[Bug 1700272] [NEW] ldd secure execution mode

Launchpad Bug Tracker 1700272 at bugs.launchpad.net
Sat Jun 24 16:51:59 UTC 2017


You have been subscribed to a public bug:

Hello,

I noticed that ldd gives wrong results when run
a) with the LD_LIBRARY_PATH environment variable set to some folder and
b) on a binary that will be launched in "secure execution mode" by ld.so (see "man ld.so").

Steps to reproduce:
1. Create a file hello_world.c:
#include <stdio.h>
int main() {
	puts("Hello, World!");
	puts("Press enter to quit");
	scanf("%*c");
}
2. Compile:
$ gcc -o hello_world hello_world.c
3. Attach a capability to the compiled binary, in order to trigger secure execution mode:
$ sudo setcap CAP_NET_BIND_SERVICE=ep hello_world
4. Make the system's libc available somewhere else:
$ cp /lib/x86_64-linux-gnu/libc.so.6 .

In this setup, when you run LD_LIBRARY_PATH=. ldd hello_world, then ldd will report that the binary will use the libc in the local folder.
Actual output:
$ LD_LIBRARY_PATH=. ldd hello_world
	linux-vdso.so.1 =>  (0x00007ffdbb76a000)
	libc.so.6 => ./libc.so.6 (0x00007f68a182a000)
	/lib64/ld-linux-x86-64.so.2 (0x00005651d2ef7000)

However, when you actually run the binary with
$ LD_LIBRARY_PATH=. ./hello_world
then the binary will use the standard library search path and _not_ use ./libc.so.6 .
You can see this by starting the binary in one terminal, and running the following command in another terminal while the binary is still running:
$ sudo cat /proc/$(pidof hello_world)/maps

This gives me an output like:
[...]
7f76193d5000-7f7619595000 r-xp 00000000 fc:00 2494866                    /lib/x86_64-linux-gnu/libc-2.23.so
7f7619595000-7f7619795000 ---p 001c0000 fc:00 2494866                    /lib/x86_64-linux-gnu/libc-2.23.so
7f7619795000-7f7619799000 r--p 001c0000 fc:00 2494866                    /lib/x86_64-linux-gnu/libc-2.23.so
7f7619799000-7f761979b000 rw-p 001c4000 fc:00 2494866                    /lib/x86_64-linux-gnu/libc-2.23.so
[...]

I believe that this is due to the secure execution mode mentioned in the
ld.so man page, so this probably also affects set-uid binaries and
possibly some other environment variables that control the linker
behaviour.

I'm using Ubuntu 16.04.2 (LTS). ldd is on version "ldd (Ubuntu GLIBC
2.23-0ubuntu9) 2.23". The libc-bin package (containing ldd) has version
"2.23-0ubuntu9".

Best regards!

** Affects: glibc (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: bot-comment
-- 
ldd secure execution mode
https://bugs.launchpad.net/bugs/1700272
You received this bug notification because you are a member of Ubuntu Foundations Bugs, which is subscribed to glibc in Ubuntu.
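
Added example, not part of the original bug report or of glibc: a Python check for the on-disk conditions the report points to (set-user-ID or set-group-ID bits, or the file capabilities written by setcap in step 3) before trusting ldd output taken with LD_LIBRARY_PATH set. The function names are this example's own. It assumes Linux, and that a security.capability xattr means capabilities are conferred to a non-root caller.

```python
import os
import stat
import sys

# Variable from the report; ld.so ignores it in secure-execution mode.
IGNORED_VAR = "LD_LIBRARY_PATH"

def triggers(mode, owner_uid, owner_gid, has_file_caps, uid, gid):
    """Reasons ld.so would see secure-execution mode for a caller with uid/gid."""
    reasons = []
    # set-user-ID: real and effective UID differ after exec
    if mode & stat.S_ISUID and owner_uid != uid:
        reasons.append("setuid")
    # set-group-ID: real and effective GID differ after exec
    if mode & stat.S_ISGID and owner_gid != gid:
        reasons.append("setgid")
    # file capabilities conferred to a non-root caller (step 3 of the report)
    if has_file_caps and uid != 0:
        reasons.append("file-capabilities")
    return reasons

def has_capability_xattr(path):
    """True if the file carries the security.capability xattr that setcap writes."""
    try:
        return len(os.getxattr(path, "security.capability")) > 0
    except OSError:  # ENODATA: no capabilities; ENOTSUP: no xattr support
        return False

def secure_exec_triggers(path, uid=None, gid=None):
    """Inspect a binary on disk; uid/gid default to the current user."""
    st = os.stat(path)
    uid = os.getuid() if uid is None else uid
    gid = os.getgid() if gid is None else gid
    return triggers(st.st_mode, st.st_uid, st.st_gid,
                    has_capability_xattr(path), uid, gid)

def ldd_env_warning(path, env):
    """Message if ldd's view of path may differ from the real loader's, else None."""
    reasons = secure_exec_triggers(path)
    if reasons and IGNORED_VAR in env:
        return (f"{path}: {IGNORED_VAR} is set but the binary runs in "
                f"secure-execution mode ({', '.join(reasons)}); "
                "ldd output may not match the libraries loaded at run time")
    return None

if __name__ == "__main__" and len(sys.argv) > 1:
    print(ldd_env_warning(sys.argv[1], os.environ) or "no secure-execution trigger found")
```

Run against the hello_world binary from the steps above with LD_LIBRARY_PATH=. set, it should report the file-capabilities trigger.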


