Customizing Program Behavior

A typical scenario for using LD_PRELOAD would be to change undesirable behavior in one of your applications, where the application's source code is too complex to search for the right location or is simply not available. As an alternative, you can use strace [2] or ltrace [3] (see the "strace and ltrace" box) to check the order in which the application tries to open files or network connections.

strace -o prog.log prog

$ strace -o prog.log -e trace=open,openat,close prog
$ ltrace -x open+openat+close prog

It may turn out that a program sources information that it can't handle from a global configuration file. However, you do not want to change the global file because other applications access it and need this information.

In this case, it would be useful to point the problematic program to another configuration file, which you would populate with suitable content to let the program run correctly. To do this, you need to manipulate the open() function so that it responds to any attempt to open a specific file by opening the alternate file. Listing 6 shows how to redirect all attempts to open the /etc/fstab file in /tmp/fstab.test.

#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#define SEARCH_PATH "/etc/fstab"
#define REPLACE_PATH "/tmp/fstab.test"
int (*true_open)(const char *pathname, int flags, va_list mode);
int open (const char *pathname, int flags, va_list mode) {
  true_open = dlsym (RTLD_NEXT, "open");
  char *longpath = realpath (pathname, NULL);
  if (!strncmp (longpath, SEARCH_PATH, PATH_MAX))
    pathname = REPLACE_PATH;
  int fd = true_open (pathname, flags, mode);
  free (longpath);
  return fd;
}

The new version of open() first creates an absolute path specification for the specified file name with realpath(). You can also call open() with relative paths, which can then look very different depending on the working directory. The change ensures that only a single path is checked. The strncmp() function then compares the path with a search term (in my example, /etc/fstab) and replaces it with the name of the alternative file (/tmp/fstab.test) if there is a match.

After that, it continues as usual with true_open() opening the file. The call to free() at the end of Listing 6 is necessary because longpath() has reserved memory for storing the path specification. You need to release this before leaving the function. Again, the compile process is a one-liner (Listing 7, line 1).

01 $ gcc openother.c -o openother.so -fPIC -shared -ldl
02 $ echo "This is not /etc/fstab" > /tmp/fstab.test
03 $ LD_PRELOAD=$PWD/openother.so cat /etc/fstab
04 This is not /etc/fstab

Now when you create a file with the call from line 2 and access /etc/fstab with cat and the library enabled via LD_PRELOAD, you will be opening the file created in /tmp instead (line 4).

Prohibiting Access

Instead of redirecting file access, the solution to the problem could be to completely prevent access. To do this, you would abort without calling the original function in certain cases, set the errno global error variable, and return an exit code of -1.

Listing 8 shows the code that terminates open() upon accessing the /etc/fstab file with an error code of ENOENT and an exit code of -1. The attempt to open the file then causes the program to abort as desired (Listing 9).

#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#define SEARCH_PATH "/etc/fstab"
int (*true_open)(const char *pathname, int flags, va_list mode);
int open (const char *pathname, int flags, va_list mode) {
  true_open = dlsym (RTLD_NEXT, "open");
  char *longpath = realpath (pathname, NULL);
  int check = strncmp (longpath, SEARCH_PATH, PATH_MAX);
  free (longpath);
  if (!check) {
    errno = ENOENT; // file not found
    return -1;
  }
  return true_open (pathname, flags, mode);
}

$ LD_PRELOAD=$PWD/dontopen.so cat /etc/fstab
cat: /etc/fstab: File or directory not found

ENOENT stands for "File or directory not found." The definitions for error codes can be found in errno-base.h and errno.h in the /usr/include/asm-generic/ folder; you can also select other codes.

If you test access blocking with other programs, you may notice that some editors like Vim, mcedit, or Nano are also blocked, but gedit can open the file. An analysis with strace shows that gedit uses openat instead of open() to open files. Consequently, you will need an alternative implementation for gedit.

More Examples

You can find more potential uses on GitHub [4]. For example, libfaketime lets you fool processes into believing that the system time is different and, in particular, that the date is different. This proves useful if you want to start a program whose usage license has expired. The change only applies to processes that are started by libfaketime. The tool uses LD_PRELOAD to load a library that replaces various functions, including time(), ftime(), and gettimeofday() (Figure 3).

Figure 3: Thanks to libfaketime, the clock on the right is already 2.5 hours later than the clock on the left.

The stderred library (the name combines stderr for standard error and the color "red") colors all output on the terminal that a process sends to the standard error channel. This means that error messages can be easily distinguished from other output.

The fsatrace monitors file access and detects read and write access, moves, deletions, and status queries. However, you can easily achieve the same behavior with strace.