[Bug 1700272] [NEW] ldd secure execution mode

Sat, 24 Jun 2017 09:41:22 -0700 

Public bug reported:

Hello,

I noticed that ldd gives wrong results when run
a) with the LD_LIBRARY_PATH environment variable set to some folder and
b) on a binary that will be launched in "secure execution mode" by ld.so (see 
"man ld.so").

Steps to reproduce:
1. Create a file hello_world.c:
#include <stdio.h>
int main() {
        puts("Hello, World!");
        puts("Press enter to quit");
        scanf("%*c");
}
2. Compile:
$ gcc -o hello_world hello_world.c
3. Attach a capability to the compiled binary, in order to trigger secure 
execution mode:
$ sudo setcap CAP_NET_BIND_SERVICE=ep hello_world
4. Make the system's libc available somewhere else:
$ cp /lib/x86_64-linux-gnu/libc.so.6 .

In this setup, when you run LD_LIBRARY_PATH=. ldd hello_world, then ldd will 
report that the binary will use the libc in the local folder.
Actual output:
$ LD_LIBRARY_PATH=. ldd hello_world
        linux-vdso.so.1 =>  (0x00007ffdbb76a000)
        libc.so.6 => ./libc.so.6 (0x00007f68a182a000)
        /lib64/ld-linux-x86-64.so.2 (0x00005651d2ef7000)

However, when you actually run the binary with
$ LD_LIBRARY_PATH=. ./hello_world
then the binary will use the standard library search path and _not_ use 
./libc.so.6 .
You can see this by starting the binary in one terminal, and running the 
following command in another terminal while the binary is still running:
$ sudo cat /proc/$(pidof hello_world)/maps

This gives me an output like:
[...]
7f76193d5000-7f7619595000 r-xp 00000000 fc:00 2494866                    
/lib/x86_64-linux-gnu/libc-2.23.so
7f7619595000-7f7619795000 ---p 001c0000 fc:00 2494866                    
/lib/x86_64-linux-gnu/libc-2.23.so
7f7619795000-7f7619799000 r--p 001c0000 fc:00 2494866                    
/lib/x86_64-linux-gnu/libc-2.23.so
7f7619799000-7f761979b000 rw-p 001c4000 fc:00 2494866                    
/lib/x86_64-linux-gnu/libc-2.23.so
[...]

I believe that this is due to the secure execution mode mentioned in the
ld.so man page, so this probably also affects set-uid binaries and
possibly some other environment variables that control the linker
behaviour.

I'm using Ubuntu 16.04.2 (LTS). ldd is on version "ldd (Ubuntu GLIBC
2.23-0ubuntu9) 2.23". The libc-bin package (containing ldd) has version
"2.23-0ubuntu9".

Best regards!

** Affects: ubuntu
     Importance: Undecided
         Status: New


** Tags: bot-comment

** Attachment added: "the hello_world.c file and a Makefile"
   https://bugs.launchpad.net/bugs/1700272/+attachment/4902313/+files/demo.zip

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1700272

Title:
  ldd secure execution mode

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1700272/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to