Bug#963508: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename [and 1 more messages]
Aurelien Jarno writes ("Re: Bug#963508: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename"):
> [stuff]
Thanks for your explanations and sorry for being dense.
> In secure-execution mode, preload pathnames containing slashes are
> ignored. Furthermore, shared objects are preloaded only from the
> standard search directories and only if they have set-user-ID mode bit
> enabled (which is not typical).
Obviously it wouldn't be right for eatmydata to be loaded by actually
setuid programs.
Ian Jackson writes ("Re: Bug#963508: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename"):
> (As an aside, I'm not sure why it makes sense for apparmor to inhibit
> preloading. I thought apparmor was intended to restrict the
> applications you apply it to, not defend them against their callers.)
So the overall effect is that programs with apparmor profiles are
mostly protected from the effects of LD_PRELOAD (and, I assume,
LD_LIBRARY_PATH and various other properties of the execution
environment).
This doesn't seem correct to me. Is there any documentation giving a
rationale for this? Is there a way to change this locally?
(Other than creating /etc/suid-debug, which is dangerous.)
Ian.
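An added diagnostic, not from the bug report or from glibc itself, that applies the two secure-execution rules quoted above to a process's own LD_PRELOAD value and reports why each entry would be kept or ignored. The list of standard search directories is an assumption for a typical Debian layout, and the sample LD_PRELOAD value is constructed.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>
#include <sys/stat.h>

/* Assumed standard search directories (typical Debian layout, not glibc's
 * authoritative list). */
static const char *std_dirs[] = { "/lib", "/usr/lib", NULL };

/* Rule 1 quoted in the thread: in secure-execution mode (AT_SECURE set, as for
 * set-user-ID programs) the loader ignores any LD_PRELOAD entry containing a
 * slash. Returns 1 if the entry survives this rule. */
int survives_slash_rule(const char *entry, int secure)
{
    return !(secure && strchr(entry, '/') != NULL);
}

/* Rule 2: a plain name is preloaded only from a standard search directory and
 * only if that file has the set-user-ID bit. Returns 1 and copies the path
 * into `found` (when non-NULL) if such a file exists. */
int setuid_copy_in_std_dirs(const char *name, char *found, size_t len)
{
    char path[PATH_MAX];
    struct stat st;
    for (const char **d = std_dirs; *d; d++) {
        snprintf(path, sizeof path, "%s/%s", *d, name);
        if (stat(path, &st) == 0 && (st.st_mode & S_ISUID)) {
            if (found) snprintf(found, len, "%s", path);
            return 1;
        }
    }
    return 0;
}

/* Walk an LD_PRELOAD value (entries separated by ':' or spaces), print the
 * loader's expected decision per entry, return how many would be loaded. */
int audit_preload(const char *value, int secure)
{
    char buf[4096], path[PATH_MAX];
    int loaded = 0;
    snprintf(buf, sizeof buf, "%s", value);
    for (char *e = strtok(buf, ": "); e; e = strtok(NULL, ": ")) {
        if (!secure) { printf("%s: loaded (not secure mode)\n", e); loaded++; }
        else if (!survives_slash_rule(e, secure)) printf("%s: ignored (contains '/')\n", e);
        else if (setuid_copy_in_std_dirs(e, path, sizeof path)) { printf("%s: loaded from %s\n", e, path); loaded++; }
        else printf("%s: ignored (no set-user-ID copy in standard dirs)\n", e);
    }
    return loaded;
}

int main(void)
{
    const char *val = getenv("LD_PRELOAD");
    int secure = getauxval(AT_SECURE) != 0;           /* are we in secure mode? */
    if (!val) val = "libeatmydata.so /usr/lib/libeatmydata.so"; /* constructed sample */
    printf("AT_SECURE=%d\n", secure);
    return audit_preload(val, secure) > 0 ? 0 : 1;
}
```

Run it under a set-user-ID wrapper to see AT_SECURE=1 and the slash-containing entry dropped; note that AppArmor's own handling is outside this check.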