[MacPorts] #49963: arb @6.0.1_3: LD_LIBRARY_PATH is undefined at make_arbperl_makefile.pl line 21

MacPorts noreply at macports.org
Tue Apr 26 12:41:33 PDT 2016


#49963: arb @6.0.1_3: LD_LIBRARY_PATH is undefined at make_arbperl_makefile.pl line
21
----------------------------+-----------------------------
  Reporter:  cruiz_perez@…  |      Owner:  matt.cottrell@…
      Type:  defect         |     Status:  new
  Priority:  Normal         |  Milestone:
 Component:  ports          |    Version:  2.3.4
Resolution:                 |   Keywords:  elcapitan
      Port:  arb            |
----------------------------+-----------------------------

Comment (by elmar@…):

 Just to explain exactly what's going on here:
 1. ARB passes the location of dynamic libraries to be used both during
 build and after installation using the environment variables
 `LD_LIBRARY_PATH` or `DYLD_LIBRARY_PATH`, depending on host OS. This
 approach has thus far been a fool-proof way to make sure that even with
 multiple versions of ARB installed and users moving ARB installations
 around, the dynamic linker always uses the correct set of libraries. It
 still works fine, even with SIP, except during build.
 2. As per POSIX.1 standard, which the Apple documentation claims their
 implementation adheres to (see `man /usr/share/man/man3/exec.3`), '''the
 environment for a new process image "shall" be a copy of the environment
 of the parent process''', or the array passed to `execle`.
 3. Apple's "SIP" '''breaks''' this behavior by '''deleting''' all
 variables matching `/LD_LIBRARY_PATH|DYLD_.*/` from the process images of
 binaries '''if''' they are loaded from a path flagged as protected (e.g.
 `/bin`, `/sbin`, `/usr`). This is not mentioned in any of the pertinent
 man files nor in the System Integrity Protection Guide on the Apple
 Developer website, nor anywhere else I checked.
 4. GNU Make includes a hard coded path to `/bin/sh` to make sure all
 recipes are executed sanely and predictably, without interference by user
 configured environments. It ignores both the `PATH` and `SHELL`
 environment variables for this purpose, unless `SHELL` is explicitly set
 on the command line or in a loaded script.
 5. During the build, a Perl script is called from a Make recipe. The GNU
 '''Make''' installed via MacPorts '''passes the recipe''' line calling
 Perl (also installed via MacPorts) '''to `/bin/sh`''' for expansion and
 execution. At this point, OS X's '''SIP interferes and deletes the library
 path variables''' from the environment. The Perl script then fails.

 > This is merely a workaround. The developers of arb should fix their
 > build system so that it works even on El Capitan and later with SIP
 > enabled and without workarounds like copying the shell.

 A behavior that is both unexpected and in conflict with the documentation
 is commonly called a bug. "Fixing" the issue within the ARB build system
 is therefore what I would call a workaround for a broken target
 platform/distribution.

 That said, ARB is already littered with workarounds for various target
 platforms anyway. In this case, however, the failing script is part of the
 code building the Perl bindings for the ARB database library. This is done
 using Perl's MakeMaker utility, which does frightening things like
 rebuilding its own Makefile and has been fragile in the past. In order to
 avoid regression on other platforms, I'd rather not rashly touch this
 part. If anyone wants to give it a try, please do. Do test on SLES, RHEL,
 Debian, CentOS and Ubuntu as well, though.

 I would favor a fix on distribution level. Environment variables
 "mysteriously disappearing" between Make and the tool called from a
 Makefile recipe is just wrong. The suggestion to copy /bin/sh into a path
 not flagged for protection and setting SHELL in Make was meant as a hot fix
 and as a means for verifying the source of the problem. A more general
 solution would be to make it so that MacPorts' GNU Make always uses a
 fully working shell, rather than /bin/sh. AFAIK this would require
 patching GNU Make and/or adding a shell to its dependencies.

 As a more direct, short term fix, the ARB package could simply require
 Bash as a dependency and set PATH and SHELL appropriately to avoid usage
 of /bin/bash or /bin/sh (with SHELL set either on the Make command line or
 by adding a line to `config.makefile`).

 The sad part is that after it originally took me almost a day to figure
 out what was going on (the idea that some part of the OS was stealing
 variables didn't occur to me until everything else had been excluded), it
 took all of 5 seconds to work around it. I would love to see a discussion
 piece from Apple on why they thought this was a useful approach to improve
 security, more so than say the time honored method of linking high-value
 targets statically. Also, I'd love to hear in which scenarios an attack
 that is possible by getting a binary on the target host and modifying a
 process's environment can be done using DYLD_LIBRARY_PATH and a malicious
 library, but not by modifying PATH and adding a malicious binary... (let's
 hope PATH isn't next up on Apple's list for lock down).

-- 
Ticket URL: <https://trac.macports.org/ticket/49963#comment:7>
MacPorts <https://www.macports.org/>
Ports system for OS X
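
A diagnostic for the failure described in the comment above, added here as an example and not part of the ticket, ARB or MacPorts: it checks whether a library-path variable is still visible inside a command run through a given shell the way Make runs a recipe line (`shell -c '...'`). The function names and the marker value are made up for the example.

```shell
#!/bin/sh
# Added diagnostic; not code from ARB, MacPorts or GNU Make.
#
# var_survives SHELL_PATH VAR_NAME
#   Runs a command through SHELL_PATH with VAR_NAME set to a marker and
#   checks that the shell still sees the marker.
#   returns 0 = preserved, 1 = stripped or altered, 2 = bad argument
var_survives() {
    vs_shell=$1
    vs_name=$2
    vs_marker="/constructed/marker/$$"   # constructed value, not a real path
    # Accept only a plain identifier, since the name is spliced into -c below.
    case $vs_name in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 2 ;;
    esac
    [ -x "$vs_shell" ] || return 2
    # env(1) sets the variable itself right before exec'ing the shell, so the
    # only hop under test is the shell. printf is a builtin, so no further
    # exec happens before the value is read.
    vs_seen=$(env "$vs_name=$vs_marker" "$vs_shell" -c \
        "printf '%s' \"\${$vs_name-}\"" 2>/dev/null)
    [ "$vs_seen" = "$vs_marker" ]
}

# check_make_shell SHELL_PATH
#   Reports on both variables named in the comment; non-zero if either is lost.
check_make_shell() {
    cms_rc=0
    for cms_var in LD_LIBRARY_PATH DYLD_LIBRARY_PATH; do
        if var_survives "$1" "$cms_var"; then
            echo "$1: $cms_var preserved"
        else
            echo "$1: $cms_var LOST"
            cms_rc=1
        fi
    done
    return $cms_rc
}

# Default to the shell GNU Make uses unless SHELL is set for it.
check_make_shell "${1:-/bin/sh}" ||
    echo "recipes run through this shell will not see the library path"
```

Pass the path of a candidate replacement shell as the first argument to confirm it preserves both variables before pointing Make's `SHELL` at it.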

