Bug#544471: cap_sys_nice on executable leads to ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored
Clint Adams wrote: On Tue, Sep 01, 2009 at 12:24:23AM -0400, Yaroslav Halchenko wrote: do you mean that executables with any capabilities (or even just cap_sys_nice) set are considered insecure and LD_PRELOAD is explicitly disallowed so LD_PRELOAD of fakeroot library fails? Yes, it is the same as with setuid/setgid programs. The point is that otherwise you could make a preload library to exploit any capability by subverting one of the functions used by a privileged binary. I'm not sure how fakeroot-ng interacts with capabilities, but perhaps it is more suitable for your use case. For SUID, fakeroot means that the program runs with privileges but without fakeroot's wrapping. Fakeroot-ng means that program runs without the (real) privileges, but with fakeroot-ng's wrapping. I'm not sure about capabilities, but it's definitely worth giving it a try. Shachar -- Shachar Shemesh Lingnu Open Source Consulting Ltd. http://www.lingnu.com
Bug#544471: cap_sys_nice on executable leads to ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored
Yaroslav Halchenko wrote: hm... it seems to be doing find: $ fakeroot python --version ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored. Python 2.5.4 $ fakeroot-ng python --version Python 2.5.4 cool -- thanks for the hint... seems to remain working fine within dpkg-buildpackage ;) I just wonder now what to do with the bug -- apparently it is a feature ;) but may be error message could be made more informative/relevant? This is not a bug. It's a design limitation. I'm not even sure fakeroot has the option of detecting when this limitation is about to trigger (at least, not in a sane way). Shachar -- Shachar Shemesh Lingnu Open Source Consulting Ltd. http://www.lingnu.com
Bug#544471: cap_sys_nice on executable leads to ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored
Package: fakeroot Version: 1.13 Severity: normal I've used (you need libcap2-bin for setcap) sudo setcap cap_sys_nice=eip /usr/bin/python2.5 to allow python scripts to adjust nice levels/choose scheduler. Unfortunately it obscures fakeroot call, since then I get $ fakeroot python ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored. Python 2.5.4 (r254:67916, Feb 18 2009, 03:00:47) [GCC 4.3.3] on linux2 Type help, copyright, credits or license for more information. and that brakes pycentral: $ fakeroot dh_pycentral -i dh_pycentral: Unable to parse python version out of ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored. Python 2.5.4 . since it relies on parsing stderr as it contains output from python --version -- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (900, 'testing'), (600, 'unstable'), (300, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 2.6.31-rc5-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages fakeroot depends on: ii libc6 2.9-23 GNU C Library: Shared libraries fakeroot recommends no packages. fakeroot suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#544471: cap_sys_nice on executable leads to ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored
On Mon, Aug 31, 2009 at 03:35:29PM -0400, Yaroslav Halchenko wrote: I've used (you need libcap2-bin for setcap) sudo setcap cap_sys_nice=eip /usr/bin/python2.5 to allow python scripts to adjust nice levels/choose scheduler. Unfortunately it obscures fakeroot call, since then I get $ fakeroot python ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored. Python 2.5.4 (r254:67916, Feb 18 2009, 03:00:47) [GCC 4.3.3] on linux2 Type help, copyright, credits or license for more information. I'm not sure what we can do here; I don't think we want to obscure the fact that LD_PRELOAD has been disabled for security reasons. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#544471: cap_sys_nice on executable leads to ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored
Hi Clint, do you mean that executables with any capabilities (or even just cap_sys_nice) set are considered insecure and LD_PRELOAD is explicitly disallowed so LD_PRELOAD of fakeroot library fails? N.B. fakeroot python whenever python has no cap_sys_nice is doing fine On Tue, 01 Sep 2009, Clint Adams wrote: I'm not sure what we can do here; I don't think we want to obscure the fact that LD_PRELOAD has been disabled for security reasons. -- .-. =-- /v\ = Keep in touch// \\ (yoh@|www.)onerussian.com Yaroslav Halchenko /( )\ ICQ#: 60653192 Linux User^^-^^[17] -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#544471: cap_sys_nice on executable leads to ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored
On Tue, Sep 01, 2009 at 12:24:23AM -0400, Yaroslav Halchenko wrote: do you mean that executables with any capabilities (or even just cap_sys_nice) set are considered insecure and LD_PRELOAD is explicitly disallowed so LD_PRELOAD of fakeroot library fails? Yes, it is the same as with setuid/setgid programs. The point is that otherwise you could make a preload library to exploit any capability by subverting one of the functions used by a privileged binary. I'm not sure how fakeroot-ng interacts with capabilities, but perhaps it is more suitable for your use case. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#544471: cap_sys_nice on executable leads to ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored
On Tue, 01 Sep 2009, Clint Adams wrote: On Tue, Sep 01, 2009 at 12:24:23AM -0400, Yaroslav Halchenko wrote: do you mean that executables with any capabilities (or even just cap_sys_nice) set are considered insecure and LD_PRELOAD is explicitly disallowed so LD_PRELOAD of fakeroot library fails? Yes, it is the same as with setuid/setgid programs. The point is that otherwise you could make a preload library to exploit any capability by subverting one of the functions used by a privileged binary. I'm not sure how fakeroot-ng interacts with capabilities, but perhaps it is more suitable for your use case. hm... it seems to be doing find: $ fakeroot python --version ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored. Python 2.5.4 $ fakeroot-ng python --version Python 2.5.4 cool -- thanks for the hint... seems to remain working fine within dpkg-buildpackage ;) I just wonder now what to do with the bug -- apparently it is a feature ;) but may be error message could be made more informative/relevant? -- .-. =-- /v\ = Keep in touch// \\ (yoh@|www.)onerussian.com Yaroslav Halchenko /( )\ ICQ#: 60653192 Linux User^^-^^[17] -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org