linux_wiki:broken_links_to_executables

Broken Links To Executables

Security scans can detect a vulnerability of “Linux Daemons with Broken Links to Executables”.

This page details what that is and the commonly seen ones with their fixes.

About Broken Links to Executables

What?
When a package is updated on disk (ie via yum or rpm package install) while the application is running in memory, this can create a broken link to executable on disk.

Why?
The /proc pseudo file system keeps track of running processes (in memory) and has symlinks to the on disk location of things like executables. When a package is ripped out from underneath a symlink, it becomes broken. Some services auto restart upon upgrade, some don't.

The Fix
Restart the affected service/process, so the new package binaries are used from disk.

Re-mediating Broken Symlinks

In general, how to re-mediate broken symlinks.

  1. Security scans show the netstat output of the broken link, but don't show the process id. This must be determined on your own.
  2. Find the process ID from netstat output
    netstat -antpu | grep rpc.statd
 
tcp        0      0 0.0.0.0:22605               0.0.0.0:*                   LISTEN      8743/rpc.statd
    1. Process ID is: 8743
  3. Further investigation about the process if it is not yet clear
    ps -elf | grep 8743
 
5 S rpcuser 8743 1 0 80 0 - 5853 poll_s 2015 ? 00:00:00 rpc.statd --no-notify
  4. View the broken symlink in /proc (notice it says “deleted”)
    ls -l /proc/8743/exe
lrwxrwxrwx 1 root root 0 Jul 15 08:50 /proc/8743/exe -> /sbin/rpc.statd (deleted)
  5. Restart the affected service
    service nfslock restart
  6. New PID assigned, verify that no broken symlink exists (“deleted” is now gone)
    ls -l /proc/4217/exe
lrwxrwxrwx 1 root root 0 Aug 18 07:25 /proc/4217/exe -> /sbin/rpc.statd

Common Broken Symlinks

Commonly seen broken symlinks.

pgsql agent

About: pgsql agent runs on Postgres database systems in order to monitor the database.

Restart it

  • EL 6/7
    • Switch to the postgres user
      sudo su - postgres
    • Stop, then start the agent
      /var/lib/pgsql/agent/agent_13.2.0.0.0/bin/emctl stop agent
/var/lib/pgsql/agent/agent_13.2.0.0.0/bin/emctl start agent

rpc.statd

About: rpc.statd is a process used by nfslock, which provides file locking over NFS mounts. This service can be safely restarted as long as there are no open NFS files. WARNING: Restarting this service with open files over NFS mounts could result in stale nfs locks.

Restart it

  • EL 6
    service nfslock restart
  • EL 7
    systemctl restart nfslock
  • linux_wiki/broken_links_to_executables.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)