authbind (LD_PRELOAD) and multiarch
I'm maintainer and upstream for authbind, which is a set-id helper to
permit and control the binding of low ports by unprivileged programs,
with an LD_PRELOAD wrapper so it can be used by naive callers which
just expect to call bind. I would like some advice about how to
do multiarch support for it.
authbind consists of three pieces:
1. A setuid-root helper executable /usr/lib/authbind/helper. This
helper provides a documented API so that callers who know they want
to use authbind can fork/exec the helper themselves.
The helper is a pure utility: callers do not need to link it
into their address space and on a multiarch system any architecture
suitable for running set-id binaries is fine.
2. A shared library intended for use with LD_PRELOAD. It provides a
replacement implementation of bind(2). Currently this is in
/usr/lib/authbind/libauthbind.so.1.0 but there is no particular
reason it shouldn't be in /usr/lib (or /usr/lib/<triplet>) other
than the worry that someone might say -lauthbind. The shared
library also uses the _init hook to remove itself from LD_PRELOAD
after a while; this is controlled by an environment variable which
the shared library also mutates in _init.
Obviously the shared library needs to be provided for the
architecture of the actual target program; however because of the
_init machinery, and ld.so error messages, it should ideally be
provided for _all_ architectures which the system is capable of
executing.
3. A wrapper program which sets LD_PRELOAD and possibly other
variables for the benefit of the shared library, and then execs the
desired actual program.
This program happens to be a C executable but its architecture is
unimportant.
Currently all three of these are in the same package. This will
obviously have to change.
I have a couple of points I'd like input on:
* I will need to arrange for the same LD_PRELOAD setting to load the
correct libauthbind for each arch. So I guess I do
LD_PRELOAD=libauthbind.so.1 rather than supplying an absolute path,
and trust ld.so to get the right one out of /usr/lib/<triplet>.
Is that right ?
* AFAICT there is no way on a multiarch system to say in my
dependencies "I need this package on all architectures supported on
this system". I went and looked at testing's fakeroot but I'm not
sure I should be using what it does as an example. How should an
LD_PRELOAD hack approach this problem ?
To best avoid transitional problems I guess piece 2 should go into
"authbind" (Multi-arch: same; Depends: authbind-support) and pieces 1
and 3 would in "authbind-support" (Multi-arch: foreign; no
dependency). But I'm not sure.
Thanks,
Ian.
Reply to: