[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: lintian: shlib-read-write-env

On 01/31/2017 11:15 AM, Mathieu Malaterre wrote:
> I'd like to discuss addition of a new lintian checks for
> getenv/setenv/putenv used in shared libraries.

Why getenv() though? It just reads the environment.
>From what you link yourself:

| The getenv and secure_getenv functions can be safely used in
| multi-threaded programs.


> Modifications of environment variables are not allowed in
> multi-threaded programs.

Yes. However, just because a library imports a symbol doesn't mean
it uses it in a multithreaded context. (What if a specific routine
in the library uses setenv(), but that routine is clearly marked
as not to be used in an MT-context in the library's docs? And the
rest of the library is safe?)

Case in point: [1]

readelf -sW /usr/lib/x86_64-linux-gnu/libpython3.5m.so | grep putenv
   205: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND putenv@GLIBC_2.2.5 (2)

So basically you have the problem that you can't really be certain
that this is bad just based on the symbol being imported, but if
the library does do it improperly, it's really, really bad. So
from the severity you'd at least want a lintian warning, but
OTOH I don't think it makes sense to have tons of maintainers of
perfectly fine libraries override this tag.

I think a check like this would be great, same as e.g. a check
that libraries properly use O_CLOEXEC for fds, but that's also
very, very difficult to get right as a check. [2]


[1] Yeah, I know, Python is not great with threads due to the GIL,
    but it _is_ thread-safe.
[2] Especially since code could have runtime fallbacks for older
    kernels that didn't yet have dup3, accept4 or similar. And
    you'd basically need to do static analysis. And the library
    could provide a function where the caller explicitly requests
    an fd without CLOEXEC, especially if the library wraps open()
    in some way.

Reply to: