I have an application that needs to run with the CAP_NET_BIND_SERVICE capability so that it can open a low port (502 for a TCP/Modbus server). It comes bundled with a set of .so files that it needs to dynamically link against, including pinned versions of system libraries (libxml.so and libz.so). Generally, I would set LD_LIBRARY_PATH, but when the executable has a capability, environment variables are ignored (see "Secure-Execution Mode" in ld.so(8)).
I have tried the following things:
- Adding the search paths to the /etc/ld.so.conf.d directory breaks anything that relies on the system libraries that are now shadowed by the vendored libraries
- Setting up a firewall rule to redirect port 502 to a high port, changing the configured listen port, and disabling the capability is not allowed under our security policy*
- Our license with the vendor does not allow us to modify their compiled executables, so chrpath is not an option
- Running as root is not recommended for security reasons, and would generate root-owned log files (that we would prefer to avoid)
OS is RHEL 7, running as a systemd service with a custom unit file.
Is there a way to add a library search path for just this specific application?
*which I'm not empowered to change or make an exception to
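One route the secure-execution caveat above leaves open, shown here as an added example and not part of the original question: grant the capability to the process through systemd's AmbientCapabilities= rather than storing it on the binary with setcap, so execve does not set AT_SECURE and ld.so keeps honouring LD_LIBRARY_PATH. This assumes a systemd/kernel pair that supports ambient capabilities (systemd 229+, kernel 4.3+; RHEL 7's systemd 219 predates the directive, so confirm with systemctl --version and systemd.exec(5) on the host), and the unit name, service account and /opt/vendor paths are placeholders.

```ini
# /etc/systemd/system/modbus-app.service   (placeholder name, added example)
[Unit]
Description=Vendor Modbus/TCP server on port 502
After=network.target

[Service]
Type=simple
# Unprivileged service account (placeholder): log files are owned by it, not root
User=modbus
Group=modbus
# The capability is given to the process, not the file, so the kernel does not
# enter secure-execution mode and LD_LIBRARY_PATH is not ignored.
# Requires systemd >= 229 and kernel >= 4.3.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
# Vendored libxml/libz pins take precedence only inside this process
Environment=LD_LIBRARY_PATH=/opt/vendor/lib
# The binary must NOT carry file capabilities or this reverts to secure mode;
# check with: getcap /opt/vendor/bin/modbus-server   (expect no output)
ExecStart=/opt/vendor/bin/modbus-server

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload` and starting the unit, `ss -ltnp 'sport = :502'` should show the listener owned by the service account, and `grep CapAmb /proc/<pid>/status` should report the single ambient bit for CAP_NET_BIND_SERVICE.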