authbind (LD_PRELOAD) and multiarch

To: debian-devel@lists.debian.org
Cc: debian-dpkg@lists.debian.org
Subject: authbind (LD_PRELOAD) and multiarch
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Mon, 12 Dec 2011 11:26:43 +0000
Message-id: <[🔎] 20197.58611.758263.939051@chiark.greenend.org.uk>

I'm maintainer and upstream for authbind, which is a set-id helper to
permit and control the binding of low ports by unprivileged programs,
with an LD_PRELOAD wrapper so it can be used by naive callers which
just expect to call bind.  I would like some advice about how to
do multiarch support for it.

authbind consists of three pieces:

1. A setuid-root helper executable /usr/lib/authbind/helper.  This
   helper provides a documented API so that callers who know they want
   to use authbind can fork/exec the helper themselves.  

   The helper is a pure utility: callers do not need to link it
   into their address space and on a multiarch system any architecture
   suitable for running set-id binaries is fine.

2. A shared library intended for use with LD_PRELOAD.  It provides a
   replacement implementation of bind(2).  Currently this is in
   /usr/lib/authbind/libauthbind.so.1.0 but there is no particular
   reason it shouldn't be in /usr/lib (or /usr/lib/<triplet>) other
   than the worry that someone might say -lauthbind.  The shared
   library also uses the _init hook to remove itself from LD_PRELOAD
   after a while; this is controlled by an environment variable which
   the shared library also mutates in _init.

   Obviously the shared library needs to be provided for the
   architecture of the actual target program; however because of the
   _init machinery, and ld.so error messages, it should ideally be
   provided for _all_ architectures which the system is capable of
   executing.

3. A wrapper program which sets LD_PRELOAD and possibly other
   variables for the benefit of the shared library, and then execs the
   desired actual program.

   This program happens to be a C executable but its architecture is
   unimportant.

Currently all three of these are in the same package.  This will
obviously have to change.

I have a couple of points I'd like input on:

 * I will need to arrange for the same LD_PRELOAD setting to load the
   correct libauthbind for each arch.  So I guess I do
   LD_PRELOAD=libauthbind.so.1 rather than supplying an absolute path,
   and trust ld.so to get the right one out of /usr/lib/<triplet>.
   Is that right ?

 * AFAICT there is no way on a multiarch system to say in my
   dependencies "I need this package on all architectures supported on
   this system".  I went and looked at testing's fakeroot but I'm not
   sure I should be using what it does as an example.  How should an
   LD_PRELOAD hack approach this problem ?

To best avoid transitional problems I guess piece 2 should go into
"authbind" (Multi-arch: same; Depends: authbind-support) and pieces 1
and 3 would in "authbind-support" (Multi-arch: foreign; no
dependency).  But I'm not sure.

Thanks,
Ian.

Reply to:

Follow-Ups:
- Re: authbind (LD_PRELOAD) and multiarch
  - From: Raphael Hertzog <hertzog@debian.org>

Prev by Date: Re: Getting dh_install to do what we need
Next by Date: Re: authbind (LD_PRELOAD) and multiarch
Previous by thread: Bug#651789: ITP: pentobi -- A clone of Blokus, a strategy board game based on the concept of polyominoes.
Next by thread: Re: authbind (LD_PRELOAD) and multiarch
Index(es):
- Date
- Thread