SteamLinuxRuntime fails when using a setuid /usr/bin/bwrap: error while loading shared libraries: libdl.so.2

[smcv]

Your system information

• Steam Runtime Version: any modern version, reproduced with 0.20240123.75011
• Distribution (e.g. Ubuntu 18.04): any, reproduced on Ubuntu 22.04
• Link to your full system information (Help -> Steam Runtime Diagnostics) in a Gist: not provided here
• Have you checked for system updates?: no
• What compatibility tool are you using?: Steam Linux Runtime 3.0 - sniper
• What versions are listed in VERSIONS.txt? any modern version, reproduced with beta 0.20240212.77547

Steps for reproducing this issue:

This is not a recommendation - these steps are only used here to emulate an older host OS like Debian 10.

1. echo 0 | sudo tee /proc/sys/kernel/unprivileged_userns_clone
2. sudo apt install bubblewrap
3. sudo chmod +s /usr/bin/bwrap
4. launch Steam
5. look at ~/.steam/steam/logs/steamwebhelper.log

This system configuration with a setuid bubblewrap is not recommended, and not routinely tested. We recommend the system configuration where unprivileged bubblewrap is allowed, as seen in all supported Ubuntu versions, Debian >= 11, RHEL >= 8, and default configurations of most other Linux distributions including Arch Linux, Fedora and so on.

Expected result

Steam runs successfully

Actual result

steamwebhelper fails to launch. steamwebhelper.log ends with:

/usr/lib/pressure-vessel/from-host/bin/pressure-vessel-adverb: error while loading shared libraries: libdl.so.2: cannot open shared object file: No such file or directory

Workaround

https://github.com/flatpak/flatpak/wiki/User-namespace-requirements#changing-from-setuid-to-unprivileged

[smcv]

Root cause

I believe the root cause for this is that when we hand over control from code outside the container to code inside, for a short time we are relying on the LD_LIBRARY_PATH to find dependency libraries in /overrides - but if bwrap is setuid, then glibc startup code removes LD_LIBRARY_PATH from the environment for security reasons.

This used to work anyway, probably because older versions of pressure-vessel-adverb only depended on libraries bundled with pressure-vessel (which are found via RPATH = ${ORIGIN}/../...) and on libc.so.6 (which is special-cased to be edited into the container's /usr directly, in order to allow for bootstrapping). But newer versions of pressure-vessel-adverb are linked to libdl.so.2, and that can only be found in /overrides.

[smcv]

This is not a recent regression: the oldest version that I have conveniently available (0.20210608.3) fails in the same way.

[smcv]

A fix for this is in progress. The fact that we haven't had any reports from users of this being a problem suggests that it is not a common configuration in practice, so it isn't being treated as a high priority.

[smcv]

Fixed in today's betas, versioned as depot 0.20240321.x in VERSIONS.txt.

[smcv]

Now fixed in stable branches too.