x0000003456200000)
        libnspr4.so => /lib64/libnspr4.so (0x0000003455600000)
        libidn.so.11 => /lib64/libidn.so.11 (0x000000345a200000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000003452e00000)
        libssh2.so.1 => /usr/lib64/libssh2.so.1 (0x0000003458a00000)
        libltdl.so.7 => /usr/lib64/libltdl.so.7 (0x00007f1e1abfa000)
        /lib64/ld-linux-x86-64.so.2 (0x0000003452200000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x0000003457e00000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x0000003457a00000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x0000003454e00000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x0000003453e00000)
        libfreebl3.so => /lib64/libfreebl3.so (0x0000003454a00000)

Edit: A simple test case shows that the prelink command behaves differently when it is given multiple files to work on than when it tries to prelink a single file. Why is that?

[root@www ~]# prelink --dry-run -v /usr/sbin/zabbix_agentd 2> /dev/null | grep Would
    Would prelink /lib64/libm-2.12.so
    Would prelink /usr/lib64/libltdl.so.7.2.1
    Would prelink /usr/lib64/libodbc.so.2.0.0
    Would prelink /usr/sbin/zabbix_agentd
[root@www ~]# prelink --dry-run -v /usr/sbin/zabbix_agentd /usr/sbin/era_check 2> /dev/null | grep Would
    Would prelink /usr/lib64/libcurl.so.4.1.1
    Would prelink /usr/lib64/libltdl.so.7.2.1
    Would prelink /usr/lib64/libodbc.so.2.0.0
    Would prelink /usr/sbin/zabbix_agentd

[root@www ~]# rpm -qf /usr/sbin/era_check      # random unrelated binary
device-mapper-persistent-data-0.3.2-1.el6.x86_64

[root@www ~]# ldd /usr/sbin/era_check
    linux-vdso.so.1 =>  (0x00007ffcf6991000)
    libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00000030d1e00000)
    libexpat.so.1 => /lib64/libexpat.so.1 (0x00000030d3e00000)
    libm.so.6 => /lib64/libm.so.6 (0x00000030cfe00000)
    libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00000030d1200000)
    libc.so.6 => /lib64/libc.so.6 (0x00000030cea00000)
    /lib64/ld-linux-x86-64.so.2 (0x00000030ce600000)
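
The comparison made by hand in the post (full run versus quick run) can be scripted so that the files an upcoming prelink run would rewrite are known before a file-integrity monitor reports them. This is an added example, not part of the original post; the helper names `would_prelink` and `only_in_first` are hypothetical, and the sample input is constructed from the dry-run output quoted above.

```sh
#!/bin/sh
# Added example (not from the original post): diff the file sets of two
# `prelink --dry-run -v` runs to see what each run alone would modify.
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# Print the path from each "Would prelink <path>" line on stdin, sorted, unique.
would_prelink() {
    sed -n 's/^[[:space:]]*Would prelink[[:space:]]\{1,\}//p' | sort -u
}

# only_in_first A B: paths that run A would modify and run B would not.
# A and B are files holding raw dry-run output.
only_in_first() {
    _a=$(mktemp) && _b=$(mktemp) || return 1
    would_prelink < "$1" > "$_a"
    would_prelink < "$2" > "$_b"
    comm -23 "$_a" "$_b"
    rm -f "$_a" "$_b"
}

# Sample input constructed from the output quoted in the post.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/full.txt" <<'EOF'
Would prelink /usr/lib64/libltdl.so.7.2.1
Would prelink /usr/lib64/libMagickCore.so.5.0.0
Would prelink /usr/lib64/libMagickWand.so.5.0.0
Would prelink /usr/lib64/libcurl.so.4.1.1
Would prelink /usr/lib64/libodbcinst.so.2.0.0
Would prelink /usr/lib64/libodbc.so.2.0.0
Would prelink /usr/sbin/zabbix_agentd
EOF
cat > "$SAMPLES/quick.txt" <<'EOF'
Would prelink /usr/lib64/libltdl.so.7.2.1
Would prelink /usr/lib64/libodbc.so.2.0.0
Would prelink /lib64/libm-2.12.so
Would prelink /usr/sbin/zabbix_agentd
EOF

echo "Only the quick run (-q) would touch:"
only_in_first "$SAMPLES/quick.txt" "$SAMPLES/full.txt"
echo "Only the full run would touch:"
only_in_first "$SAMPLES/full.txt" "$SAMPLES/quick.txt"
```

On a live system the two input files would come from redirecting the dry-run commands shown in the post, for example `prelink --dry-run -mR -a -v 2> /dev/null > full.txt`.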
