subject:"\[exim\] Exim in Gramine\: defining search path for loading dynamic libraries"

Re: [exim] Exim in Gramine: defining search path for loading dynamic libraries

2022-11-02 Thread Heiko Schlittermann via Exim-users

Dengler, Gabriel via Exim-users  (Mi 02 Nov 2022 19:03:34 
CET):
> About the security caveats: do you think that there could be bigger security
> issues if the code runs in an isolated environment like Gramine is? Or can
> you sketch how a possible security attack could look?

If I remember well, until we introduced keep_environment and
add_environment, the following was possible as an unprivileged user
("hans"):

$ export PERL5LIB=/home/hans
$ /usr/sbin/exim …

In the above scenario the Exim config used Perl functions,
loaded from external Perl modules (assuemed to be in one of the
default Perl library paths),

By the above modification an unprivileged user was able get more
privileges by "injecting" malicious Perl functions.

I can imagine that a similar approach will work with LD_LIBRARY_PATH.
But … doesn't the loader clean the LD_LIBRARY_PATH if the RUID differs
from the EUID?

See ld.so(8) for LD_LIBRARY_PATH. Given that, I'm curious why setting
this variable works in your environment.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -


signature.asc
Description: PGP signature
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] Exim in Gramine: defining search path for loading dynamic libraries

2022-11-02 Thread Dengler, Gabriel via Exim-users


Hey Jeremy,

thanks, setting keep_environment = LD_LIBRARY_PATH in the main 
configuration file seemed to do the trick.


About the security caveats: do you think that there could be bigger 
security issues if the code runs in an isolated environment like Gramine 
is? Or can you sketch how a possible security attack could look?


Best regards,

Gabriel

On 02.11.22 16:50, Jeremy Harris via Exim-users wrote:


On 31/10/2022 21:57, Dengler, Gabriel via Exim-users wrote:

Currently unsolved is a problem regarding the LD_LIBRARY_PATH: in 
Gramine, you can define which libraries have to be loaded.


If that operates by setting an LD_LIBRARY_PATH env var,
you could try adding that to the main-config option
"keep_environment".

Do read the manual section on it regarding security caveats.


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] Exim in Gramine: defining search path for loading dynamic libraries

2022-11-02 Thread Jeremy Harris via Exim-users


On 31/10/2022 21:57, Dengler, Gabriel via Exim-users wrote:

Currently unsolved is a problem regarding the LD_LIBRARY_PATH: in Gramine, you 
can define which libraries have to be loaded.


If that operates by setting an LD_LIBRARY_PATH env var,
you could try adding that to the main-config option
"keep_environment".

Do read the manual section on it regarding security caveats.
--
Cheers,
  Jeremy


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

[exim] Exim in Gramine: defining search path for loading dynamic libraries

2022-11-02 Thread Dengler, Gabriel via Exim-users


Hello everyone,

I wanted to run Exim in Gramine. Gramine is a software to support the 
so-called Intel Software Guard Extension (SGX) which allows running 
software in enclaves separated from the host environment (cmp. 
https://gramineproject.io/).


I've already made some great progress and resolved a lot of issues with 
Gramine that I documented here: 
https://github.com/gramineproject/gramine/discussions/1013


Currently unsolved is a problem regarding the LD_LIBRARY_PATH: in 
Gramine, you can define which libraries have to be loaded. A common 
configuration is, e.g., "/lib:{{ arch_libdir }}:/usr{{ arch_libdir }}", 
where "arch_libdir = /lib/x86_64-linux-gnu/". On the first startup, this 
is correctly recognized. However, when Exim sends an e-mail, Exim 
internally invokes the "exec" system call and somehow seems to overwrite 
the LD_LIBRARY_PATH, since it now searches in the directory 
"/usr/local/lib/" for libraries.


As a first workaround, you can also mount the necessary libraries in the 
folder "/usr/local/lib/", however, this is no elegant solution. 
Therefore I tried out to modify Exim, e.g. by adding this path to 
"LOOKUP_LIBS" in the Local Makefile, but without success. I also noticed 
this post: 
https://www.exim.org/exim-html-4.66/doc/html/FAQ-html/FAQ_0.html#TOC32

So, this is my question: how could you adjust the load library path?

Best regards,
Gabriel

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] Exim in Gramine: defining search path for loading dynamic libraries

Re: [exim] Exim in Gramine: defining search path for loading dynamic libraries

Re: [exim] Exim in Gramine: defining search path for loading dynamic libraries

[exim] Exim in Gramine: defining search path for loading dynamic libraries

4 matches

Site Navigation

Mail list logo

Footer information