Re: [exim] Exim in Gramine: defining search path for loading dynamic libraries
Dengler, Gabriel via Exim-users (Mi 02 Nov 2022 19:03:34 CET): > About the security caveats: do you think that there could be bigger security > issues if the code runs in an isolated environment like Gramine is? Or can > you sketch how a possible security attack could look? If I remember well, until we introduced keep_environment and add_environment, the following was possible as an unprivileged user ("hans"): $ export PERL5LIB=/home/hans $ /usr/sbin/exim … In the above scenario the Exim config used Perl functions, loaded from external Perl modules (assuemed to be in one of the default Perl library paths), By the above modification an unprivileged user was able get more privileges by "injecting" malicious Perl functions. I can imagine that a similar approach will work with LD_LIBRARY_PATH. But … doesn't the loader clean the LD_LIBRARY_PATH if the RUID differs from the EUID? See ld.so(8) for LD_LIBRARY_PATH. Given that, I'm curious why setting this variable works in your environment. Best regards from Dresden/Germany Viele Grüße aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE - signature.asc Description: PGP signature -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Exim in Gramine: defining search path for loading dynamic libraries
Hey Jeremy, thanks, setting keep_environment = LD_LIBRARY_PATH in the main configuration file seemed to do the trick. About the security caveats: do you think that there could be bigger security issues if the code runs in an isolated environment like Gramine is? Or can you sketch how a possible security attack could look? Best regards, Gabriel On 02.11.22 16:50, Jeremy Harris via Exim-users wrote: On 31/10/2022 21:57, Dengler, Gabriel via Exim-users wrote: Currently unsolved is a problem regarding the LD_LIBRARY_PATH: in Gramine, you can define which libraries have to be loaded. If that operates by setting an LD_LIBRARY_PATH env var, you could try adding that to the main-config option "keep_environment". Do read the manual section on it regarding security caveats. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Exim in Gramine: defining search path for loading dynamic libraries
On 31/10/2022 21:57, Dengler, Gabriel via Exim-users wrote: Currently unsolved is a problem regarding the LD_LIBRARY_PATH: in Gramine, you can define which libraries have to be loaded. If that operates by setting an LD_LIBRARY_PATH env var, you could try adding that to the main-config option "keep_environment". Do read the manual section on it regarding security caveats. -- Cheers, Jeremy -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
[exim] Exim in Gramine: defining search path for loading dynamic libraries
Hello everyone, I wanted to run Exim in Gramine. Gramine is a software to support the so-called Intel Software Guard Extension (SGX) which allows running software in enclaves separated from the host environment (cmp. https://gramineproject.io/). I've already made some great progress and resolved a lot of issues with Gramine that I documented here: https://github.com/gramineproject/gramine/discussions/1013 Currently unsolved is a problem regarding the LD_LIBRARY_PATH: in Gramine, you can define which libraries have to be loaded. A common configuration is, e.g., "/lib:{{ arch_libdir }}:/usr{{ arch_libdir }}", where "arch_libdir = /lib/x86_64-linux-gnu/". On the first startup, this is correctly recognized. However, when Exim sends an e-mail, Exim internally invokes the "exec" system call and somehow seems to overwrite the LD_LIBRARY_PATH, since it now searches in the directory "/usr/local/lib/" for libraries. As a first workaround, you can also mount the necessary libraries in the folder "/usr/local/lib/", however, this is no elegant solution. Therefore I tried out to modify Exim, e.g. by adding this path to "LOOKUP_LIBS" in the Local Makefile, but without success. I also noticed this post: https://www.exim.org/exim-html-4.66/doc/html/FAQ-html/FAQ_0.html#TOC32 So, this is my question: how could you adjust the load library path? Best regards, Gabriel -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/