Bug 26723

Summary: LD_ETC_IGNORE - environment variable to ignore /etc/ld.so.preload configuration file on a per-application basis
Product: glibc
Component: libc
Reporter: adrelanos
Assignee: Not yet assigned to anyone <unassigned>
Status: UNCONFIRMED ---
Severity: normal
Priority: P2
CC: carlos, drepper.fsp
Version: unspecified
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed:

Description adrelanos 2020-10-09 15:08:15 UTC
/etc/ld.so.preload is great, however in some corner cases divergent settings are required. (Such as set through LD_PRELOAD environment variable.)

In such cases there is no easy way to ignore the /etc/ld.so.preload configuration file on a per-application basis. I.e. there is no command that can easily be prepended to make libc ignore /etc/ld.so.preload.

Currently for example to ignore /etc/ld.so.preload containing contents '/usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so' one has to run:

bwrap --dev-bind / / --tmpfs /usr/lib/libhardened_malloc.so program-name

Which is cumbersome and creating follow-up issues.

Would be good if one could run this:

LD_ETC_IGNORE=1 program-name

Or...

LD_ETC_IGNORE=1 LD_PRELOAD=/path/to/so program-name 

And then /etc/ld.so.preload [1] would be ignored.


[1] and /etc/ld.so.preload.d [2]

[2] https://sourceware.org/bugzilla/show_bug.cgi?id=24913

Comment 1 Carlos O'Donell 2020-10-09 20:29:11 UTC
(In reply to adrelanos from comment #0)
> /etc/ld.so.preload is great, however in some corner cases divergent settings
> are required. (Such as set through LD_PRELOAD environment variable.)

Divergent settings are issues that the application developer and the system administrator need to work together on to resolve.

The point of /etc/ld.so.preload is to give system administrators a method for enforcing preloading of certain required libraries.

The semantics of /etc/ld.so.preload are exactly that applications should not be able to ignore them. Likewise /etc/ld.so.preload is the only mechanism to preload objects for suid binaries.

> In such cases there is no easy way to ignore the /etc/ld.so.preload
> configuration file on a per-application basis. I.e. there is no command that
> can easily be prepended to make libc ignore /etc/ld.so.preload.

Correct, and that is only purpose.
 
> Currently for example to ignore /etc/ld.so.preload containing contents
> '/usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so' one has to
> run:

You're not supposed to ignore that, your system admin set it up that way.
 
> bwrap --dev-bind / / --tmpfs /usr/lib/libhardened_malloc.so program-name
> 
> Which is cumbersome and creating follow-up issues.

What problem is the hardened malloc causing?

Why do you have to have it on the system?
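
Added example, not part of the bug thread or of glibc: since /etc/ld.so.preload is the administrator's enforcement point, an audit can confirm that every object it names still resolves and can only be modified by a trusted owner. The function names and the `trusted_uid` parameter are hypothetical, and the parser assumes the loader's format of names separated by whitespace or ':' with '#' starting a comment.

```python
import os
import re
import stat

PRELOAD_FILE = "/etc/ld.so.preload"

def parse_preload(text):
    """Split ld.so.preload text into object names.

    Assumed format: names separated by whitespace or ':', with '#'
    starting a comment that runs to the end of the line.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(tok for tok in re.split(r"[ \t:]+", line) if tok)
    return entries

def audit_entry(path, trusted_uid=0):
    """Return findings for one entry; an empty list means none were found."""
    if not os.path.isabs(path):
        # Audit policy of this example: require an explicit location.
        return ["not an absolute path"]
    try:
        st = os.stat(path)  # follows symlinks, as opening the object would
    except OSError:
        # The loader skips objects it cannot open, so the preload is lost.
        return ["missing or unreadable"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid != trusted_uid:
        findings.append("owner is not the trusted uid")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group- or world-writable")
    return findings

def audit_preload(text, trusted_uid=0):
    """Map every entry in the given preload text to its findings."""
    return {p: audit_entry(p, trusted_uid) for p in parse_preload(text)}

if __name__ == "__main__":
    try:
        with open(PRELOAD_FILE) as fh:
            content = fh.read()
    except FileNotFoundError:
        content = ""
    for path, findings in audit_preload(content).items():
        print(path, "OK" if not findings else "; ".join(findings))
```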