Toward safer GNU C Library tunable handling
Toward safer GNU C Library tunable handling
Posted Oct 20, 2023 0:43 UTC (Fri) by tilt12345678 (subscriber, #126336)Parent article: Toward safer GNU C Library tunable handling
Shouldn't all this configuration go into a configuration file in /etc that has an expressive, descriptive language stating how a system behaves totally instead of offering the possibility to inject settings all over the place via environment?
Posted Oct 20, 2023 7:45 UTC (Fri)
by taladar (subscriber, #68407)
[Link] (5 responses)
However I agree, the environment variable system seems the wrong place for this, especially considering the low level nature of these settings and the issues around setting and getting environment variables from different threads of the same process without crashes.
Posted Oct 20, 2023 17:14 UTC (Fri)
by raven667 (subscriber, #5198)
[Link] (2 responses)
The main takeaway for me is that a lot of tunable env vars like this may not be well documented on systems in a way that the millions and millions of people who admin and develop on Linux are generally aware they even exist, let alone could list the various settings and describe what they do. glibc is probably not the only library which has optional behavior which can be set by environment variables that could break a program, which the developers and users aren't taking sufficient precaution against because they aren't aware of the risk.
Posted Oct 22, 2023 16:03 UTC (Sun)
by dezgeg (subscriber, #92243)
[Link] (1 responses)
Command line would be much preferable, for example for Haskell code compiled with GHC you can pass 'tunables' to the GHC runtime by passing something like '+RTS -M128m -RTS' on the command line. Of course that GHC solution has the problem of in-band signalling.
At least for dynamically linked programs one neat way would be to explicitly invoke the dynamic linker and pass the tunables there, just like it already supports flags like --preload (ie. instead of 'LD_PRELOAD=foo.so /bin/ls' one can do '/lib64/ld-linux-x86-64.so.2 --preload foo.so /bin/ls').
Posted Nov 2, 2023 14:20 UTC (Thu)
by roblucid (guest, #48964)
[Link]
If your program system breaks it is written badly. Just sanitise the environment when you start your fragile application. Set things like PATH, adjust variables if required. Users are allowed to break their session.
Requiring every program anyone ever writes to pass through by CLI argument something like terminal type, printing width or display device is ridiculous.
Posted Oct 22, 2023 17:17 UTC (Sun)
by tilt12345678 (subscriber, #126336)
[Link]
Problem 1: The method of applying tunables via environment is intrusive on a systems design/management level.
Problem 2: Being able to apply tunables via every process's environment makes a system's behavior less clear.
Problem 3: The current design of the tunables configuration interface offers a questionable mixup of debugging and performance settings.
I am aware that my ramblings do not include even a hint of an idea of how to actually accomplish such improvements, because frankly i have none!
Posted Nov 2, 2023 13:39 UTC (Thu)
by roblucid (guest, #48964)
[Link]
It's hard to think of a valid use of environment passed in. For instance even dynamic linking with a local directory, you would optionally at build time insert a fixed directory to the default runtime .so search path. You could not rely on users not breaking environment.
This sounds like GNU lost the plot on this, when ld.so has an altered [ui]d it is simply asking for trouble to worry about a user's POSIXLY_CORRECT setting or other options that might introduce unanticipated behaviour.
Posted Oct 20, 2023 16:48 UTC (Fri)
by matthias (subscriber, #94967)
[Link] (2 responses)
And seeing that there are actually security holes in the parsing code for a pre-allocated very simple key-value store (environment variables), I can only imagine how hand crafted low level file parsing code without access to malloc would look like. Existing high level libraries will not be of much help in this restricted environment.
And while I do not really like environment variables, the problems are really not in the interface, but the language used to access the information. There will not be less buffer overflows in the checking code just because we switch from environment variables to files. The only real solution is to switch to a language that enforces bound checking.
And the problem that this kind of tunables crosses a security boundary for SUID files will also not go away if we switch the interface. We really should get rid of SUID. There is way too much state that crosses the boundary during fork+exec, not only the environment variables.
Posted Nov 2, 2023 13:24 UTC (Thu)
by sammythesnake (guest, #17693)
[Link]
Posted Nov 2, 2023 14:43 UTC (Thu)
by roblucid (guest, #48964)
[Link]
Such programs are supposed to be small, carefully written and sanitise all input including the environment. Glibc tunables broke that contract.
Things worked before these GNU tunables, it's unclear why ld.so is EVEN looking at them when exec changes the effective [ug]id.
It's not environment that's broken it's a badly thought out feature created by glibc.
Posted Oct 24, 2023 15:00 UTC (Tue)
by rwmj (subscriber, #5474)
[Link]
Posted Oct 28, 2023 1:27 UTC (Sat)
by siddhesh (guest, #64914)
[Link]
Posted Nov 2, 2023 13:52 UTC (Thu)
by roblucid (guest, #48964)
[Link]
The whole point of environment was to allow users to alter their preferences and also have things like their terminal type and X-server work.
BUT privileged programs with an effective [ug]id should not be affected by environmental whims of the misguided or malicious.
Toward safer GNU C Library tunable handling
Toward safer GNU C Library tunable handling
Toward safer GNU C Library tunable handling
Toward safer GNU C Library tunable handling
When running with effective UID privilege the environment should not be trusted just as any user input needs careful verification.
Similarly you don't want low level routines continually opening config files to simulate the process environment.
Toward safer GNU C Library tunable handling
Being able to tune via environment is convenient, but - to state the obvious - it actually requires modifying the environment. Therefore, to be able to tune/trace every process, every potential process start has to be wrapped individually. A central policy mechanism could relieve system engineering from re-implementing this for every process that can be run in a system and that should be tuned/traced, making the tunables accessible where they right now are not (think containerized workloads etc.)
Given the current tuning configuration mechanism, it is a non-trivial task to state how a system currently actually behaves. Many corner cases have to be considered. Just some examples: Can a process apply tunables to itself by modifying its own environment? Is it safe to state that, if a process's environment contains a tunable setting X, then X is actually effective? Is it safe to state that X applies to all threads of X or only future threads? Also consider the special rules that apply to SUID/SGID binaries. Etc, etc. Much like discretionary access control, it's another semantical nightmare in audit situations.
The current set of tunables mixes settings for tuning (e.g. hugeTLB) with settings for tracing (e.g. malloc check). A central policy syntax maybe could allow for a splitting of these substantially different activities into separate mechanisms, or maybe just a "sounder" design in general.
Toward safer GNU C Library tunable handling
Toward safer GNU C Library tunable handling
Toward safer GNU C Library tunable handling
Toward safer GNU C Library tunable handling
It's self inflicted because it's providing features that are highly dubious in programs with setuid/setgid bit set.
Toward safer GNU C Library tunable handling
Toward safer GNU C Library tunable handling
Toward safer GNU C Library tunable handling
Personal choices in ~/. profile are desirable, users are free to break their session settings.