Debian Bug report logs - #544471
cap_sys_nice on executable leads to ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Yaroslav Halchenko <debian@onerussian.com>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: cap_sys_nice on executable leads to ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored

Date: Mon, 31 Aug 2009 15:35:29 -0400

Package: fakeroot
Version: 1.13
Severity: normal

I've used (you need libcap2-bin for setcap)
sudo setcap cap_sys_nice=eip /usr/bin/python2.5
to allow python scripts to adjust nice levels/choose scheduler.
Unfortunately it obscures fakeroot call, since then I get

$> fakeroot python                                
ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored.
Python 2.5.4 (r254:67916, Feb 18 2009, 03:00:47) 
[GCC 4.3.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> 


and that brakes pycentral:
$> fakeroot dh_pycentral -i
dh_pycentral: Unable to parse python version out of "ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored.
Python 2.5.4
".
since it relies on parsing stderr as it contains output from
 python --version



-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (900, 'testing'), (600, 'unstable'), (300, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-rc5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages fakeroot depends on:
ii  libc6                         2.9-23     GNU C Library: Shared libraries

fakeroot recommends no packages.

fakeroot suggests no packages.

-- no debconf information

Message #10 received at 544471@bugs.debian.org (full text, mbox, reply):

From: Clint Adams <schizo@debian.org>

To: Yaroslav Halchenko <debian@onerussian.com>, 544471@bugs.debian.org

Subject: Re: Bug#544471: cap_sys_nice on executable leads to ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored

Date: Tue, 1 Sep 2009 03:45:05 +0000

On Mon, Aug 31, 2009 at 03:35:29PM -0400, Yaroslav Halchenko wrote:
> I've used (you need libcap2-bin for setcap)
> sudo setcap cap_sys_nice=eip /usr/bin/python2.5
> to allow python scripts to adjust nice levels/choose scheduler.
> Unfortunately it obscures fakeroot call, since then I get
> 
> $> fakeroot python                                
> ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored.
> Python 2.5.4 (r254:67916, Feb 18 2009, 03:00:47) 
> [GCC 4.3.3] on linux2
> Type "help", "copyright", "credits" or "license" for more information.

I'm not sure what we can do here; I don't think we want to obscure the
fact that LD_PRELOAD has been disabled for security reasons.

Message #15 received at 544471@bugs.debian.org (full text, mbox, reply):

From: Yaroslav Halchenko <debian@onerussian.com>

To: Clint Adams <schizo@debian.org>

Cc: 544471@bugs.debian.org

Subject: Re: Bug#544471: cap_sys_nice on executable leads to ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored

Date: Tue, 1 Sep 2009 00:24:23 -0400

Hi Clint,

do you mean that executables with any capabilities (or even just
cap_sys_nice) set are considered insecure and LD_PRELOAD is explicitly
disallowed so LD_PRELOAD of fakeroot library fails?

N.B. fakeroot python whenever python has no cap_sys_nice is doing fine 

On Tue, 01 Sep 2009, Clint Adams wrote:
> I'm not sure what we can do here; I don't think we want to obscure the
> fact that LD_PRELOAD has been disabled for security reasons.


-- 
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]

Message #20 received at 544471@bugs.debian.org (full text, mbox, reply):

From: Clint Adams <schizo@debian.org>

To: Yaroslav Halchenko <debian@onerussian.com>, 544471@bugs.debian.org

Cc: fakeroot-ng@packages.debian.org

Subject: Re: Bug#544471: cap_sys_nice on executable leads to ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored

Date: Tue, 1 Sep 2009 04:57:08 +0000

On Tue, Sep 01, 2009 at 12:24:23AM -0400, Yaroslav Halchenko wrote:
> do you mean that executables with any capabilities (or even just
> cap_sys_nice) set are considered insecure and LD_PRELOAD is explicitly
> disallowed so LD_PRELOAD of fakeroot library fails?

Yes, it is the same as with setuid/setgid programs.  The point is
that otherwise you could make a preload library to exploit any
capability by subverting one of the functions used by a privileged
binary.

I'm not sure how fakeroot-ng interacts with capabilities, but
perhaps it is more suitable for your use case.

Message #25 received at 544471@bugs.debian.org (full text, mbox, reply):

From: Yaroslav Halchenko <debian@onerussian.com>

To: Clint Adams <schizo@debian.org>

Cc: 544471@bugs.debian.org, fakeroot-ng@packages.debian.org

Subject: Re: Bug#544471: cap_sys_nice on executable leads to ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored

Date: Tue, 1 Sep 2009 01:07:04 -0400

On Tue, 01 Sep 2009, Clint Adams wrote:
> On Tue, Sep 01, 2009 at 12:24:23AM -0400, Yaroslav Halchenko wrote:
> > do you mean that executables with any capabilities (or even just
> > cap_sys_nice) set are considered insecure and LD_PRELOAD is explicitly
> > disallowed so LD_PRELOAD of fakeroot library fails?

