libnssfix fails to build under Ubuntu 22.04

[JonathonReinhart]

Noted here: https://github.com/JonathonReinhart/staticx/pull/194#issuecomment-1624289769

gcc -o scons_build/debug/libnssfix/libnssfix.so -Wl,--fatal-warnings -Wl,--no-as-needed -nostdlib -Wl,--no-undefined -shared scons_build/debug/libnssfix/nssfix.os -Lscons_build/debug/lib scons_build/debug/libnssfix/libc.so.6 -lnss_dns -lnss_files
/bin/ld: cannot find -lnss_dns: No such file or directory
/bin/ld: cannot find -lnss_files: No such file or directory

[JonathonReinhart]

The problem is missing symlinks:

In ubuntu 22:04, there is no libnss_files.so symlink 😦

jreinhart@cbc4e6bb2b96:~/gitrepos/staticx$ ls -l /usr/lib/x86_64-linux-gnu/libnss*
lrwxrwxrwx 1 root root    40 Jul  6  2022 /usr/lib/x86_64-linux-gnu/libnss_compat.so -> /lib/x86_64-linux-gnu/libnss_compat.so.2
-rw-r--r-- 1 root root 44024 Jul  6  2022 /usr/lib/x86_64-linux-gnu/libnss_compat.so.2
-rw-r--r-- 1 root root 14352 Jul  6  2022 /usr/lib/x86_64-linux-gnu/libnss_dns.so.2
-rw-r--r-- 1 root root 14352 Jul  6  2022 /usr/lib/x86_64-linux-gnu/libnss_files.so.2
lrwxrwxrwx 1 root root    40 Jul  6  2022 /usr/lib/x86_64-linux-gnu/libnss_hesiod.so -> /lib/x86_64-linux-gnu/libnss_hesiod.so.2
-rw-r--r-- 1 root root 27160 Jul  6  2022 /usr/lib/x86_64-linux-gnu/libnss_hesiod.so.2

Note that there is no libnss_dns.so or libnss_files.so symlink. Hmm.

It's also a little suspicious that both libnss_dns.so.2 and libnss_files.so.2 are exactly the same size:

-rw-r--r-- 1 root root 14352 Jul  6  2022 /usr/lib/x86_64-linux-gnu/libnss_dns.so.2
-rw-r--r-- 1 root root 14352 Jul  6  2022 /usr/lib/x86_64-linux-gnu/libnss_files.so.2

[JonathonReinhart]

As I suspected, it appears that libnss_dns.so.2 and libnss_files.so.2 are stubs (export no symbols). The real implementation is moved into libc as of GLIBC 2.34.

Relevant changes:

• libnss_files

  • bminor/glibc@9ed48feed8 (glibc-2.33.9000-881-g9ed48feed8): nss: Do not install static linker input files for libnss_files
  • bminor/glibc@f9c8b11ed7726b858cd7b7cea0d3d7c5233d78cf: nss: Access nss_files through direct references
  • bminor/glibc@6212bb67f4695962748a5981e1b9fea105af74f6: nss_files: Move into libc

