New submission from dgelessus <[email protected]>:
Recent Python.org versions of Python for macOS no longer respect the
DYLD_LIBRARY_PATH environment variable for extending the dynamic library search
path, and the envvar is completely invisible to the Python process. This is the
case since at least Python 3.7.7 and Python 3.8.2. It was *not* the case with
Python 3.7.5 or Python 3.8.0 or any earlier versions (I haven't tested 3.7.6
and 3.8.1). For example:

$ python3.6 --version
Python 3.6.8
$ DYLD_LIBRARY_PATH=tests/objc python3.6 -c 'import os; print(os.environ.get("DYLD_LIBRARY_PATH"))'
tests/objc
$ python3.7 --version
Python 3.7.7
$ DYLD_LIBRARY_PATH=tests/objc python3.7 -c 'import os; print(os.environ.get("DYLD_LIBRARY_PATH"))'
None

This seems to be because the Python binaries now fulfill the requirements for
notarization (as mentioned in
https://www.python.org/downloads/release/python-377/#macos-users), which
includes enabling the hardened runtime
(https://developer.apple.com/documentation/security/hardened_runtime), which by
default hides DYLD_LIBRARY_PATH (and other DYLD_... envvars) from the hardened
binary.

To disable this protection and allow using DYLD_... envvars again, the
entitlement com.apple.security.cs.allow-dyld-environment-variables
(https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_allow-dyld-environment-variables)
can be added to a hardened binary. The Python binaries seem to have some
entitlements, but not .allow-dyld-environment-variables:

$ codesign --display --entitlements=:- python3.7
Executable=/Library/Frameworks/Python.framework/Versions/3.7/bin/python3.7
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
</dict>
</plist>

Would it be possible to add this entitlement to the Python binaries, so that
DYLD_LIBRARY_PATH can be used again, as was possible in previous versions?
----------
components: macOS
messages: 365824
nosy: dgelessus, ned.deily, ronaldoussoren
priority: normal
severity: normal
status: open
title: macOS Python builds from Python.org ignore DYLD_LIBRARY_PATH due to
hardened runtime
versions: Python 3.7, Python 3.8
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue40198>
_______________________________________
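
The check described in the report, as an added example that is not part of the original submission or of CPython's build tooling: it parses the `codesign` entitlement dump quoted above and decides whether DYLD_* variables reach the process. The function names and the CodeDirectory sample line are assumptions made for this sketch, and only the hardened-runtime rule from the report is modelled.

```python
import plistlib
import re

DYLD_ENTITLEMENT = "com.apple.security.cs.allow-dyld-environment-variables"
# Entitlement dump copied from the report (codesign --display --entitlements=:-).
PAGE_OUTPUT = """Executable=/Library/Frameworks/Python.framework/Versions/3.7/bin/python3.7
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
</dict>
</plist>
"""
# Constructed sample of the CodeDirectory line from `codesign --display --verbose`.
SAMPLE_CODEDIR = "CodeDirectory v=20500 size=500 flags=0x10000(runtime) hashes=8+5 location=embedded"

def parse_entitlements(codesign_output):
    """Return the entitlements dict from codesign output, {} if none are embedded."""
    start = codesign_output.find("<?xml")  # skip the leading "Executable=" line
    if start == -1:
        return {}
    return plistlib.loads(codesign_output[start:].encode("utf-8"))

def is_hardened(codedir_line):
    """True when the signature flags include the hardened runtime."""
    m = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", codedir_line)
    return bool(m) and "runtime" in m.group(1).split(",")

def dyld_vars_visible(codedir_line, codesign_output):
    """Hardened binaries see DYLD_* only with the allow-dyld entitlement set to true."""
    if not is_hardened(codedir_line):
        return True  # assumption: no other restriction (e.g. SIP) applies
    return parse_entitlements(codesign_output).get(DYLD_ENTITLEMENT) is True

def runtime_exceptions(codesign_output):
    """List the com.apple.security.cs.* entitlements that are switched on."""
    ents = parse_entitlements(codesign_output)
    return sorted(k for k, v in ents.items()
                  if k.startswith("com.apple.security.cs.") and v is True)

if __name__ == "__main__":
    print("DYLD_* visible:", dyld_vars_visible(SAMPLE_CODEDIR, PAGE_OUTPUT))
    print("exceptions on:", runtime_exceptions(PAGE_OUTPUT))
```

Listing the enabled exceptions alongside the verdict is useful when reviewing a signed build, since each one relaxes a hardened-runtime protection.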