NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Consider having glibc print warnings when LD_LIBRARY_PATH contains empty segments #76802

Open ivan opened 4 years ago

ivan commented 4 years ago

We had a bad security bug in #67234 caused by the chromium derivation modifying LD_LIBRARY_PATH and unintentionally adding an empty segment (typically caused by a leading or trailing :). Empty segments cause glibc to look for shared libraries in the current working directory. This is particularly dangerous with programs that may frequently be started from a directory with untrusted files.

Because the empty-segment->"load .so from cwd" behavior is very dangerous and almost always unintended, I propose patching our glibc to emit a scary warning when an empty segment is present in LD_LIBRARY_PATH. This would help shake out additional security bugs in both nixpkgs and the software within it. The loading behavior would not be changed, it would just emit a warning to stderr so that we know what to fix, and to detect new regressions early.

To mitigate problems with the rare software that relies on this behavior and where warnings in stderr are unacceptable, a new environmental variable could be used to control the warning.

pbogdan commented 4 years ago

Why do you propose this being patched in nixpkgs and not upstream glibc?

andersk commented 4 years ago

Probably because we particularly suck at this… (but yeah, upstreaming the patch seems like a good idea too).

pkgs/applications/graphics/paraview/default.nix:33:    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/lib:$PWD/VTK/ThirdParty/vtkm/vtk-m/lib
pkgs/applications/misc/audio/soxr/default.nix:16:    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:"`pwd`/build/src
pkgs/applications/networking/mailreaders/claws-mail/default.nix:46:    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${python}/lib
pkgs/applications/office/gnucash/default.nix:82:    export LD_LIBRARY_PATH=$PWD/lib:$PWD/lib/gnucash:$PWD/lib/gnucash/test:$LD_LIBRARY_PATH
pkgs/applications/video/avidemux/default.nix:69:    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${libXext}/lib"
pkgs/build-support/build-fhs-userenv/env.nix:55:    export LD_LIBRARY_PATH="/run/opengl-driver/lib:/run/opengl-driver-32/lib:/usr/lib:/usr/lib32:$LD_LIBRARY_PATH"
pkgs/desktops/deepin/dde-file-manager/default.nix:232:    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${zlib}/lib";
pkgs/desktops/deepin/dde-file-manager/default.nix:233:    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${libX11}/lib";
pkgs/desktops/enlightenment/efl.nix:126:    export LD_LIBRARY_PATH="${curl.out}/lib:$LD_LIBRARY_PATH"
pkgs/development/compilers/halide/default.nix:32:    export LD_LIBRARY_PATH="$(pwd)/lib:$LD_LIBRARY_PATH"
pkgs/development/compilers/llvm/4/llvm.nix:139:    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/lib
pkgs/development/compilers/llvm/5/llvm.nix:115:    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/lib
pkgs/development/compilers/llvm/6/llvm.nix:123:    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/lib
pkgs/development/compilers/llvm/7/llvm.nix:144:    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/lib
pkgs/development/compilers/llvm/8/llvm.nix:120:    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/lib
pkgs/development/compilers/llvm/9/llvm.nix:137:    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/lib
pkgs/development/compilers/mlton/20130715.nix:80:    export LD_LIBRARY_PATH=${gmp.out}/lib:$LD_LIBRARY_PATH
pkgs/development/compilers/solc/default.nix:57:      LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$(pwd)/$dir
pkgs/development/guile-modules/guile-lib/default.nix:24:    "$(dirname $(echo ${stdenv.cc.cc.lib}/lib*/libgcc_s.so)):$LD_LIBRARY_PATH"
pkgs/development/haskell-modules/hackage-packages.nix:93356:       preBuild = ''export LD_LIBRARY_PATH=`pwd`/dist/build:$LD_LIBRARY_PATH'';
pkgs/development/interpreters/pure/default.nix:27:    LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${llvm}/lib make check
pkgs/development/libraries/boxfort/default.nix:32:    export LD_LIBRARY_PATH=`pwd`:$LD_LIBRARY_PATH
pkgs/development/libraries/caf/default.nix:25:    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/lib
pkgs/development/libraries/criterion/default.nix:33:    export LD_LIBRARY_PATH=`pwd`:$LD_LIBRARY_PATH
pkgs/development/libraries/cutelyst/default.nix:27:    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:`pwd`/Cutelyst:`pwd`/EventLoopEPoll"
pkgs/development/libraries/glib/default.nix:166:    export LD_LIBRARY_PATH="$NIX_BUILD_TOP/${pname}-${version}/glib/.libs:$LD_LIBRARY_PATH"
pkgs/development/libraries/grpc/default.nix:41:    export LD_LIBRARY_PATH=$(pwd):$LD_LIBRARY_PATH
pkgs/development/libraries/jsoncpp/default.nix:28:    export LD_LIBRARY_PATH="`pwd`/src/lib_json:$LD_LIBRARY_PATH"
pkgs/development/libraries/libtins/default.nix:35:    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD${placeholder "out"}/lib
pkgs/development/libraries/orcania/default.nix:22:    export LD_LIBRARY_PATH="$(pwd):$LD_LIBRARY_PATH"
pkgs/development/libraries/qt-4.x/4.8/default.nix:122:    export LD_LIBRARY_PATH="`pwd`/lib:$LD_LIBRARY_PATH"
pkgs/development/libraries/qt-5/modules/qtbase.nix:167:    export LD_LIBRARY_PATH="$PWD/lib:$PWD/plugins/platforms:$LD_LIBRARY_PATH"
pkgs/development/libraries/science/math/arpack/default.nix:35:    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:`pwd`/lib
pkgs/development/libraries/science/math/scalapack/default.nix:43:    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:`pwd`/lib
pkgs/development/libraries/yder/default.nix:35:    export LD_LIBRARY_PATH="$(pwd):$LD_LIBRARY_PATH"
pkgs/development/pharo/vm/build-vm.nix:120:    LD_LIBRARY_PATH="\$LD_LIBRARY_PATH:$libs" exec $out/pharo "\$@"
pkgs/games/dwarf-fortress/dfhack/default.nix:112:      export LD_LIBRARY_PATH="$PWD/depends/protobuf:$LD_LIBRARY_PATH"
pkgs/games/dwarf-fortress/wrapper/dfhack.in:10:LD_LIBRARY_PATH="$env_dir/hack/libs:$env_dir/hack:$LD_LIBRARY_PATH" \
pkgs/games/steam/chrootenv.nix:56:    export LD_LIBRARY_PATH="$runtime_paths:$LD_LIBRARY_PATH"
pkgs/games/steam/chrootenv.nix:263:      ${lib.optionalString (!nativeOnly) "export LD_LIBRARY_PATH=/lib32:/lib64:${lib.concatStringsSep ":" ldPath}:$LD_LIBRARY_PATH"}
pkgs/os-specific/linux/ati-drivers/builder.sh:288:      wrapProgram $out/bin/$(basename $prog) --prefix LD_LIBRARY_PATH : $out/lib/:$gcc/lib/:$out/share/ati/:$libXinerama/lib/:$libXrandr/lib/:$libfontconfig/lib/:$libfreetype/lib/:$LD_LIBRARY_PATH
pkgs/os-specific/linux/tiscamera/default.nix:87:    export LD_LIBRARY_PATH=$PWD/src:$LD_LIBRARY_PATH
pkgs/servers/plex/default.nix:100:    LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$root exec "$root/Plex Media Server"
pkgs/tools/X11/libstrangle/nixos.patch:29:+FPS="${FPS}" LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:@out@/lib/libstrangle/lib64:@out@/lib/libstrangle/lib32" LD_PRELOAD="${LD_PRELOAD}:libstrangle.so" exec "$@"
pkgs/tools/X11/primus/default.nix:30:  export LD_LIBRARY_PATH=${ldPath}:$LD_LIBRARY_PATH
pkgs/tools/filesystems/ceph/default.nix:135:      export LD_LIBRARY_PATH="$PWD/build/lib:$LD_LIBRARY_PATH"
pkgs/tools/misc/staruml/default.nix:45:        --prefix LD_LIBRARY_PATH : $out/lib:${LD_LIBRARY_PATH}
pkgs/tools/security/neopg/default.nix:34:    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$(pwd)/3rdparty/googletest/googletest:$(pwd)/neopg
pkgs/tools/text/opencc/default.nix:14:    "LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$(CURDIR)/src"
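As an added example (written for this page; not code from the issue, from glibc or from nixpkgs), the check below is a user-space stand-in for the loader warning ivan proposes: it walks a colon-separated LD_LIBRARY_PATH value and reports each empty segment (leading `:`, trailing `:` or `::`), the case that glibc resolves to the current working directory. It also shows the `${var:+...}` idiom that keeps the `export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:...` lines in the listing above from producing a leading empty segment when LD_LIBRARY_PATH is unset in the build environment. The function names `check_ld_library_path`, `ld_path_append` and `ld_path_prepend` and all directory names are my own constructed values.

```shell
#!/bin/sh
# Added example, not from the nixpkgs issue, glibc or nixpkgs itself.
# Reports empty segments in a colon-separated search path; glibc's loader
# treats such a segment as "." (the current working directory).

# check_ld_library_path VALUE
# Prints one warning per empty segment to stderr. Returns 0 when the value is
# clean and 1 when at least one empty segment is present. An entirely empty
# value is left alone: ld.so treats an empty LD_LIBRARY_PATH as unset.
check_ld_library_path() {
    value=$1
    bad=0
    [ -n "$value" ] || return 0
    rest=$value
    index=0
    # Split on ':' by hand so that empty fields survive (IFS splitting would
    # silently drop them in some shells, which is exactly the bug we hunt).
    while :; do
        index=$((index + 1))
        case "$rest" in
            *:*) seg=${rest%%:*}; rest=${rest#*:}; more=1 ;;
            *)   seg=$rest; more=0 ;;
        esac
        if [ -z "$seg" ]; then
            printf 'warning: LD_LIBRARY_PATH segment %d is empty and resolves to cwd: "%s"\n' \
                "$index" "$value" >&2
            bad=1
        fi
        [ "$more" -eq 1 ] || break
    done
    return $bad
}

# ld_path_append DIR CURRENT
# Prints CURRENT with DIR appended. The ':' separator is emitted only when
# CURRENT is non-empty, so an unset LD_LIBRARY_PATH cannot become ":DIR".
ld_path_append() {
    dir=$1
    current=$2
    printf '%s\n' "${current:+$current:}$dir"
}

# ld_path_prepend DIR CURRENT
# Same idea for the "$PWD/lib:$LD_LIBRARY_PATH" shape, which otherwise yields
# a trailing empty segment when CURRENT is empty.
ld_path_prepend() {
    dir=$1
    current=$2
    printf '%s\n' "$dir${current:+:$current}"
}

# Demonstration on constructed values (none of these paths are real):
for sample in "/nix/store/aaa-zlib/lib:/nix/store/bbb-libX11/lib" \
              ":/tmp/build/lib" "/tmp/build/lib:" "/a/lib::/b/lib"; do
    if check_ld_library_path "$sample"; then
        printf 'clean: %s\n' "$sample"
    fi
done
# The safe idiom stays clean even when the inherited variable is empty:
check_ld_library_path "$(ld_path_append /tmp/build/lib "")" && echo "append ok"
check_ld_library_path "$(ld_path_prepend /tmp/build/lib "")" && echo "prepend ok"
```

In a derivation the same idiom is written inline, e.g. `export LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$PWD/lib` for the append form, and the check can be run over the resulting value in a hook before any program is started from the build tree.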

andersk commented 4 years ago

I made an attempt to fix these existing issues at #76804.

stale[bot] commented 4 years ago

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.