
Bug#963508: marked as done (/lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename)



Your message dated Sat, 4 Jul 2020 00:22:39 +0200
with message-id <20200703222239.GC8215@aurel32.net>
and subject line Re: Bug#963508: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename [and 1 more messages]
has caused the Debian Bug report #963508,
regarding /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
963508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963508
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libc6
Version: 2.28-10
Severity: normal
File: /lib/ld-linux.so.2

Hi.  I found this behaviour:

$ eatmydata man ls >/dev/null 
ERROR: ld.so: object 'libeatmydata.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libeatmydata.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libeatmydata.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libeatmydata.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
$

Experimenting shows that the problem is triggered by having LD_PRELOAD
containing only the library name:

$ faketime yesterday printenv | grep PREL
LD_PRELOAD=libgtk3-nocsd.so.0:/usr/$LIB/faketime/libfaketime.so.1
$ faketime yesterday env LD_PRELOAD=libfaketime.so.1 man ls >/dev/null 
ERROR: ld.so: object 'libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
$

The problem is not limited to man:

$ faketime yesterday env LD_PRELOAD=libfaketime.so.1 dash -c true
ERROR: ld.so: object 'libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
$

This message on debian-user seems related:
  https://lists.debian.org/debian-user/2017/03/msg00335.html

Colin Watson (CC'd) reports that sid works.

Thanks for your attention.

Ian.

-- System Information:
Debian Release: 10.4
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 5.6.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages libc6:i386 depends on:
ii  libgcc1  1:8.3.0-6

Versions of packages libc6:i386 recommends:
ii  libidn2-0  2.0.5-1+deb10u1

Versions of packages libc6:i386 suggests:
ii  debconf [debconf-2.0]  1.5.71
ii  glibc-doc              2.28-10
ii  libc-l10n              2.28-10
ii  locales                2.28-10

-- debconf information excluded

--- End Message ---
--- Begin Message ---
On 2020-06-23 17:24, Aurelien Jarno wrote:
> On 2020-06-23 14:17, Ian Jackson wrote:
> > 
> > Aurelien Jarno writes ("Re: Bug#963508: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename"):
> > > [stuff]
> > 
> > Thanks for your explanations and sorry for being dense.
> > 
> > >   In secure-execution mode, preload pathnames containing slashes are
> > >   ignored.  Furthermore, shared objects are preloaded only from the
> > >   standard search directories and only if they have set-user-ID mode bit
> > >   enabled (which is not typical).
> > 
> > Obviously it wouldn't be right for eatmydata to be loaded by actually
> > setuid programs.
> > 
> > Ian Jackson writes ("Re: Bug#963508: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename"):
> > > (As an aside, I'm not sure why it makes sense for apparmor to inhibit
> > > preloading.  I thought apparmor was intended to restrict the
> > > applications you apply it to, not defend them against their callers.)
> > 
> > So the overall effect is that programs with apparmor profiles are
> > mostly protected from the effects of LD_PRELOAD (and, I assume,
> > LD_LIBRARY_PATH and various other properties of the execution
> > environment).
> 
> Yes, and also GCONV_PATH, GETCONF_DIR, HOSTALIASES, LOCALDOMAIN,
> LOCPATH, MALLOC_TRACE, NIS_PATH, NLSPATH, RESOLV_HOST_CONF, RES_OPTIONS,
> TMPDIR, and TZDIR.
> 
> > This doesn't seem correct to me.  Is there any documentation giving a
> > rationale for this ?  Is there a way to change this locally ?
> 
> I do not know enough about apparmor and its threat model to know if it
> should be considered or not. From the glibc point of view, nothing can
> be really done, it just obeys the AT_SECURE flag passed by the kernel.
> 
> Now looking at apparmor.d(5), it seems it *might* be controlled by the
> change_profile option with the safe and unsafe mode. But I don't speak
> apparmor fluently enough to actually know how to introduce that option
> in a profile.
> 
> > (Other than creating /etc/suid-debug, which is dangerous.)
> 
> Yes, this means that it becomes very easy to become root on a system
> with that file.

As explained, this is not a glibc issue, that simply enables the
secure-execution mode when asked by the kernel. I am therefore closing
this bug.

Please open a bug against apparmor or man-db if you feel the current
behaviour is wrong.

Regards,
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net

--- End Message ---