> Yes, it is the same as with setuid/setgid programs.  The point is
> that otherwise you could make a preload library to exploit any
> capability by subverting one of the functions used by a privileged
> binary.

> I'm not sure how fakeroot-ng interacts with capabilities, but
> perhaps it is more suitable for your use case.
hm... it seems to be doing find:
$> fakeroot python --version
ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored.
Python 2.5.4
$> fakeroot-ng python --version 
Python 2.5.4

cool -- thanks for the hint... seems to remain working fine within dpkg-buildpackage ;)

I just wonder now what to do with the bug -- apparently it is a feature ;) but
may be error message could be made more informative/relevant?

-- 
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]

Message #30 received at 544471@bugs.debian.org (full text, mbox, reply):

From: Shachar Shemesh <shachar@shemesh.biz>

To: Clint Adams <schizo@debian.org>

Cc: Yaroslav Halchenko <debian@onerussian.com>, 544471@bugs.debian.org, fakeroot-ng@packages.debian.org

Subject: Re: Bug#544471: cap_sys_nice on executable leads to ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored

Date: Tue, 01 Sep 2009 10:01:17 +0300

[Message part 1 (text/plain, inline)]

Clint Adams wrote:
> On Tue, Sep 01, 2009 at 12:24:23AM -0400, Yaroslav Halchenko wrote:
>   
>> do you mean that executables with any capabilities (or even just
>> cap_sys_nice) set are considered insecure and LD_PRELOAD is explicitly
>> disallowed so LD_PRELOAD of fakeroot library fails?
>>     
>
> Yes, it is the same as with setuid/setgid programs.  The point is
> that otherwise you could make a preload library to exploit any
> capability by subverting one of the functions used by a privileged
> binary.
>
> I'm not sure how fakeroot-ng interacts with capabilities, but
> perhaps it is more suitable for your use case.
>   
For SUID, fakeroot means that the program runs with privileges but 
without fakeroot's wrapping. Fakeroot-ng means that program runs without 
the (real) privileges, but with fakeroot-ng's wrapping. I'm not sure 
about capabilities, but it's definitely worth giving it a try.

Shachar

-- 
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com

[Message part 2 (text/html, inline)]

Message #35 received at 544471@bugs.debian.org (full text, mbox, reply):

From: Shachar Shemesh <shachar@debian.org>

To: Yaroslav Halchenko <debian@onerussian.com>

Cc: Clint Adams <schizo@debian.org>, 544471@bugs.debian.org, fakeroot-ng@packages.debian.org

Subject: Re: Bug#544471: cap_sys_nice on executable leads to ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored

Date: Tue, 01 Sep 2009 10:02:53 +0300

[Message part 1 (text/plain, inline)]

Yaroslav Halchenko wrote:
>
> hm... it seems to be doing find:
> $> fakeroot python --version
> ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored.
> Python 2.5.4
> $> fakeroot-ng python --version 
> Python 2.5.4
>
> cool -- thanks for the hint... seems to remain working fine within dpkg-buildpackage ;)
>
> I just wonder now what to do with the bug -- apparently it is a feature ;) but
> may be error message could be made more informative/relevant?
>
>   
This is not a bug. It's a design limitation. I'm not even sure fakeroot 
has the option of detecting when this limitation is about to trigger (at 
least, not in a sane way).

Shachar

-- 
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com

[Message part 2 (text/html, inline)]

Message #40 received at 544471@bugs.debian.org (full text, mbox, reply):

From: "Per W." <debbugs.perfide@safersignup.com>

To: 544471@bugs.debian.org

Subject: dh_pycentral fails to detect Python version with capabilities

Date: Wed, 25 Aug 2010 17:13:07 +0200

I think this is not a bug of fakeroot but of python-central!
If dh_pycentral wants to find the Python version somewhere in stderr it
should use a damn good parser!
I suggest to use one of the following statements instead of trying to
parse stderr!

# New in version 2.3.
$ python -c "import platform;print(platform.python_version())"
2.6.6rc2

# New in version 2.0.
$ python -c "import sys;print(sys.version_info)"
(2, 6, 6, 'candidate', 2)

# New in version 2.3.
$ python -c "import platform;print(platform.python_version_tuple())"
('2', '6', '6rc2')

# New in version 1.5.2.
$ python -c "import sys;print(hex(sys.hexversion))"
0x20606c2

# Should not be used as of http://docs.python.org/library/sys.html
$ python -c "import sys;print(sys.version)"
2.6.6rc2 (r266rc2:84114, Aug 18 2010, 07:33:44)
[GCC 4.4.5 20100816 (prerelease)]

BTW.
Calling dh_pycentral from a non exeisting directory results into the
same error.

Send a report that this bug log contains spam.