prelink - 安装 zabbix-agent 后奇怪的大规模修改

prelink - 安装 zabbix-agent 后奇怪的大规模修改

我以为我知道一些事情prelink,但昨天我遇到了最奇怪的问题。我知道我不应该使用prelink,但我注意到它在我管理的 CentOS 6 系统之一上启用,因为它导致所有二进制文件发生巨大变化,从而触发入侵警告。

所以我将系统恢复到根本原因时刻,情况如下:

prelink -mR -av -q 2> /dev/null | grep Prelink    # clean
prelink -mR -av    2> /dev/null | grep Prelink    # clean
yum install zabbix-agent   # only installs one rpm, no dependencies

[root@www ~]# ls -lt  /lib64/libm-2.12.so /lib64/libc-2.12.so /lib64/ld-2.12.so
-rwxr-xr-x 1 root root 1926520 Feb 16 19:38 /lib64/libc-2.12.so
-rwxr-xr-x 1 root root  599392 Feb 16 19:38 /lib64/libm-2.12.so
-rwxr-xr-x 1 root root  157072 Feb 16 19:37 /lib64/ld-2.12.so
[root@www ~]# ls -lct /lib64/libm-2.12.so /lib64/libc-2.12.so /lib64/ld-2.12.so
-rwxr-xr-x 1 root root  599392 Apr 21 17:51 /lib64/libm-2.12.so
-rwxr-xr-x 1 root root 1926520 Apr 21 17:51 /lib64/libc-2.12.so
-rwxr-xr-x 1 root root  157072 Apr 21 17:51 /lib64/ld-2.12.so
[root@www ~]# md5sum  /lib64/libm-2.12.so /lib64/libc-2.12.so /lib64/ld-2.12.so   # verified - unchanged
348544291616b515c962027644afe879  /lib64/libm-2.12.so
9094a2fcef90994f490554f5514216aa  /lib64/libc-2.12.so
10f3aead091e8bdc85b86a00f6fe2104  /lib64/ld-2.12.so
[root@www ~]# prelink --dry-run -mR -a -v 2> /dev/null | grep Would
Would prelink /usr/lib64/libltdl.so.7.2.1
Would prelink /usr/lib64/libMagickCore.so.5.0.0
Would prelink /usr/lib64/libMagickWand.so.5.0.0
Would prelink /usr/lib64/libcurl.so.4.1.1
Would prelink /usr/lib64/libodbcinst.so.2.0.0
Would prelink /usr/lib64/libodbc.so.2.0.0
Would prelink /usr/sbin/zabbix_agentd

[root@www ~]# rpm -ql zabbix-agent
/etc/init.d/zabbix-agent
/etc/logrotate.d/zabbix-agent
/etc/zabbix/zabbix_agentd.conf
/etc/zabbix/zabbix_agentd.d
/etc/zabbix/zabbix_agentd.d/userparameter_mysql.conf
/usr/sbin/zabbix_agentd
/usr/share/doc/zabbix-agent-3.0.2
/usr/share/doc/zabbix-agent-3.0.2/AUTHORS
/usr/share/doc/zabbix-agent-3.0.2/COPYING
/usr/share/doc/zabbix-agent-3.0.2/ChangeLog
/usr/share/doc/zabbix-agent-3.0.2/NEWS
/usr/share/doc/zabbix-agent-3.0.2/README
/usr/share/man/man8/zabbix_agentd.8.gz
/var/log/zabbix
/var/run/zabbix

到目前为止没有什么特别的,是吗?现在我检查正常的每日预链接会做什么,结果发现它想要修改libm哪个诡异的因为完整的预链接不会修改这个常用的库。之后,下一个每日预链接自然会修改系统中数百个不相关的二进制文件。

