Broken Links To Executables
Security scans can detect a vulnerability of “Linux Daemons with Broken Links to Executables”.
This page details what that is and the commonly seen ones with their fixes.
About Broken Links to Executables
What?
When a package is updated on disk (ie via yum or rpm package install) while the application is running in memory, this can create a broken link to executable on disk.
Why?
The /proc pseudo file system keeps track of running processes (in memory) and has symlinks to the on disk location of things like executables. When a package is ripped out from underneath a symlink, it becomes broken. Some services auto restart upon upgrade, some don't.
The Fix
Restart the affected service/process, so the new package binaries are used from disk.
Re-mediating Broken Symlinks
In general, how to re-mediate broken symlinks.
- Security scans show the netstat output of the broken link, but don't show the process id. This must be determined on your own.
- Find the process ID from netstat output
netstat -antpu | grep rpc.statd tcp 0 0 0.0.0.0:22605 0.0.0.0:* LISTEN 8743/rpc.statd
- Process ID is: 8743
- Further investigation about the process if it is not yet clear
ps -elf | grep 8743 5 S rpcuser 8743 1 0 80 0 - 5853 poll_s 2015 ? 00:00:00 rpc.statd --no-notify
- View the broken symlink in /proc (notice it says “deleted”)
ls -l /proc/8743/exe lrwxrwxrwx 1 root root 0 Jul 15 08:50 /proc/8743/exe -> /sbin/rpc.statd (deleted)
- Restart the affected service
service nfslock restart
- New PID assigned, verify that no broken symlink exists (“deleted” is now gone)
ls -l /proc/4217/exe lrwxrwxrwx 1 root root 0 Aug 18 07:25 /proc/4217/exe -> /sbin/rpc.statd
Common Broken Symlinks
Commonly seen broken symlinks.
pgsql agent
About: pgsql agent runs on Postgres database systems in order to monitor the database.
Restart it
- EL 6/7
- Switch to the postgres user
sudo su - postgres
- Stop, then start the agent
/var/lib/pgsql/agent/agent_13.2.0.0.0/bin/emctl stop agent /var/lib/pgsql/agent/agent_13.2.0.0.0/bin/emctl start agent
rpc.statd
About: rpc.statd is a process used by nfslock, which provides file locking over NFS mounts. This service can be safely restarted as long as there are no open NFS files. WARNING: Restarting this service with open files over NFS mounts could result in stale nfs locks.
Restart it
- EL 6
service nfslock restart
- EL 7
systemctl restart nfslock