Debian Bug report logs - #711623
ssh-agent: Removes LD_LIBRARY_PATH from environment


Package: openssh-client; Maintainer for openssh-client is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Source for openssh-client is src:openssh (PTS, buildd, popcon).

Reported by: Ralf Jung <post@ralfj.de>

Date: Sat, 8 Jun 2013 11:57:02 UTC

Severity: normal

Found in version openssh/1:6.2p2-3

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, post@ralfj.de, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#711623; Package openssh-client. (Sat, 08 Jun 2013 11:57:06 GMT) (full text, mbox, link).


Acknowledgement sent to Ralf Jung <post@ralfj.de>:
New Bug report received and forwarded. Copy sent to post@ralfj.de, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sat, 08 Jun 2013 11:57:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Ralf Jung <post@ralfj.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ssh-agent: Removes LD_LIBRARY_PATH from environment
Date: Sat, 08 Jun 2013 13:52:03 +0200
Package: openssh-client
Version: 1:6.2p2-3
Severity: critical
Justification: breaks unrelated software

Dear Maintainer,

ssh-agent removes the $LD_LIBRARY_PATH from the environment it was started in. This is fatal,
for example when starting a session with a desktop installed to a different $PREFIX for development
purposes. I have KDE master compiled and installed to /opt/kde-master, and I set up my .xsessionrc
to prepare the environment for executing the entire KDE session from this prefix. However, ssh-agent
removes the $LD_LIBRARY_PATH (which was set to /opt/kde-master/lib) from the environment before
/usr/bin/startkde is launched, thereby breaking my session in funny and subtle ways. Most binaries
have an RPATH set, but some open libraries or plugins later and end up pulling incompatible .so
files from /usr/lib.
Please refrain from breaking the carefully set-up environment ssh-agent is started in.

I verified that it is ssh-agent which breaks the environment by commenting out the contents of
90x11-common_ssh-agent.

Kind regards
Ralf


-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (100, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.9-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.16.10
ii  libc6             2.17-3
ii  libedit2          2.11-20080614-5
ii  libgssapi-krb5-2  1.10.1+dfsg-5
ii  libselinux1       2.1.13-2
ii  libssl1.0.0       1.0.1e-3
ii  passwd            1:4.1.5.1-1
ii  zlib1g            1:1.2.8.dfsg-1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.7-1

Versions of packages openssh-client suggests:
pn  keychain                   <none>
ii  ksshaskpass [ssh-askpass]  0.5.3-1+b1
pn  libpam-ssh                 <none>
pn  monkeysphere               <none>
ii  openssh-blacklist          0.4.1+nmu1
ii  openssh-blacklist-extra    0.4.1+nmu1

-- no debconf information



Severity set to 'normal' from 'critical'. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Sat, 08 Jun 2013 12:00:13 GMT) (full text, mbox, link).


Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Sat, 08 Jun 2013 14:21:10 GMT) (full text, mbox, link).


Notification sent to Ralf Jung <post@ralfj.de>:
Bug acknowledged by developer. (Sat, 08 Jun 2013 14:21:10 GMT) (full text, mbox, link).


Message #12 received at 711623-close@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>
To: 711623-close@bugs.debian.org
Subject: Re: Bug#711623: ssh-agent: Removes LD_LIBRARY_PATH from environment
Date: Sat, 8 Jun 2013 14:37:56 +0100
Control: tag -1 wontfix

On Sat, Jun 08, 2013 at 01:52:03PM +0200, Ralf Jung wrote:
> Package: openssh-client
> Version: 1:6.2p2-3
> Severity: critical
> Justification: breaks unrelated software
> 
> Dear Maintainer,
> 
> ssh-agent removes the $LD_LIBRARY_PATH from the environment it was started in.

This is a direct consequence of it being setgid, which is required to
protect the keys it stores from being retrievable using ptrace attacks;
I'm afraid that's much more important.  It's also documented in
README.Debian.  If you need to use LD_LIBRARY_PATH in conjunction with
ssh-agent, you'll need to put it in something underneath ssh-agent in
the process tree.

Regards,

-- 
Colin Watson                                       [cjwatson@debian.org]



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#711623; Package openssh-client. (Sat, 08 Jun 2013 14:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Ralf Jung <post@ralfj.de>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sat, 08 Jun 2013 14:57:04 GMT) (full text, mbox, link).


Message #17 received at 711623@bugs.debian.org (full text, mbox, reply):

From: Ralf Jung <post@ralfj.de>
To: Colin Watson <cjwatson@debian.org>, 711623@bugs.debian.org
Subject: Re: Re: Bug#711623: ssh-agent: Removes LD_LIBRARY_PATH from environment
Date: Sat, 08 Jun 2013 16:55:46 +0200
Hi,

>> ssh-agent removes the $LD_LIBRARY_PATH from the environment it was started in.
> 
> This is a direct consequence of it being setgid, which is required to
> protect the keys it stores from being retrievable using ptrace attacks;
> I'm afraid that's much more important.  It's also documented in
> README.Debian.  If you need to use LD_LIBRARY_PATH in conjunction with
> ssh-agent, you'll need to put it in something underneath ssh-agent in
> the process tree.
Hm, I see. Wouldn't it be possible to script this in a way that just
ssh-agent runs without the previously set LD_LIBRARY_PATH, but the
program it runs maintains the previous path? Something like, or
equivalent to:
eval `ssh-agent -s`
the-program-to-run

Unfortunately, the issue is not solved by saying "just do the setup
inside the exec'ed function". The program typically run "inside"
ssh-agent is dbus-launch (it's added to the $STARTUP first), so this
removal of environment variables means that dbus-activated programs use
an incorrect environment. The README gives no indication how this could
be solved, and actually the only idea I could come up with involves
changing the global /etc/X11/Xsession.d files, which should not be
necessary just to properly run a desktop in a different environment.
What about the askpass program? It's a Qt/KDE program as well and should
therefore have the same environment as the session. In fact, askpass and
pinentry (for gpg) were the initial reason why I did all this
environment set-up in .xsessionrc, not in .xsession - at least one of
them didn't work properly otherwise.
The net effect of this behaviour is that .xsessionrc is hardly useful.

IMHO this issue should be mentioned in the manpage as well. That's where
I looked for any documentation about any effects on the environment, and
found none related to this problem.


Kind regards
Ralf



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#711623; Package openssh-client. (Sat, 08 Jun 2013 21:21:05 GMT) (full text, mbox, link).


Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sat, 08 Jun 2013 21:21:05 GMT) (full text, mbox, link).


Message #22 received at 711623@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>
To: Ralf Jung <post@ralfj.de>, 711623@bugs.debian.org
Subject: Re: Bug#711623: Re: Bug#711623: ssh-agent: Removes LD_LIBRARY_PATH from environment
Date: Sat, 8 Jun 2013 22:16:59 +0100
On Sat, Jun 08, 2013 at 04:55:46PM +0200, Ralf Jung wrote:
> Hm, I see. Wouldn't it be possible to script this in a way that just
> ssh-agent runs without the previously set LD_LIBRARY_PATH, but the
> program it runs maintains the previous path? Something like, or
> equivalent to:
> eval `ssh-agent -s`
> the-program-to-run

Well, x11-common is welcome to implement it that way if it chooses to
and if it actually works; note that the file
/etc/X11/Xsession.d/90x11-common_ssh-agent is not actually shipped by
the openssh packages themselves, but rather by x11-common ...

See bug #573325, filed a while back for this.  Note that there are
problems documented in that bug with making sure that ssh-agent has an
appropriate lifetime, so it's not just as simple as the approach you
suggest.  (The approach used in the current Ubuntu development release
where ssh-agent runs as an Upstart user job fixes this, but it may be
some time before we can persuade Debian to switch to this!)

> IMHO this issue should be mentioned in the manpage as well. That's where
> I looked for any documentation about any effects on the environment, and
> found none related to this problem.

Fair enough; I've added something similar to the text in README.Debian
there for my next upload.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#711623; Package openssh-client. (Sun, 09 Jun 2013 10:24:26 GMT) (full text, mbox, link).


Acknowledgement sent to Ralf Jung <post@ralfj.de>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sun, 09 Jun 2013 10:24:26 GMT) (full text, mbox, link).


Message #27 received at 711623@bugs.debian.org (full text, mbox, reply):

From: Ralf Jung <post@ralfj.de>
To: Colin Watson <cjwatson@debian.org>
Cc: 711623@bugs.debian.org, 573325@bugs.debian.org
Subject: Re: Bug#711623: Re: Bug#711623: ssh-agent: Removes LD_LIBRARY_PATH from environment
Date: Sun, 09 Jun 2013 12:23:16 +0200
Hi,

> Well, x11-common is welcome to implement it that way if it chooses to
> and if it actually works; note that the file
> /etc/X11/Xsession.d/90x11-common_ssh-agent is not actually shipped by
> the openssh packages themselves, but rather by x11-common ...
> 
> See bug #573325, filed a while back for this.  Note that there are
> problems documented in that bug with making sure that ssh-agent has an
> appropriate lifetime, so it's not just as simple as the approach you
> suggest. 
Sure, that was just meant as an indication of the desired semantics. A
proper solution has actually been suggested in the bug you linked: Add a
(non-setgid) ssh-agent-launch wrapper, which fork()s to exec ssh-agent,
applies the environment changes returned by that one, then runs the
program given as argument, and when that program quits, it kills
ssh-agent. That way, no setgid process is in the parent-child path to
the user session, and process lifetime is handled correctly.

> (The approach used in the current Ubuntu development release
> where ssh-agent runs as an Upstart user job fixes this, but it may be
> some time before we can persuade Debian to switch to this!)
Yeah, upstart/systemd user sessions are the "real" solution, but well,
we have to work with what's currently available ;-)

> Fair enough; I've added something similar to the text in README.Debian
> there for my next upload.
Thanks.

Kind regards
Ralf



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#711623; Package openssh-client. (Mon, 01 Jul 2013 13:09:04 GMT) (full text, mbox, link).


Acknowledgement sent to Thorsten Glaser <tg@mirbsd.de>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Mon, 01 Jul 2013 13:09:04 GMT) (full text, mbox, link).


Message #32 received at 711623@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <tg@mirbsd.de>
To: 711623@bugs.debian.org
Subject: better wrapper idea
Date: Mon, 1 Jul 2013 15:05:19 +0200 (CEST)
#!/bin/sh
# Capture LD_LIBRARY_PATH before the setgid ssh-agent loses it; env(1) restores it for "$@".
exec ssh-agent env LD_LIBRARY_PATH="$LD_LIBRARY_PATH" "$@"

Doing ssh-agent in the background and killing it if the
children exit is *not* the same as doing it this way…

bye,
//mirabilos
-- 
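The non-setgid ssh-agent-launch wrapper Ralf describes above (start the agent as a sibling, import its variables, run the session program with the caller's environment intact, kill the agent when the program exits), written out as an added POSIX sh example; it is not code from Debian's x11-common script, from openssh, or from anyone in this thread. AGENT_CMD is an assumption so the wrapper can be exercised with a stand-in agent; everything else uses only the `ssh-agent -s` output format.

```shell
#!/bin/sh
# ssh-agent-launch: added example of the non-setgid wrapper discussed in
# the thread, not code from Debian or from the thread itself.
# ssh-agent is started as a sibling, so the setgid binary is never an
# ancestor of the session: ld.so strips LD_LIBRARY_PATH only from the
# agent's own environment, and the program run here keeps the caller's.
# AGENT_CMD is an assumption so the script can be exercised with a stand-in.
: "${AGENT_CMD:=ssh-agent}"

# Turn the sh-style output of `ssh-agent -s` into NAME=value lines without
# eval: only SSH_AUTH_SOCK and SSH_AGENT_PID are taken; anything else
# (such as the trailing "echo Agent pid" line) is ignored.
agent_env_from_output() {
    printf '%s\n' "$1" |
        awk -F'[=;]' '/^SSH_AUTH_SOCK=|^SSH_AGENT_PID=/ { print $1 "=" $2 }'
}

# Run "$@" with the agent available, then kill the agent so that it does
# not outlive the session (the lifetime problem Colin points at in #573325).
run_under_agent() {
    out=$("$AGENT_CMD" -s) || return 1
    for kv in $(agent_env_from_output "$out"); do
        export "$kv"
    done
    [ -n "$SSH_AGENT_PID" ] || return 1
    # Kill the agent even if this wrapper itself is signalled.
    trap 'kill "$SSH_AGENT_PID" 2>/dev/null' EXIT HUP INT TERM
    "$@"
    status=$?
    kill "$SSH_AGENT_PID" 2>/dev/null
    trap - EXIT HUP INT TERM
    return "$status"
}

# Stand-alone use: ssh-agent-launch /usr/bin/startkde
if [ "$#" -gt 0 ]; then
    run_under_agent "$@"
fi
```

Unlike the one-line `exec ssh-agent env ...` form, this keeps every session process outside the setgid agent's subtree, so no variable has to be listed by name to survive.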



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#711623; Package openssh-client. (Sun, 07 Jul 2013 17:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to calculus@rezozer.net:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Sun, 07 Jul 2013 17:33:04 GMT) (full text, mbox, link).


Message #37 received at 711623@bugs.debian.org (full text, mbox, reply):

From: Jerome BENOIT <calculus@rezozer.net>
To: 711623@bugs.debian.org
Subject: ssh-agent: Removes LD_LIBRARY_PATH from environment
Date: Sun, 07 Jul 2013 19:03:24 +0200

Hello,

have you considered to play with libpam-ssh ?

Best wishes,
Jerome



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Aug 2013 07:27:44 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Sep 19 15:36:54 2022; Machine Name: bembo
