From: Andreas Schneider Date: Wed, 25 Sep 2024 07:19:44 +0000 (+0200) Subject: lib:ldb: Don't use RTLD_DEEPBIND by default X-Git-Tag: tdb-1.4.13~1050 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=dc6927fdca2ad77dbcf212ef4d3ba0d118ec7bdf;p=thirdparty%2Fsamba.git lib:ldb: Don't use RTLD_DEEPBIND by default It should be off by default, as this is not needed by default. It crashes named on startup, if bind is built with jemalloc support. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15643 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher --- diff --git a/lib/ldb/common/ldb_modules.c b/lib/ldb/common/ldb_modules.c index 5c970626206..08d251f9bdd 100644 --- a/lib/ldb/common/ldb_modules.c +++ b/lib/ldb/common/ldb_modules.c @@ -945,7 +945,7 @@ static int ldb_modules_load_path(const char *path, const char *version) int dlopen_flags; #ifdef RTLD_DEEPBIND - bool deepbind_enabled = (getenv("LDB_MODULES_DISABLE_DEEPBIND") == NULL); + bool deepbind_enabled = (getenv("LDB_MODULES_ENABLE_DEEPBIND") != NULL); #endif ret = stat(path, &st); @@ -981,21 +981,12 @@ static int ldb_modules_load_path(const char *path, const char *version) dlopen_flags = RTLD_NOW; #ifdef RTLD_DEEPBIND /* - * use deepbind if possible, to avoid issues with different - * system library variants, for example ldb modules may be linked - * against Heimdal while the application may use MIT kerberos. + * On systems where e.g. different kerberos libraries are used, like a + * mix of Heimdal and MIT Kerberos, LDB_MODULES_ENABLE_DEEPBIND should + * be set to avoid issues. * - * See the dlopen manpage for details. - * - * One typical user is the bind_dlz module of Samba, - * but symbol versioning might be enough... - * - * We need a way to disable this in order to allow the - * ldb_*ldap modules to work with a preloaded socket wrapper. - * - * So in future we may remove this completely - * or at least invert the default behavior. - */ + * By default Linux distributions only have one Kerberos library. + */ if (deepbind_enabled) { dlopen_flags |= RTLD_DEEPBIND; } diff --git a/selftest/selftest.pl b/selftest/selftest.pl index 26b1663b5b6..a0c4ec80f59 100755 --- a/selftest/selftest.pl +++ b/selftest/selftest.pl @@ -433,12 +433,6 @@ $ENV{UID_WRAPPER} = 1; # We are already hitting the limit, so double it. $ENV{NSS_WRAPPER_MAX_HOSTENTS} = 200; -# Disable RTLD_DEEPBIND hack for Samba bind dlz module -# -# This is needed in order to allow the ldb_*ldap module -# to work with a preloaded socket wrapper. -$ENV{LDB_MODULES_DISABLE_DEEPBIND} = 1; - my $socket_wrapper_dir; if ($opt_socket_wrapper) { $socket_wrapper_dir = SocketWrapper::setup_dir("$prefix_abs/w", $opt_socket_wrapper_pcap); diff --git a/selftest/wscript b/selftest/wscript index 52c34dcb88d..95e70706e63 100644 --- a/selftest/wscript +++ b/selftest/wscript @@ -333,9 +333,8 @@ def cmd_testonly(opt): asan_options += ":suppressions=${srcdir}/selftest/sanitizer/asan.supp" asan_options += " " - # And we need to disable RTLD_DEEPBIND in ldb and socket wrapper - no_leak_check = "LDB_MODULES_DISABLE_DEEPBIND=1 " - no_leak_check += "SOCKET_WRAPPER_DISABLE_DEEP_BIND=1" + # We need to disable RTLD_DEEPBIND in socket wrapper + no_leak_check = "SOCKET_WRAPPER_DISABLE_DEEP_BIND=1" no_leak_check += " " env.CORE_COMMAND = asan_options + no_leak_check + env.CORE_COMMAND