--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename
- From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Date: Mon, 22 Jun 2020 19:00:11 +0100
- Message-id: <159284881159.3577.15577493642137212642.reportbug@zealot.relativity.greenend.org.uk>
Package: libc6
Version: 2.28-10
Severity: normal
File: /lib/ld-linux.so.2
Hi. I found this behaviour:
$ eatmydata man ls >/dev/null
ERROR: ld.so: object 'libeatmydata.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libeatmydata.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libeatmydata.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libeatmydata.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
$
Experimenting shows that the problem is triggered by having LD_PRELOAD
containing only the library name:
$ faketime yesterday printenv | grep PREL
LD_PRELOAD=libgtk3-nocsd.so.0:/usr/$LIB/faketime/libfaketime.so.1
$ faketime yesterday env LD_PRELOAD=libfaketime.so.1 man ls >/dev/null
ERROR: ld.so: object 'libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
$
The problem is not limited to man:
$ faketime yesterday env LD_PRELOAD=libfaketime.so.1 dash -c true
ERROR: ld.so: object 'libfaketime.so.1' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
$
This message on debian-user seems related:
https://lists.debian.org/debian-user/2017/03/msg00335.html
Colin Watson (CC'd) reports that sid works.
Thanks for your attention.
Ian.
-- System Information:
Debian Release: 10.4
APT prefers stable-debug
APT policy: (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf
Kernel: Linux 5.6.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled
Versions of packages libc6:i386 depends on:
ii libgcc1 1:8.3.0-6
Versions of packages libc6:i386 recommends:
ii libidn2-0 2.0.5-1+deb10u1
Versions of packages libc6:i386 suggests:
ii debconf [debconf-2.0] 1.5.71
ii glibc-doc 2.28-10
ii libc-l10n 2.28-10
ii locales 2.28-10
-- debconf information excluded
--- End Message ---
--- Begin Message ---
- To: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Cc: 963508-done@bugs.debian.org
- Subject: Re: Bug#963508: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename [and 1 more messages]
- From: Aurelien Jarno <aurelien@aurel32.net>
- Date: Sat, 4 Jul 2020 00:22:39 +0200
- Message-id: <20200703222239.GC8215@aurel32.net>
- In-reply-to: <20200623152453.GB287302@aurel32.net>
- References: <159284881159.3577.15577493642137212642.reportbug@zealot.relativity.greenend.org.uk> <20200622211851.GA8215@aurel32.net> <24305.56738.393752.772285@chiark.greenend.org.uk> <20200623110445.GB8215@aurel32.net> <24305.58815.453992.540855@chiark.greenend.org.uk> <20200623130403.GA287302@aurel32.net> <24306.256.917475.620133@chiark.greenend.org.uk> <159284881159.3577.15577493642137212642.reportbug@zealot.relativity.greenend.org.uk> <20200623152453.GB287302@aurel32.net>
On 2020-06-23 17:24, Aurelien Jarno wrote:
> On 2020-06-23 14:17, Ian Jackson wrote:
> >
> > Aurelien Jarno writes ("Re: Bug#963508: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename"):
> > > [stuff]
> >
> > Thanks for your explanations and sorry for being dense.
> >
> > > In secure-execution mode, preload pathnames containing slashes are
> > > ignored. Furthermore, shared objects are preloaded only from the
> > > standard search directories and only if they have set-user-ID mode bit
> > > enabled (which is not typical).
> >
> > Obviously it wouldn't be right for eatmydata to be loaded by actually
> > setuid programs.
> >
> > Ian Jackson writes ("Re: Bug#963508: /lib/ld-linux.so.2: LD_PRELOAD breaks with plain filename"):
> > > (As an aside, I'm not sure why it makes sense for apparmor to inhibit
> > > preloading. I thought apparmor was intended to restrict the
> > > applications you apply it to, not defend them against their callers.)
> >
> > So the overall effect is that programs with apparmor profiles are
> > mostly protected from the effects of LD_PRELOAD (and, I assume,
> > LD_LIBRARY_PATH and various other properties of the execution
> > environment).
>
> Yes, and also GCONV_PATH, GETCONF_DIR, HOSTALIASES, LOCALDOMAIN,
> LOCPATH, MALLOC_TRACE, NIS_PATH, NLSPATH, RESOLV_HOST_CONF, RES_OPTIONS,
> TMPDIR, and TZDIR.
>
> > This doesn't seem correct to me. Is there any documentation giving a
> > rationale for this ? Is there a way to change this locally ?
>
> I do not know enough about apparmor and its threat model to know if it
> should be considered or not. From the glibc point of view, nothing can
> be really done, it just obeys the AT_SECURE flag passed by the kernel.
>
> Now looking at apparmor.d(5), it seems it *might* be controlled by the
> change_profile option with the safe and unsafe mode. But I don't speak
> apparmor fluently enough to actually know how to introduce that option
> in a profile.
>
> > (Other than creating /etc/suid-debug, which is dangerous.)
>
> Yes, this means that it becomes very easy to become root on a system
> with that file.

As explained, this is not a glibc issue, that simply enables the
secure-execution mode when asked by the kernel. I am therefore closing
this bug.

Please open a bug against apparmor or man-db if you feel the current
behaviour is wrong.

Regards,
Aurelien
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien@aurel32.net http://www.aurel32.net
--- End Message ---
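
An added example, not part of either message and not glibc code: a small C diagnostic that applies the secure-execution rule quoted in the thread to each LD_PRELOAD entry and reads the AT_SECURE flag of the current process with getauxval(). The directory list (a Debian amd64 layout) and all function names are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>
#include <sys/stat.h>

enum verdict { V_NOT_FILTERED, V_IGNORED_SLASH, V_IGNORED_NOT_SUID };

/* Assumption: standard search directories of a Debian amd64 system. */
static const char *const std_dirs[] = { "/lib/x86_64-linux-gnu",
    "/usr/lib/x86_64-linux-gnu", "/lib", "/usr/lib", NULL };

/* Apply the quoted secure-execution rule to one LD_PRELOAD entry. */
enum verdict classify_preload(const char *entry, int at_secure) {
    if (!at_secure)
        return V_NOT_FILTERED;          /* normal mode: no extra filtering */
    if (strchr(entry, '/'))
        return V_IGNORED_SLASH;         /* pathnames with slashes are ignored */
    for (size_t i = 0; std_dirs[i]; i++) {
        char path[2048];
        struct stat st;
        snprintf(path, sizeof path, "%s/%s", std_dirs[i], entry);
        if (stat(path, &st) == 0 && (st.st_mode & S_ISUID))
            return V_NOT_FILTERED;      /* plain name with set-user-ID bit */
    }
    return V_IGNORED_NOT_SUID;          /* the case seen in the bug report */
}

/* Count the entries of a colon- or space-separated list that get dropped. */
int count_ignored(const char *value, int at_secure) {
    int ignored = 0;
    while (*value) {
        char entry[1024];
        size_t len = strcspn(value, ": ");
        if (len > 0 && len < sizeof entry) {
            memcpy(entry, value, len);
            entry[len] = '\0';
            ignored += classify_preload(entry, at_secure) != V_NOT_FILTERED;
        }
        value += len + strspn(value + len, ": ");
    }
    return ignored;
}

int main(void) {
    const char *p = getenv("LD_PRELOAD");
    int secure = getauxval(AT_SECURE) != 0;  /* flag passed by the kernel */
    printf("AT_SECURE=%d ignored=%d\n", secure, p ? count_ignored(p, secure) : 0);
}
```

The printed AT_SECURE value describes only the process that runs the diagnostic, so it has to be started the same way as the confined program (same profile transition) to reproduce what ld.so saw.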