This is the mail archive of the
mailing list for the glibc project.
Re: [PATCH] Add LD_PRELOAD_INIT_EARLY [BZ #14379]
On Thu, Feb 14, 2019 at 05:43:26PM +0000, Joseph Myers wrote:
> This patch is missing a NEWS update to discuss the new feature. (It seems
> the manual generally lacks documentation of LD_* variables; if they were
> documented, an update there would be needed as well.)

I will add a NEWS entry.

> The commit message needs to discuss security issues (that applies to any
> proposed change to glibc that makes its behavior depend on some
> environment variable, probably we should add that point to the
> contribution checklist). What effect does this have in setuid programs?
> Is it ignored, by existing or new code? If not ignored, how can you
> demonstrate that to be safe in all cases where LD_PRELOAD is handled and
> safe for such programs?

It is not ignored right now, but there's no reason it shouldn't be.
Perhaps it would be better to have the new variable take a list of
libraries just like LD_PRELOAD does, instead of having it modify
LD_PRELOAD's behaviour? Then the security handling for the new variable
could be exactly the same as LD_PRELOAD's?
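
The rule at stake in this reply, as an added example that is not part of the original message and is not glibc code: a simplified model of the documented ld.so secure-execution behaviour, in which preload entries containing a slash are ignored, applied identically to LD_PRELOAD and to a list-valued form of the new variable. The function name, the list-valued `LD_PRELOAD_INIT_EARLY` and the sample values are assumptions made for illustration; the loader's further check that the object sits in a standard directory with the set-user-ID bit set is omitted.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not glibc code. Copies the entries of a preload-style
   list (separated by ':' or ' ') into out, joined by ':'. When secure is
   non-zero (the loader derives this from AT_SECURE), entries containing '/'
   are dropped, as ld.so documents for LD_PRELOAD.
   Returns the number of entries kept, or -1 if out is too small. */
int filter_preload(const char *list, int secure, char *out, size_t outsz)
{
    int kept = 0;
    size_t used = 0;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    while (*list != '\0') {
        size_t len = strcspn(list, ": ");
        if (len > 0 && !(secure && memchr(list, '/', len) != NULL)) {
            size_t need = len + (kept ? 1 : 0);
            if (used + need + 1 > outsz)
                return -1;              /* refuse to truncate a list */
            if (kept)
                out[used++] = ':';
            memcpy(out + used, list, len);
            used += len;
            out[used] = '\0';
            kept++;
        }
        list += len;
        if (*list != '\0')
            list++;                     /* step over one separator */
    }
    return kept;
}

int main(void)
{
    /* Constructed sample values for both variables. */
    const char *vars[] = { "libfoo.so:/tmp/hook.so ./x.so", "libearly.so:../lib/y.so" };
    const char *names[] = { "LD_PRELOAD", "LD_PRELOAD_INIT_EARLY (list form, assumed)" };
    char buf[128];

    for (int secure = 0; secure <= 1; secure++)
        for (int i = 0; i < 2; i++) {
            int n = filter_preload(vars[i], secure, buf, sizeof buf);
            printf("secure=%d %s: kept %d -> \"%s\"\n", secure, names[i], n, buf);
        }
    return 0;
}
```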