Why do md5sum checksums of prelinked files differ among servers?


Environment

  • Red Hat Enterprise Linux

Issue

The checksum (md5sum) of the library /lib64/ld-2.5.so (package glibc-2.5-65) differs between servers.

Resolution

To see the MD5 checksum of the non-prelinked binary, use:

    prelink -y /lib64/ld-2.5.so | md5sum

To disable prelinking, see:
How do I disable prelink on my system?

Root Cause

Most programs require libraries to work. Libraries can be integrated into a program once, by a linker, when it is compiled (static linking), or they can be integrated by a loader when the program is run (dynamic linking). Dynamic linking has advantages in code size and management, but every time a program is run, the loader needs to find the relevant libraries. As the libraries can move around in memory, this causes a performance penalty, and the more libraries that need to be resolved, the greater the penalty. Prelink reduces this penalty by using the system's dynamic linker to reversibly perform this linking in advance ("prelinking" the executable file) by relocating. Afterwards, the program only needs to spend time finding the relevant libraries when it is run if, for some reason (perhaps an upgrade), the libraries have changed since it was prelinked.

prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases.

Why Different MD5 Checksum?

    server1$ prelink -y /lib64/ld-2.5.so | md5sum
    e6d5eba2fedd41492b902aaa092c50a2  -

Linux systems try to randomize addresses to prevent, or at least make very hard, exploits that rely on knowing specific addresses.

Such exploits usually arise when someone finds a way to make a program write to memory it does not own (before or after a buffer, or to memory already released), or to memory it is not supposed to write to, such as the return address of a function.

It may be possible to get the same /proc/$pid/exe checksum on all systems by setting /proc/sys/kernel/randomize_va_space to zero, or at least this would be one of the required changes.

Getting the same checksum for /usr/sbin/portreserve while using prelink may be hard to achieve, as there are too many variables, but again, setting /proc/sys/kernel/randomize_va_space to zero and regenerating the prelinking is likely to work.

But note that there are other kinds of exploits, which need root access to rewrite a binary, usually to hide and/or replicate misbehaviour in binaries while making it look like there are no problems.

Diagnostic Steps

Run the md5 commands on the first server:

    server1$ prelink -y /lib64/ld-2.5.so | md5sum
    e6d5eba2fedd41492b902aaa092c50a2  -

    server1$ md5sum /lib64/ld-2.5.so
    8c958a9d0cbb27344f924861c78bff8e  /lib64/ld-2.5.so

Run the md5 commands on the second server:

    server2$ prelink -y /lib64/ld-2.5.so | md5sum
    e6d5eba2fedd41492b902aaa092c50a2  -

    server2$ md5sum /lib64/ld-2.5.so
    ba9941cea98bade450a86dfdcb49ab26  /lib64/ld-2.5.so

The plain md5sum outputs differ between the servers, while "prelink -y /lib64/ld-2.5.so | md5sum" gives the same result on both.
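The comparison above, automated for a list of files, as an added example that is not part of the original article: each server records both checksums per file, and the two manifests are then classified so that prelink-only differences are separated from real content differences. The manifest format, the function names, and the /opt/example/tool entries are assumptions of this example.

```shell
# Added example, not part of the original article.
# Manifest line format (an assumption of this example):
#   <path> <md5 of file on disk> <md5 of "prelink -y" output>

# make_manifest FILE...: run on each server (needs prelink and md5sum).
make_manifest() {
    for f in "$@"; do
        raw=$(md5sum "$f" | cut -d' ' -f1)
        tmp=$(mktemp) || return 1
        # prelink -y writes the un-prelinked file to stdout; a non-zero exit
        # means verification failed, so record that instead of a hash.
        if prelink -y "$f" >"$tmp" 2>/dev/null; then
            orig=$(md5sum <"$tmp" | cut -d' ' -f1)
        else
            orig=VERIFY_FAILED
        fi
        rm -f "$tmp"
        printf '%s %s %s\n' "$f" "$raw" "$orig"
    done
}

# compare_manifests A B: classify each path listed in both manifests.
compare_manifests() {
    awk '
        NR == FNR { raw[$1] = $2; orig[$1] = $3; next }
        !($1 in raw) { next }
        orig[$1] == "VERIFY_FAILED" || $3 == "VERIFY_FAILED" { print "VERIFY_FAILED", $1; next }
        orig[$1] != $3 { print "CONTENT_DIFFERS", $1; next }
        raw[$1] != $2  { print "PRELINK_ONLY", $1; next }
        { print "IDENTICAL", $1 }
    ' "$1" "$2"
}

# sample_compare: the ld-2.5.so hashes are the ones shown in this article;
# the /opt/example/tool lines are constructed to show a real mismatch.
sample_compare() {
    a=$(mktemp) && b=$(mktemp) || return 1
    cat >"$a" <<'EOF'
/lib64/ld-2.5.so 8c958a9d0cbb27344f924861c78bff8e e6d5eba2fedd41492b902aaa092c50a2
/opt/example/tool 11111111111111111111111111111111 22222222222222222222222222222222
EOF
    cat >"$b" <<'EOF'
/lib64/ld-2.5.so ba9941cea98bade450a86dfdcb49ab26 e6d5eba2fedd41492b902aaa092c50a2
/opt/example/tool 44444444444444444444444444444444 33333333333333333333333333333333
EOF
    compare_manifests "$a" "$b"
    rm -f "$a" "$b"
}
sample_compare
```

Only CONTENT_DIFFERS and VERIFY_FAILED entries need investigation; PRELINK_ONLY is the situation this article describes.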

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