• libnss_dns

  • bminor/glibc@ee5ed99922ca90bcea4a2f9a48a0c9ae4b534ece: nss: Directly load nss_dns, without going through dlsym/dlopen
  • bminor/glibc@e1fcf21474c5b522fdad4ac0191d5dcc3271dba6: resolv: Move nss_dns into libc
  • bminor/glibc@ea9878ec271c791880fcbbe519d70c42f8113750
  • bminor/glibc@21a497cc58df2b9b02dc687b97f105335e7a1c50
  • bminor/glibc@b165c65c35d0fc4d60d63ae101f4edfa21c0d30b
  • bminor/glibc@66ac4268f48e4dbcb09b2b6128efa84a6564c1e6
  • bminor/glibc@be5773e1668ab62e980b58c68c3ffd0fd65e31af
  • bminor/glibc@7131727c6ba451e1c5bf075194c7adc9292906c4
  • bminor/glibc@72a51ac647b2fc33a44434d3d125a844801609ae
  • bminor/glibc@762a2b2d341a9d6a4ea088479616907c5b4e9a7b
  • bminor/glibc@08d4a98070c4c4f69c6d04f483d105121effba08
  • bminor/glibc@17d0407a5cac70652f3544e59505c1712b36fd1a
  • bminor/glibc@9515126f905d9322fc6d2b1a3d95539a0a499f48
  • bminor/glibc@2fbe5860d33ca2318b35ea6d31beefa381b4ac8a
  • bminor/glibc@391e02236b931132c0e8b5ba4c3b087c2aaa1044
  • bminor/glibc@fd8a87c0c1932de591e7ad108ff6288a4b6b18c9
  • bminor/glibc@7ec366a08a7cec7bd23d6b2a4f7954860e3a16fd
  • bminor/glibc@640bbdf71c6f10ac26252ac67a22902e26657bd8
  • bminor/glibc@13e1f86706e463de4429f7e88f47c6ff65cd845e
  • bminor/glibc@7ed1ac6da3d6ae5bfbbf4c4bdce07a40e8113df8
  • bminor/glibc@276e9822b3402d49a3c9bea713f89dc855812152
  • bminor/glibc@4e1d3db1e86804283cd21f3186e06d397284ac70
  • bminor/glibc@cff2c78c513ef8d51e69a6933f1c6aef8a24a6d6
  • bminor/glibc@248dbed1187038918d79f62cd9cf631f4150c2a0

Initial thoughts

If libnss_files/libnss_dns are built into libc, we can just leave these out of the link.

How do we detect this?

• GLIBC version?
• Detect this at config time by trying to link against libnss_files (_dns)
  • What if something is broken? How does this interact with the existing NSS config check?

[JonathonReinhart]

Reopening as #255 is incomplete. See https://github.com/JonathonReinhart/staticx/pull/255#issuecomment-1630120893.

It needs to provide runtime libnssfix detection, not just build-time.

[JonathonReinhart]

I'm yanking staticx 0.14.0 from PyPI, because what's there (libnssfix.so not linking against libnss_files, causing dlopen of system lib) is arguably worse (odd app runtime behavior / crash) than 0.13.9 (which works on glibc>=2.34 because libnssfix.so has NEEDED of the soname libnss_files.so.2), so the dependencies are picked up.

We just can't build staticx on glibc>=2.34 (as the title ostensibly states).

[JonathonReinhart]

My initial thought was:

It needs to provide runtime libnssfix detection, not just build-time.

Meaning, when staticx is run, it needs to determine if the glibc (against which the given app was linked) has nss_files and nss_dns builtin -- not the GLIBC used to build staticx.

• If builtin: provide libnssfix.so which does not link against libnss_files/libnss_dns.
• If not builtin: provide libnssfix.so which does link against them (and they will be bundled).

---

But based on my test (staticx 0.13.9 works on ubuntu 22.04):

$ ldd /usr/local/lib/python3.10/dist-packages/staticx/assets/release/libnssfix.so
        linux-vdso.so.1 (0x00007ffec95a9000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f982aa84000)
        libnss_files.so.2 => /lib/x86_64-linux-gnu/libnss_files.so.2 (0x00007f982aa7f000)
        libnss_dns.so.2 => /lib/x86_64-linux-gnu/libnss_dns.so.2 (0x00007f982aa7a000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f982acb6000)

the stubs are present and don't hurt anything.

We just need to get the NEEDED tags on libnssfix.so with the SONAME (including .2), like they always were:

$ readelf --dynamic /usr/local/lib/python3.10/dist-packages/staticx/assets/release/libnssfix.so | grep '(NEEDED)'
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x0000000000000001 (NEEDED)             Shared library: [libnss_files.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libnss_dns.so.2]

How do we best achieve this in our scons build system? (Keep in mind that -lnss_files does not work because of the missing symlinks).

Ideas:

• https://stackoverflow.com/q/828053
• https://stackoverflow.com/q/207069