Introduction: 

Our Unix Server Provider security team of our found the following line in the /etc/profile:

LD_LIBRARY_PATH="/opt/CA/SharedComponents/lib:$LD_LIBRARY_PATH"; export LD_LIBRARY_PATH

As the /etc/profile is run for each user logging on to the server, the effect is that all applications that will be started will look first into the harvest specific lib path and into the system libraries second.

The security team believes this to be a security hole because somebody logged in as the user harvest could copy a manipulated system library to /opt/CA/SharedComponents/lib and as a result override the system libraries.

Question: 

Does Harvest require this entry in /etc/profile?

Environment:  

CA Harvest SCM, all versions, Unix and Linux platforms

Answer: 

Harvest does require that the /opt/CA/SharedComponents/lib folder be included in the LD_LIBRARY_PATH environment variable, but it does not have to be first in the path. You should check to see why the /etc/profile was configured this way (for example if you're running the multi-user agent which is executed by "root").

To resolve the security problem you could alter your /etc/profile to say:

LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/opt/CA/SharedComponents/lib"; export LD_LIBRARY_PATH

That way, library files in the SharedComponents/lib would not override the system libraries.

You might also consider locking down write permissions to the folder so that the libraries found there cannot be changed except by a system administrator or the root user.  All other users would still need read and execute permissions, but not necessarily write permissions.