I read some articles about problems in using the LD_LIBRARY_PATH, even as a part of a wrapper script:
http://linuxmafia.com/faq/Admin/ld-lib-path.html
http://blogs.oracle.com/ali/entry/avoiding_ld_library_path_the
In this case - what are the recommended alternatives?
Thanks.
4 solutions
#1
11
You can try adding:
-Wl,-rpath,path/to/lib
to the linker options. This will save you the need to worry about the LD_LIBRARY_PATH environment variable, and you can decide at compile time to point to a specific library.
For a path relative to the binary, you can use $ORIGIN, eg
-Wl,-rpath,'$ORIGIN/../lib'
($ORIGIN may not work when statically linking to shared libraries with ld, use -Wl,--allow-shlib-undefined to fix this)
#2
6
the answer is in the first article you quoted.
In UNIX the location of a library can be specified with the -L dir option to the compiler. .... As an alternative to using the -L and -R options, you can set the environment variable LD_RUN_PATH before compiling the code.
#3
6
I've always set LD_LIBRARY_PATH, and I've never had a problem.
To quote your first link:
When should I set LD_LIBRARY_PATH? The short answer is never. Why? Some users seem to set this environment variable because of bad advice from other users or badly linked code that they do not know how to fix.
That is NOT what I call a definitive problem statement. In fact it brings to mind I don't like it. [YouTube, but SFW].
That second blog entry (http://blogs.oracle.com/ali/entry/avoiding_ld_library_path_the) is much more forthcoming on the nature of the problem... which appears to be, in a nutshell, library version clashes: ThisProgram requires Foo1.2, but ThatProgram requires Foo1.3, hence you can't run both programs (easily). Note that most of these problems are negated by a simple wrapper script which sets the LD_LIBRARY_PATH for just the executing shell, which is (almost always) a separate child process of the interactive shell.
Note also that the alternatives are pretty well explained in the post.
I'm just confused as to why you would post a question containing links to articles which apparently answer your question... Do you have a specific question which wasn't covered (clearly enough) in either of those articles?
#4
1
I find that the existing answers to do actually answer the question in a straightforward way:
1. LD_RUN_PATH is used by the linker (see ld) at the time you link your software. It is used only if you have no -rpath ... on the command line (-Wl,-rpath ... on the gcc command line). The path(s) defined in that variable are added to the RPATH entry in your ELF binary file. (You can see that RPATH using objdump -x binary-filename—in most cases it is not there though! It appears in my development binaries, but once the final version gets installed RPATH gets removed.)
2. LD_LIBRARY_PATH is used at runtime, when you want to specify a directory that the dynamic linker (see ldd) needs to search for libraries. Specifying the wrong path could lead to loading the wrong libraries. This is used in addition to the RPATH value defined in your binary (as in 1.)
LD_RUN_PATH really causes no security threat unless you are a programmer and don't know how to use it. As I am using CMake to build my software, the -rpath is used all the time. That way I do not have to install everything to run my software. ldd can find all the .so files automatically. (The automake environment was supposed to do that too, but it was not very good at it, in comparison.)
LD_LIBRARY_PATH is a runtime variable and thus you have to be careful with it. That being said, many shared objects would be really difficult to deal with if we did not have that special feature. Whether it is a security threat, probably not. If a hacker takes a hold of your computer, LD_LIBRARY_PATH is accessible to that hacker anyway. What could happen is that you use the wrong path(s) in that variable, your binary may not load, but if it loads you may end up with a crashing binary or at least a binary that does not work quite right. One concern is that over time you get new versions of the library and you are likely to forget to remove the LD_LIBRARY_PATH which means you may be using an unsecure version of the library.
The one other possibility for security is if the hacker installs a fake library of the same name as what the binary is searching, a library that includes all the same functions, but that has some of those functions replaced with sneaky code. He can get that library loaded by changing the LD_LIBRARY_PATH variable. Then it will eventually get executed by the hacker. Again, if the hacker can add such a library to your system, he's already in and probably does not need to do anything like that in the first place (since he's in he has full control of your system anyway.) Because in reality, if the hacker can only place the library in his account he won't do anything much (unless your Unix box is not safe overall...) If the hacker can replace one of your /usr/lib/... libraries, he already has full access to your system. So LD_LIBRARY_PATH is not needed.
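The lookup order the answers above rely on, as an added example (not code from any of the posts): a simplified Python model of how glibc's dynamic linker orders RPATH, LD_LIBRARY_PATH and RUNPATH, showing when a forgotten LD_LIBRARY_PATH entry shadows the library the binary was linked against. The directory layout and libfoo.so.1 are constructed; whether -Wl,-rpath writes DT_RPATH or DT_RUNPATH depends on the linker's --enable-new-dtags / --disable-new-dtags setting.

```python
import os
import tempfile

def search_dirs(rpath="", runpath="", ld_library_path="", origin="",
                secure=False, default_dirs=("/lib", "/usr/lib")):
    """(source, directory) pairs in the order glibc's ld.so tries them.
    Simplified model: the ld.so.cache step is left out."""
    def split(value):
        # An empty entry (leading, trailing or doubled ':') means the current directory.
        if not value:
            return []
        return [(p or ".").replace("$ORIGIN", origin) for p in value.split(":")]
    order = []
    if not runpath:                      # DT_RPATH is ignored when DT_RUNPATH is present
        order += [("RPATH", d) for d in split(rpath)]
    if not secure:                       # set-uid/set-gid (secure-execution) runs ignore it
        order += [("LD_LIBRARY_PATH", d) for d in split(ld_library_path)]
    order += [("RUNPATH", d) for d in split(runpath)]
    return order + [("default", d) for d in default_dirs]

def resolve(soname, **kw):
    """Return (winner, shadowed): every copy of soname found, in search order."""
    hits = [(src, os.path.join(d, soname)) for src, d in search_dirs(**kw)
            if os.path.isfile(os.path.join(d, soname))]
    return (hits[0], hits[1:]) if hits else (None, [])

def demo():
    """Constructed layout: app/lib holds the intended library, stale/ a forgotten old copy."""
    root = tempfile.mkdtemp()
    for sub in ("app/bin", "app/lib", "stale"):
        os.makedirs(os.path.join(root, sub))
    for sub in ("app/lib", "stale"):
        open(os.path.join(root, sub, "libfoo.so.1"), "w").close()
    env = dict(origin=os.path.join(root, "app", "bin"),
               ld_library_path=os.path.join(root, "stale"), default_dirs=())
    pick = lambda **kw: resolve("libfoo.so.1", **env, **kw)[0][0]
    return {
        "rpath": pick(rpath="$ORIGIN/../lib"),              # DT_RPATH beats the variable
        "runpath": pick(runpath="$ORIGIN/../lib"),          # the variable beats DT_RUNPATH
        "runpath_setuid": pick(runpath="$ORIGIN/../lib", secure=True),
    }

if __name__ == "__main__":
    print(demo())
```

On a real binary, readelf -d shows which of the two tags (RPATH or RUNPATH) the linker actually wrote.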