Secure Dynamic Linker Configuration (LD_PRELOAD/PATH Hardening)
Description
Harden the dynamic linker search path and the execution environment of services to prevent shared-library injection and PATH manipulation. Verify that /etc/ld.so.conf and every file under /etc/ld.so.conf.d/ reference only trusted, root-owned directories that no other user can write to, and that /etc/ld.so.preload (a system-wide preload list that ld.so applies to every program) is absent or root-owned and lists only intended libraries. For systemd-managed services, remove the variables with UnsetEnvironment=LD_PRELOAD LD_LIBRARY_PATH (systemd 229 and later), or set them to empty values with Environment="LD_PRELOAD=" "LD_LIBRARY_PATH=". Note that a service started by systemd does not inherit the invoking user's environment, and that EnvironmentFile= adds variables from a file rather than filtering them; if a service must receive variables from the manager environment, enumerate them explicitly with PassEnvironment=. Ensure no world-writable or relative entry appears in any service PATH, including an empty element or ".", both of which mean the current working directory. For containers and pods, combine this with no_new_privs (NoNewPrivileges=yes in systemd, securityContext.allowPrivilegeEscalation: false in a Kubernetes pod or container spec) so that a setuid or file-capability binary executed from a compromised service gains no additional privileges. The dynamic linker (ld-linux.so) enters secure-execution mode for setuid/setgid and file-capability binaries: there it ignores LD_LIBRARY_PATH entirely and honours LD_PRELOAD only for libraries found in the standard search directories that themselves carry the setuid bit. A service started as root by the init system undergoes no such privilege transition and runs in normal mode, so ld.so obeys whatever LD_PRELOAD and LD_LIBRARY_PATH it is handed; that is the case this control addresses.
CVSS Vector Impacts
| Metric | Transition | Rationale |
|---|---|---|
| Attack Complexity (AC) | L → H | With LD_PRELOAD and LD_LIBRARY_PATH cleared for services and library search paths restricted to trusted directories, the attacker cannot simply place a malicious shared library in a writable directory and have it loaded by a privileged process. Exploitation requires either modifying a trusted directory (which requires elevated privileges or a separate vulnerability), exploiting a service that explicitly loads libraries from untrusted paths (an application-level bug), or finding an alternative code injection vector beyond the hardened dynamic linker configuration. |
CWE Relationships
Verification
Verify that the dynamic linker search path (ld.so.conf, ld.so.conf.d/ and the ldconfig cache) references only trusted directories, that /etc/ld.so.preload is absent or contains only intended root-owned libraries, that LD_PRELOAD and LD_LIBRARY_PATH are unset both in the unit configuration and in the environment of the running main process (a wrapper script can reintroduce them), and that no world-writable or current-directory entries appear in library search paths or in PATH.
# Expected: Only trusted, non-writable library directories listed
# Expected: No output (no writable directories in library path)
# Expected: LD_PRELOAD is empty or absent
# Expected: Library cache populated from trusted paths only
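The following script performs the checks described in the Description and Verification sections. It is an added example written for this page, not a tool the page or any project provides. It parses /etc/ld.so.conf with its include directives, flags world-writable directories in the library search path and in a PATH string (including empty and "." entries), scans unit files or drop-ins for Environment= lines that give LD_PRELOAD or LD_LIBRARY_PATH a value, and compares a running service's configured environment with what its main process actually holds. It assumes a Linux host with GNU find, grep and sed and a systemd that supports `systemctl show --value`; any unit names passed on the command line are the operator's own choice.

```shell
#!/bin/sh
# Dynamic-linker and PATH hardening audit. Added example for this page, not
# part of any upstream tool. Assumes Linux with GNU findutils, grep and sed,
# and (for the service check) systemd with "systemctl show --value".

# Print every directory listed in an ld.so.conf-style file, following
# "include" directives. A relative include glob is resolved against the
# directory of the file that contains it, as ldconfig does.
ldconf_dirs() {
    local conf line pat f
    conf=$1
    [ -r "$conf" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # drop comments
        line=${line#"${line%%[![:space:]]*}"}     # trim leading whitespace
        line=${line%"${line##*[![:space:]]}"}     # trim trailing whitespace
        [ -z "$line" ] && continue
        case $line in
            include\ *)
                pat=${line#include }
                case $pat in /*) ;; *) pat="$(dirname "$conf")/$pat" ;; esac
                for f in $pat; do                 # unquoted: glob expansion intended
                    [ -f "$f" ] && ldconf_dirs "$f"
                done ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done < "$conf"
}

# True if the directory is world-writable, i.e. any user can drop a file in it.
# A sticky bit (as on /tmp) does not help: creating new files is still allowed.
# "$1/." makes find examine the directory itself, not a symlink such as /lib.
is_world_writable() {
    [ -d "$1" ] && [ -n "$(find "$1/." -prune -perm -0002 2>/dev/null)" ]
}

# Print "<verdict> <dir>" for each argument: ok, missing or world-writable.
audit_dirs() {
    for d in "$@"; do
        if [ ! -d "$d" ]; then printf 'missing %s\n' "$d"
        elif is_world_writable "$d"; then printf 'world-writable %s\n' "$d"
        else printf 'ok %s\n' "$d"
        fi
    done
}

# Report PATH entries an attacker could control. An empty element and "."
# both mean the current working directory; relative entries depend on cwd.
audit_path() {
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        case $entry in
            ''|.)  printf 'cwd %s\n' "${entry:-<empty>}" ;;
            /*)    audit_dirs "$entry" ;;
            *)     printf 'relative %s\n' "$entry" ;;
        esac
    done
}

# Environment= lines in unit files or drop-ins that give LD_PRELOAD or
# LD_LIBRARY_PATH a non-empty value. Splitting on spaces is adequate for these
# two variables; an empty assignment such as LD_PRELOAD= is not reported.
unit_ld_env() {
    grep -hE '^[[:space:]]*Environment=' "$@" 2>/dev/null \
        | sed 's/^[[:space:]]*Environment=//' | tr ' ' '\n' | tr -d '"' \
        | grep -E '^LD_(PRELOAD|LIBRARY_PATH)=.' || true
}

# What a running service actually got: systemd's configured environment plus
# the main PID's /proc environ (a wrapper script may have re-added variables).
service_ld_env() {
    systemctl show -p Environment -p UnsetEnvironment "$1"
    pid=$(systemctl show -p MainPID --value "$1")
    if [ "${pid:-0}" -gt 0 ] && [ -r "/proc/$pid/environ" ]; then
        tr '\0' '\n' < "/proc/$pid/environ" | grep -E '^LD_(PRELOAD|LIBRARY_PATH)=' \
            || echo "PID $pid: LD_PRELOAD and LD_LIBRARY_PATH not set"
    fi
}

# Host-wide audit; pass unit names (e.g. sshd.service) to inspect services.
audit_system() {
    echo "== directories from /etc/ld.so.conf =="
    ldconf_dirs /etc/ld.so.conf | sort -u | while IFS= read -r d; do audit_dirs "$d"; done
    echo "== directories in the ldconfig cache =="
    command -v ldconfig >/dev/null 2>&1 && ldconfig -p 2>/dev/null | sed -n 's/.* => //p' \
        | sed 's:/[^/]*$::' | sort -u | while IFS= read -r d; do audit_dirs "$d"; done
    echo "== /etc/ld.so.preload =="
    [ -e /etc/ld.so.preload ] && cat /etc/ld.so.preload || echo "absent"
    echo "== PATH of this shell =="
    audit_path "$PATH"
    for u in "$@"; do echo "== $u =="; service_ld_env "$u"; done
}

audit_system "$@"
```

Run it as root so that /proc/<pid>/environ of each service is readable, for example `sh ldaudit.sh sshd.service`. The directory checks look at mode bits only; a directory owned by a non-root user should also be treated as untrusted, which `find "$d/." -prune ! -user root` reports, and is worth adding for hosts where vendor packages register /opt paths in ld.so.conf.d.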