Robert Haas writes:
> ... it turns out that System Integrity Protection
> feature *also* prevents DYLD_LIBRARY_PATH from being inherited by
> child processes in some manner.

Yeah, this was already known and documented on the lists a year or two
back.  I suggest filing a bug report with Apple; if enough people bitch
about it, maybe they'll rethink.  (I don't have much hope for that,
mind you, but they certainly won't change this without a boatload of

> My main purpose in writing this email is to pass along what I learned
> in the hopes of sparing somebody else some trouble, but perhaps there
> is a way to modify our regression test setup so that the tests can
> pass with System Integrity Protection enabled.

Not really.  If you want it to take libpq.dylib from the build tree,
rather than some already-installed location, there is no other option

The really annoying thing is that there's no particular security advantage
to be gained by not passing it through bash invocations.  If they're not
resetting PATH in such cases, which they aren't, where the heck is the
incremental gain from resetting DYLD_LIBRARY_PATH?  A bad guy in control
of the process environment has already won.

                        regards, tom lane
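
A quick way to observe the behaviour discussed in this message on a given machine, as an added example that is not part of the original email or of the PostgreSQL build scripts: it passes PATH and DYLD_LIBRARY_PATH through a shell binary and reports whether each one arrives in the child. The function names and the sentinel value are constructed for this example.

```shell
#!/bin/sh
# Probe whether an environment variable survives being handed to an
# interpreter binary such as /bin/sh or /bin/bash.

# survives VAR INTERPRETER -> prints "kept" or "stripped"
survives() {
    var=$1
    interp=$2
    sentinel="/tmp/env-probe-$$"        # constructed marker value
    # Append the marker to the current value so PATH stays usable in the child.
    eval "current=\${$var:-}"
    seen=$(env "$var=${current:+$current:}$sentinel" \
               "$interp" -c "printf '%s' \"\${$var:-}\"")
    case $seen in
        *"$sentinel"*) echo kept ;;
        *)             echo stripped ;;
    esac
}

# report INTERPRETER... -> one line per (variable, interpreter) pair
report() {
    for interp in "$@"; do
        [ -x "$interp" ] || continue    # skip shells not present on this host
        for var in PATH DYLD_LIBRARY_PATH; do
            printf '%-18s via %-10s %s\n' \
                "$var" "$interp" "$(survives "$var" "$interp")"
        done
    done
}

report /bin/sh /bin/bash
```

If PATH is reported as kept while DYLD_LIBRARY_PATH is reported as stripped, the host shows the asymmetry described above; on systems without this restriction both lines read kept.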