[root@www ~]# prelink --dry-run -mR -a -q -v 2> /dev/null | grep Would
Would prelink /usr/lib64/libltdl.so.7.2.1
Would prelink /usr/lib64/libodbc.so.2.0.0
Would prelink /lib64/libm-2.12.so
Would prelink /usr/sbin/zabbix_agentd

libm这与重定位的十六进制地址非常接近的事实有什么关系libltdl

[root@www ~]# ldd /usr/sbin/zabbix_agentd
        linux-vdso.so.1 =>  (0x00007ffe481da000)
        libssl.so.10 => /usr/lib64/libssl.so.10 (0x0000003459200000)
        libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x0000003458600000)
        libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x0000003456a00000)
        liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x0000003459a00000)
        libcurl.so.4 => /usr/lib64/libcurl.so.4 (0x0000003453a00000)
        libodbc.so.2 => /usr/lib64/libodbc.so.2 (0x0000003927000000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f1e1ae0a000)
        libdl.so.2 => /lib64/libdl.so.2 (0x0000003452a00000)
        librt.so.1 => /lib64/librt.so.1 (0x0000003453200000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x0000003454600000)
        libc.so.6 => /lib64/libc.so.6 (0x0000003452600000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x0000003458200000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x0000003457200000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x0000003456600000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x0000003457600000)
        libz.so.1 => /lib64/libz.so.1 (0x0000003453600000)
        libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x0000003458e00000)
        libssl3.so => /usr/lib64/libssl3.so (0x0000003454200000)
        libsmime3.so => /usr/lib64/libsmime3.so (0x0000003456e00000)
        libnss3.so => /usr/lib64/libnss3.so (0x0000003455a00000)
        libnssutil3.so => /usr/lib64/libnssutil3.so (0x0000003455e00000)
        libplds4.so => /lib64/libplds4.so (0x0000003455200000)
        libplc4.so => /lib64/libplc4.so (0x0000003456200000)
        libnspr4.so => /lib64/libnspr4.so (0x0000003455600000)
        libidn.so.11 => /lib64/libidn.so.11 (0x000000345a200000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x0000003452e00000)
        libssh2.so.1 => /usr/lib64/libssh2.so.1 (0x0000003458a00000)
        libltdl.so.7 => /usr/lib64/libltdl.so.7 (0x00007f1e1abfa000)
        /lib64/ld-linux-x86-64.so.2 (0x0000003452200000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x0000003457e00000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x0000003457a00000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x0000003454e00000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x0000003453e00000)
        libfreebl3.so => /lib64/libfreebl3.so (0x0000003454a00000)

更新简单的测试用例表明,prelink如果给定几个要操作的文件,则命令的行为与仅尝试预链接单个文件时的行为不同。这是为什么?

[root@www ~]# prelink --dry-run -v /usr/sbin/zabbix_agentd 2> /dev/null | grep Would
    Would prelink /lib64/libm-2.12.so
    Would prelink /usr/lib64/libltdl.so.7.2.1
    Would prelink /usr/lib64/libodbc.so.2.0.0
    Would prelink /usr/sbin/zabbix_agentd
[root@www ~]# prelink --dry-run -v /usr/sbin/zabbix_agentd /usr/sbin/era_check 2> /dev/null | grep Would
    Would prelink /usr/lib64/libcurl.so.4.1.1
    Would prelink /usr/lib64/libltdl.so.7.2.1
    Would prelink /usr/lib64/libodbc.so.2.0.0
    Would prelink /usr/sbin/zabbix_agentd

[root@www ~]# rpm -qf /usr/sbin/era_check      # random unrelated binary
device-mapper-persistent-data-0.3.2-1.el6.x86_64

[root@www ~]# ldd /usr/sbin/era_check
    linux-vdso.so.1 =>  (0x00007ffcf6991000)
    libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00000030d1e00000)
    libexpat.so.1 => /lib64/libexpat.so.1 (0x00000030d3e00000)
    libm.so.6 => /lib64/libm.so.6 (0x00000030cfe00000)
    libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00000030d1200000)
    libc.so.6 => /lib64/libc.so.6 (0x00000030cea00000)
    /lib64/ld-linux-x86-64.so.2 (0x00000030ce600000)

相关内容