From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Thomas Munro <thomas(dot)munro(at)gmail(dot)com> |
Cc: | Andres Freund <andres(at)anarazel(dot)de>, John Naylor <john(dot)naylor(at)enterprisedb(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [RFC] building postgres with meson |
Date: | 2021-10-14 23:04:27 |
Message-ID: | 909289.1634252667@sss.pgh.pa.us |
Lists: | pgsql-hackers |
I wrote:
> I recall that we figured out awhile ago that the environment gets trimmed
> when make (or whatever) executes some command via the shell; seemingly,
> Apple has decided that /bin/sh is a security-critical program that mustn't
> be run with a non-default DYLD_LIBRARY_PATH. Dunno if that helps you
> find where the damage is done exactly.
BTW, here's the evidence for this theory:
[tgl(at)pro ~]$ cat checkenv.c
#include <stdio.h>
#include <stdlib.h>

int
main(int argc, char **argv)
{
    char *pth = getenv("DYLD_LIBRARY_PATH");

    if (pth)
        printf("DYLD_LIBRARY_PATH = %s\n", pth);
    else
        printf("DYLD_LIBRARY_PATH is unset\n");
    return 0;
}
[tgl(at)pro ~]$ gcc checkenv.c
[tgl(at)pro ~]$ ./a.out
DYLD_LIBRARY_PATH is unset
[tgl(at)pro ~]$ export DYLD_LIBRARY_PATH=/Users/tgl/pginstall/lib
[tgl(at)pro ~]$ ./a.out
DYLD_LIBRARY_PATH = /Users/tgl/pginstall/lib
[tgl(at)pro ~]$ sh -c ./a.out
DYLD_LIBRARY_PATH is unset
[tgl(at)pro ~]$ ./a.out
DYLD_LIBRARY_PATH = /Users/tgl/pginstall/lib
[tgl(at)pro ~]$ bash -c ./a.out
DYLD_LIBRARY_PATH is unset
You have to check the environment using an "unprivileged" program.
If you try to examine the environment using, say, "env", you will get
very misleading results. AFAICT, /usr/bin/env is *also* considered
security-critical, because I cannot get it to ever report that
DYLD_LIBRARY_PATH is set.
Hmm ... /usr/bin/perl seems to act the same way. It can see
ENV{'PATH'} but not ENV{'DYLD_LIBRARY_PATH'}.
This may indicate that they've applied this policy on a blanket
basis to everything in /bin and /usr/bin (and other system
directories, maybe), rather than singling out the shell.
regards, tom lane
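The experiment in the message above can be automated so that a build or test harness can tell, on any platform, whether a given variable survives being handed to /bin/sh. The following is an added example, not code from the message or from the PostgreSQL tree. It sets a variable in the calling process, asks the shell that popen() spawns to print the variable back from its own environment, and compares. A constructed control variable (CHECKENV_PROBE, an assumed name) shows the difference between one variable being stripped and the environment not being passed at all. On macOS with System Integrity Protection the DYLD_* result is expected to be 0 while the control is 1; on Linux both are 1.

```c
/*
 * Added example: probe whether an environment variable survives exec of
 * /bin/sh. Not part of the original message.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Only accept a valid shell identifier, since the name is spliced into a
 * command line; anything else would let a caller inject shell syntax. */
int
is_env_name(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (!(isalpha((unsigned char) *name) || *name == '_'))
        return 0;
    for (const char *p = name + 1; *p; p++)
        if (!(isalnum((unsigned char) *p) || *p == '_'))
            return 0;
    return 1;
}

/*
 * Set `name` to `value` in our own environment, then have /bin/sh (via
 * popen) print its copy of the variable. Returns 1 if the shell saw the
 * same value, 0 if it was dropped or changed, -1 on a bad name or a
 * failure to run the shell.
 */
int
shell_preserves_var(const char *name, const char *value)
{
    char    cmd[512];
    char    buf[4096];
    FILE   *fp;
    size_t  n;

    if (!is_env_name(name) || value == NULL)
        return -1;
    if (setenv(name, value, 1) != 0)
        return -1;

    /* The value itself travels through the environment, not the command
     * line, so only the (validated) name appears in the shell text. */
    snprintf(cmd, sizeof cmd, "printf '%%s' \"$%s\"", name);
    fp = popen(cmd, "r");
    if (fp == NULL)
        return -1;
    n = fread(buf, 1, sizeof buf - 1, fp);
    buf[n] = '\0';
    pclose(fp);

    return strcmp(buf, value) == 0 ? 1 : 0;
}

int
main(void)
{
    /* Constructed sample values; the paths need not exist. */
    const char *probe_value = "/tmp/constructed/lib";
    int         dyld = shell_preserves_var("DYLD_LIBRARY_PATH", probe_value);
    int         ctrl = shell_preserves_var("CHECKENV_PROBE", probe_value);

    printf("DYLD_LIBRARY_PATH survives /bin/sh: %d\n", dyld);
    printf("CHECKENV_PROBE survives /bin/sh:    %d\n", ctrl);
    if (ctrl == 1 && dyld == 0)
        printf("environment is passed, but the loader variable is stripped\n");
    return 0;
}
```

Because popen() runs the command through /bin/sh, the shell's own environment is what gets inspected, which is exactly the point the message makes: the variable is removed before the restricted binary starts, so nothing the shell does afterwards can recover it.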