How to use $ORIGIN and suid application?

Question

I'm using python with setcap CAP_NET_RAW enabled. My python script imports a shared library which has $ORIGIN in its RPATH. Since my python is now a suid app, $ORIGIN is not evaluated and the library does not load correctly (this is due to a security leak found in glibc ). Is there a way to tell the linker that my library path is secure and load the library anyway?

A few more notes:

1. I only need this feature in the development stage. I'm not looking for a production solution.
2. When working as root, everything works.
3. I do not want to work as root.

Thanks, Dave

Answer 1

You can try one of these. Consider that <path-to-mylib> is the absolute pathname after solving the $ORIGIN rpath reference.

1. Re-run ldconfig after telling it where to find your library

   $ echo "<path-to-mylib>" > /etc/ld.so.conf.d/my-new-library.conf
   $ ldconfig -v
   

2. If running things as root is not an option, export LD_LIBRARY_PATH with the correct directory for every execution of the process

   $ echo "export LD_LIBRARY_PATH=<path-to-mylib>" >> ~/.bashrc
   $ export LD_LIBRARY_PATH=<path-to-mylib>
   $ # then run your stuff...
   

Answer 2

Did you try sudo?

Instead of $ORIGIN, use fixed paths during development because they will work on setuid programs. Don't change your main build process, just use patchelf to set the rpath to what you need. You could make a shell script which does something like:

ln=`readelf -d |grep RPATH`
IFS=:
set -- $ln
newrpath=`echo $2 |sed 's/\$ORIGIN/\/devel\/myprog\/lib/'`
patchelf --set-rpath newrpath myprogram

Then your binary will no longer search $ORIGIN/../lib but /devel/myprog/lib/../lib